Skip to content

Bump the pip group across 6 directories with 3 updates #3

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

Bump the pip group across 6 directories with 3 updates #3

wants to merge 1 commit into from

Conversation

@dependabot
Copy link

@dependabot dependabot bot commented on behalf of github May 21, 2024

Bumps the pip group with 3 updates in the /apps/linode-marketplace-docker directory: ansible, pymysql and dnspython.
Bumps the pip group with 3 updates in the /apps/linode-marketplace-keplerbuilder directory: ansible, pymysql and dnspython.
Bumps the pip group with 3 updates in the /apps/linode-marketplace-lamp directory: ansible, pymysql and dnspython.
Bumps the pip group with 3 updates in the /apps/linode-marketplace-lemp directory: ansible, pymysql and dnspython.
Bumps the pip group with 3 updates in the /apps/linode-marketplace-woocommerce directory: ansible, pymysql and dnspython.
Bumps the pip group with 3 updates in the /apps/linode-marketplace-wordpress directory: ansible, pymysql and dnspython.

Updates ansible from 6.0.0 to 8.5.0

Commits

Updates pymysql from 1.0.2 to 1.1.1

Release notes

Sourced from pymysql's releases.

v1.1.1

[!WARNING] This release fixes a vulnerability (CVE-2024-36039). All users are recommended to update to this version.

If you can not update soon, check the input value from untrusted source has an expected type. Only dict input from untrusted source can be an attack vector.

What's Changed

Merged PRs

New Contributors

Full Changelog: PyMySQL/PyMySQL@v1.1.0...v1.1.1

v1.1.0

What's Changed

... (truncated)

Changelog

Sourced from pymysql's changelog.

v1.1.1

Release date: 2024-05-21

[!WARNING] This release fixes a vulnerability (CVE-2024-36039). All users are recommended to update to this version.

If you can not update soon, check the input value from untrusted source has an expected type. Only dict input from untrusted source can be an attack vector.

  • Prohibit dict parameter for Cursor.execute(). It didn't produce valid SQL and might cause SQL injection. (CVE-2024-36039)
  • Added ssl_key_password param. #1145

v1.1.0

Release date: 2023-06-26

  • Fixed SSCursor raising OperationalError for query timeouts on wrong statement (#1032)
  • Exposed Cursor.warning_count to check for warnings without additional query (#1056)
  • Make Cursor iterator (#995)
  • Support '_' in key name in my.cnf (#1114)
  • Cursor.fetchall() returns empty list instead of tuple (#1115). Note that Cursor.fetchmany() still return empty tuple after reading all rows for compatibility with Django.
  • Deprecate Error classes in Cursor class (#1117)
  • Add Connection.set_character_set(charset, collation=None). This method is compatible with mysqlclient. (#1119)
  • Deprecate Connection.set_charset(charset) (#1119)
  • New connection always send "SET NAMES charset [COLLATE collation]" query. (#1119) Since collation table is vary on MySQL server versions, collation in handshake is fragile.
  • Support charset="utf8mb3" option (#1127)

v1.0.3

Release date: 2023-03-28

Commits

Updates dnspython from 2.2.1 to 2.6.1

Release notes

Sourced from dnspython's releases.

dnspython 2.6.1

See What's New for details.

This is a bug fix release for 2.6.0 where the "TuDoor" fix erroneously suppressed legitimate Truncated exceptions. This caused the stub resolver to timeout instead of failing over to TCP when a legitimate truncated response was received over UDP.

This release addresses the potential DoS issue discussed in the "TuDoor" paper (CVE-2023-29483). The dnspython stub resolver is vulnerable to a potential DoS if a bad-in-some-way response from the right address and port forged by an attacker arrives before a legitimate one on the UDP port dnspython is using for that query. In this situation, dnspython might switch to querying another resolver or give up entirely, possibly denying service for that resolution. This release addresses the issue by adopting the recommended mitigation, which is ignoring the bad packets and continuing to listen for a legitimate response until the timeout for the query has expired.

Thank you to all the contributors to this release, and, as usual, thanks to my co-maintainers: Tomáš Křížek, Petr Špaček, and Brian Wellington.

dnspython 2.6.0

See What's New for details.

This release addresses the potential DoS issue discussed in the "TuDoor" paper (CVE-2023-29483). The dnspython stub resolver is vulnerable to a potential DoS if a bad-in-some-way response from the right address and port forged by an attacker arrives before a legitimate one on the UDP port dnspython is using for that query. In this situation, dnspython might switch to querying another resolver or give up entirely, possibly denying service for that resolution. This release addresses the issue by adopting the recommended mitigation, which is ignoring the bad packets and continuing to listen for a legitimate response until the timeout for the query has expired.

