- Update urllib3 from v1.25.9 to v1.26.5
- Update requests from v2.22.0 to v2.28.1
There's a medium severity CVE in urllib3 before v1.26.5, but we can't
just update urllib3 because there will be a dependency conflict.
requests also needs to be updated.
CVE reference:
https://www.cve.org/CVERecord?id=CVE-2021-33503
> An issue was discovered in urllib3 before 1.26.5. When provided with a
> URL containing many @ characters in the authority component, the
> authority regular expression exhibits catastrophic backtracking,
> causing a denial of service if a URL were passed as a parameter or
> redirected to via an HTTP redirect.
Signed-off-by: Peter Dave Hello <hsu@peterdavehello.org>
https://www.cve.org/CVERecord?id=CVE-2020-26137
> urllib3 before 1.25.9 allows CRLF injection if the attacker controls
> the HTTP request method, as demonstrated by inserting CR and LF
> control characters in the first argument of putrequest(). NOTE: this
> is similar to CVE-2020-26116.
Signed-off-by: Peter Dave Hello <hsu@peterdavehello.org>
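The two CVE records quoted above describe a regex denial of service on URL authority components with many `@` characters (CVE-2021-33503) and CRLF injection through an attacker-controlled request method (CVE-2020-26137). As an added example, not part of these commits or of urllib3, the following Python checks gate on the fixed versions the commits pin (urllib3 >= 1.26.5, requests >= 2.28.1) and validate the two inputs before they reach the library; the plain dotted-version parser and the uppercase-token method rule are assumptions for illustration:

```python
"""Defensive checks for the two urllib3 issues above (added example, not project code)."""
import re
from urllib.parse import urlsplit

# Minimum fixed versions as stated in the commit messages.
MIN_FIXED = {"urllib3": (1, 26, 5), "requests": (2, 28, 1)}


def parse_version(text):
    """Turn 'v1.25.9' or '1.26.5' into a comparable tuple of ints.

    Assumption: plain dotted numeric versions, optional leading 'v'.
    """
    return tuple(int(part) for part in text.lstrip("v").split("."))


def outdated_pins(pins):
    """Return the package names pinned below their fixed version.

    `pins` maps package name to pinned version string, e.g. from a lockfile.
    """
    return sorted(
        name for name, ver in pins.items()
        if name in MIN_FIXED and parse_version(ver) < MIN_FIXED[name]
    )


# Assumed policy: an HTTP method must be a bare token of uppercase letters,
# which by construction excludes CR, LF and any other control character.
_METHOD_RE = re.compile(r"^[A-Z]+$")


def is_safe_method(method):
    """True only if `method` can be passed to putrequest() without CRLF risk."""
    return bool(_METHOD_RE.match(method))


def suspicious_authority(url, max_at=1):
    """Flag URLs whose authority carries more '@' than a userinfo separator needs.

    urlsplit() takes the netloc by splitting on '/', so this count itself does
    not involve the backtracking regex described in the CVE.
    """
    return urlsplit(url).netloc.count("@") > max_at


if __name__ == "__main__":
    # Constructed sample lockfile pins matching the 'before' state of the commits.
    print(outdated_pins({"urllib3": "1.25.9", "requests": "2.22.0"}))
    print(is_safe_method("GET"), is_safe_method("GET\r\nX-Injected: 1"))
    print(suspicious_authority("http://a@b@c@example.test/"))
```

Running the version gate in CI against the lockfile reproduces the reasoning of the commit: urllib3 alone is flagged, but bumping it past 1.26.5 forces the requests bump as well.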
- Tox py3.7 + pipenv
- Python3 Dockerfile.py
- Dockerfile.py tags remote instead of just local image names now
- Circle.sh instead of in-line circle.yml script breakout
- probably other stuff I forgot
- Docker images built during the tests should hopefully now be available at the deploy job workflow thanks to shared docker layers.
- Rename aarch64 to arm64 to reduce custom map