Thank you to all the contributors to this release, and, as usual, thanks to my co-maintainers: Tomáš Křížek, Petr Špaček, and Brian Wellington.

dnspython 2.5.0

See the What's New page for a summary of this release.

Thanks to all the contributors, and, as usual, thanks to my co-maintainers: Tomáš Křížek, Petr Špaček, and Brian Wellington.

dnspython 2.4.2

This is a bug fix release, see the What's New page in the documentation for a summary.

Thanks to the people who reported the bugs and, as usual, thanks to my co-maintainers: Tomáš Křížek, Petr Špaček, and Brian Wellington.

Changelog

Sourced from dnspython's changelog.

2.6.1

  • The Tudoor fix ate legitimate Truncated exceptions, preventing the resolver from failing over to TCP and causing the query to timeout #1053.

2.6.0

  • As mentioned in the "TuDoor" paper and the associated CVE-2023-29483, the dnspython stub resolver is vulnerable to a potential DoS if a bad-in-some-way response from the right address and port forged by an attacker arrives before a legitimate one on the UDP port dnspython is using for that query.

    This release addresses the issue by adopting the recommended mitigation, which is ignoring the bad packets and continuing to listen for a legitimate response until the timeout for the query has expired.

  • Added support for the NSID EDNS option.

  • Dnspython now looks for version metadata for optional packages and will not use them if they are too old. This prevents possible exceptions when a feature like DoH is not desired in dnspython, but an old httpx is installed along with dnspython for some other purpose.

  • The DoHNameserver class now allows GET to be used instead of the default POST, and also passes source and source_port correctly to the underlying query methods.

2.5.0

  • Dnspython now uses hatchling for builds.

  • Asynchronous destinationless sockets now work on Windows.

  • Cython is no longer supported due to various typing issues.

  • Dnspython now explicitly canonicalizes IPv4 and IPv6 addresses. Previously it was possible for non-canonical IPv6 forms to be stored in a AAAA address, which would work correctly but possibly cause problmes if the address were used as a key in a dictionary.

  • The number of messages in a section can be retrieved with section_count().

  • Truncation preferences for messages can be specified.

  • The length of a message can be automatically prepended when rendering.

... (truncated)

Commits
  • 0a742b9 update CI
  • 0ea5ad0 The Tudoor fix should not eat valid Truncated exceptions #1053 (#1054)
  • f12d398 2.6.1 version prep
  • cecb853 Further improve CVE fix coverage to 100% for sync and async.
  • 7952e31 test IgnoreErrors
  • e093299 For the Tudoor fix, we also need the UDP nameserver to ignore_unexpected.
  • 3af9f78 2.6.0 versioning
  • ca63d95 Require cryptography >=41 instead of 42.
  • 902cbf3 Create CODE_OF_CONDUCT.md
  • ed9795f github contributing and pull request template
  • Additional commits viewable in compare view

Updates ansible from 6.0.0 to 8.5.0

Commits

Updates pymysql from 1.0.2 to 1.1.1

Release notes

Sourced from pymysql's releases.

v1.1.1

[!WARNING] This release fixes a vulnerability (CVE-2024-36039). All users are recommended to update to this version.

If you can not update soon, check the input value from untrusted source has an expected type. Only dict input from untrusted source can be an attack vector.

What's Changed

Merged PRs

New Contributors

Full Changelog: PyMySQL/PyMySQL@v1.1.0...v1.1.1

v1.1.0

What's Changed

... (truncated)

Changelog

Sourced from pymysql's changelog.

v1.1.1

Release date: 2024-05-21

[!WARNING] This release fixes a vulnerability (CVE-2024-36039). All users are recommended to update to this version.

If you can not update soon, check the input value from untrusted source has an expected type. Only dict input from untrusted source can be an attack vector.

  • Prohibit dict parameter for Cursor.execute(). It didn't produce valid SQL and might cause SQL injection. (CVE-2024-36039)
  • Added ssl_key_password param. #1145

v1.1.0

Release date: 2023-06-26

  • Fixed SSCursor raising OperationalError for query timeouts on wrong statement (#1032)
  • Exposed Cursor.warning_count to check for warnings without additional query (#1056)
  • Make Cursor iterator (#995)
  • Support '_' in key name in my.cnf (#1114)
  • Cursor.fetchall() returns empty list instead of tuple (#1115). Note that Cursor.fetchmany() still return empty tuple after reading all rows for compatibility with Django.
  • Deprecate Error classes in Cursor class (#1117)
  • Add Connection.set_character_set(charset, collation=None). This method is compatible with mysqlclient. (#1119)
  • Deprecate Connection.set_charset(charset) (#1119)
  • New connection always send "SET NAMES charset [COLLATE collation]" query. (#1119) Since collation table is vary on MySQL server versions, collation in handshake is fragile.
  • Support charset="utf8mb3" option (#1127)

v1.0.3

Release date: 2023-03-28

Commits

Updates dnspython from 2.2.1 to 2.6.1

Release notes

Sourced from dnspython's releases.

dnspython 2.6.1

See What's New for details.

This is a bug fix release for 2.6.0 where the "TuDoor" fix erroneously suppressed legitimate Truncated exceptions. This caused the stub resolver to timeout instead of failing over to TCP when a legitimate truncated response was received over UDP.

This release addresses the potential DoS issue discussed in the "TuDoor" paper (CVE-2023-29483). The dnspython stub resolver is vulnerable to a potential DoS if a bad-in-some-way response from the right address and port forged by an attacker arrives before a legitimate one on the UDP port dnspython is using for that query. In this situation, dnspython might switch to querying another resolver or give up entirely, possibly denying service for that resolution. This release addresses the issue by adopting the recommended mitigation, which is ignoring the bad packets and continuing to listen for a legitimate response until the timeout for the query has expired.

Thank you to all the contributors to this release, and, as usual, thanks to my co-maintainers: Tomáš Křížek, Petr Špaček, and Brian Wellington.

dnspython 2.6.0

See What's New for details.

This release addresses the potential DoS issue discussed in the "TuDoor" paper (CVE-2023-29483). The dnspython stub resolver is vulnerable to a potential DoS if a bad-in-some-way response from the right address and port forged by an attacker arrives before a legitimate one on the UDP port dnspython is using for that query. In this situation, dnspython might switch to querying another resolver or give up entirely, possibly denying service for that resolution. This release addresses the issue by adopting the recommended mitigation, which is ignoring the bad packets and continuing to listen for a legitimate response until the timeout for the query has expired.

Thank you to all the contributors to this release, and, as usual, thanks to my co-maintainers: Tomáš Křížek, Petr Špaček, and Brian Wellington.

dnspython 2.5.0

See the What's New page for a summary of this release.

Thanks to all the contributors, and, as usual, thanks to my co-maintainers: Tomáš Křížek, Petr Špaček, and Brian Wellington.

dnspython 2.4.2

This is a bug fix release, see the What's New page in the documentation for a summary.

Thanks to the people who reported the bugs and, as usual, thanks to my co-maintainers: Tomáš Křížek, Petr Špaček, and Brian Wellington.

Changelog

Sourced from dnspython's changelog.

2.6.1

  • The Tudoor fix ate legitimate Truncated exceptions, preventing the resolver from failing over to TCP and causing the query to timeout #1053.

2.6.0

  • As mentioned in the "TuDoor" paper and the associated CVE-2023-29483, the dnspython stub resolver is vulnerable to a potential DoS if a bad-in-some-way response from the right address and port forged by an attacker arrives before a legitimate one on the UDP port dnspython is using for that query.

    This release addresses the issue by adopting the recommended mitigation, which is ignoring the bad packets and continuing to listen for a legitimate response until the timeout for the query has expired.

  • Added support for the NSID EDNS option.

  • Dnspython now looks for version metadata for optional packages and will not use them if they are too old. This prevents possible exceptions when a feature like DoH is not desired in dnspython, but an old httpx is installed along with dnspython for some other purpose.

  • The DoHNameserver class now allows GET to be used instead of the default POST, and also passes source and source_port correctly to the underlying query methods.

2.5.0

  • Dnspython now uses hatchling for builds.

  • Asynchronous destinationless sockets now work on Windows.

  • Cython is no longer supported due to various typing issues.

  • Dnspython now explicitly canonicalizes IPv4 and IPv6 addresses. Previously it was possible for non-canonical IPv6 forms to be stored in a AAAA address, which would work correctly but possibly cause problmes if the address were used as a key in a dictionary.

  • The number of messages in a section can be retrieved with section_count().

  • Truncation preferences for messages can be specified.

  • The length of a message can be automatically prepended when rendering.

... (truncated)

Commits
  • 0a742b9 update CI
  • 0ea5ad0 The Tudoor fix should not eat valid Truncated exceptions #1053 (#1054)
  • f12d398 2.6.1 version prep
  • cecb853 Further improve CVE fix coverage to 100% for sync and async.
  • 7952e31 test IgnoreErrors
  • e093299 For the Tudoor fix, we also need the UDP nameserver to ignore_unexpected.
  • 3af9f78 2.6.0 versioning
  • ca63d95 Require cryptography >=41 instead of 42.
  • 902cbf3 Create CODE_OF_CONDUCT.md
  • ed9795f github contributing and pull request template
  • Additional commits viewable in compare view

Updates ansible from 6.0.0 to 8.5.0

Commits

Updates pymysql from 1.0.2 to 1.1.1

Release notes

Sourced from pymysql's releases.

v1.1.1

[!WARNING] This release fixes a vulnerability (CVE-2024-36039). All users are recommended to update to this version.

If you can not update soon, check the input value from untrusted source has an expected type. Only dict input from untrusted source can be an attack vector.

What's Changed

Merged PRs

New Contributors

Full Changelog: PyMySQL/PyMySQL@v1.1.0...v1.1.1

v1.1.0

What's Changed

... (truncated)

Changelog

Sourced from pymysql's changelog.

v1.1.1

Release date: 2024-05-21

[!WARNING] This release fixes a vulnerability (CVE-2024-36039). All users are recommended to update to this version.

If you can not update soon, check the input value from untrusted source has an expected type. Only dict input from untrusted source can be an attack vector.

  • Prohibit dict parameter for Cursor.execute(). It didn't produce valid SQL and might cause SQL injection. (CVE-2024-36039)
  • Added ssl_key_password param. #1145

v1.1.0

Release date: 2023-06-26

  • Fixed SSCursor raising OperationalError for query timeouts on wrong statement (#1032)
  • Exposed Cursor.warning_count to check for warnings without additional query (#1056)
  • Make Cursor iterator (#995)
  • Support '_' in key name in my.cnf (#1114)
  • Cursor.fetchall() returns empty list instead of tuple (#1115). Note that Cursor.fetchmany() still return empty tuple after reading all rows for compatibility with Django.
  • Deprecate Error classes in Cursor class (#1117)
  • Add Connection.set_character_set(charset, collation=None). This method is compatible with mysqlclient. (#1119)
  • Deprecate Connection.set_charset(charset) (#1119)
  • New connection always send "SET NAMES charset [COLLATE collation]" query. (#1119) Since collation table is vary on MySQL server versions, collation in handshake is fragile.
  • Support charset="utf8mb3" option (#1127)

v1.0.3

Release date: 2023-03-28

Commits

@dependabot
d79417f 
---
updated-dependencies:
- dependency-name: ansible
  dependency-type: direct:production
  dependency-group: pip
- dependency-name: pymysql
  dependency-type: direct:production
  dependency-group: pip
- dependency-name: dnspython
  dependency-type: direct:production
  dependency-group: pip
- dependency-name: ansible
  dependency-type: direct:production
  dependency-group: pip
- dependency-name: pymysql
  dependency-type: direct:production
  dependency-group: pip
- dependency-name: dnspython
  dependency-type: direct:production
  dependency-group: pip
- dependency-name: ansible
  dependency-type: direct:production
  dependency-group: pip
- dependency-name: pymysql
  dependency-type: direct:production
  dependency-group: pip
- dependency-name: dnspython
  dependency-type: direct:production
  dependency-group: pip
- dependency-name: ansible
  dependency-type: direct:production
  dependency-group: pip
- dependency-name: pymysql
  dependency-type: direct:production
  dependency-group: pip
- dependency-name: dnspython
  dependency-type: direct:production
  dependency-group: pip
- dependency-name: ansible
  dependency-type: direct:production
  dependency-group: pip
- dependency-name: pymysql
  dependency-type: direct:production
  dependency-group: pip
- dependency-name: dnspython
  dependency-type: direct:production
  dependency-group: pip
- dependency-name: ansible
  dependency-type: direct:production
  dependency-group: pip
- dependency-name: pymysql
  dependency-type: direct:production
  dependency-group: pip
- dependency-name: dnspython
  dependency-type: direct:production
  dependency-group: pip
...

Signed-off-by: dependabot[bot] <[email protected]>
@dependabot dependabot bot added the dependencies Pull requests that update a dependency file label May 21, 2024
@dependabot dependabot bot mentioned this pull request May 21, 2024
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants