update requests>=2.32 and docker>=7.1 (address CVE-2024-35195, closes #…

…650, closes #651)
crim-ca · May 23, 2024 · 34fc859 · 34fc859
1 parent e166157
commit 34fc859
Show file tree

Hide file tree

Showing 2 changed files with 5 additions and 11 deletions.
diff --git a/CHANGES.rst b/CHANGES.rst
@@ -41,13 +41,11 @@ Fixes:
 - Fix `CWL` ``Workflow`` resolution of step ``requirements`` from one of the `Weaver` application types
   (i.e.: ``builtin``, ``docker``, ``ESGF-CWT``, ``OGCAPI``, ``WPS1``) due to ``cwltool`` namespace adding a
   prefixed URI.
-- Pin ``requests!=2.32`` to avoid issue with ``docker-py`` custom adapter not (yet) supporting it
+- Pin ``requests>=2.32`` and ``docker>=7.1`` (Python Package) to address
+  `CVE-2024-35195 <https://nvd.nist.gov/vuln/detail/CVE-2024-35195>`_ to avoid inconsistent ``verify``
+  option over multiple requests when using a session
   (relates to `psf/requests#6710 <https://github.com/psf/requests/pull/6710>`_
   and `docker/docker-py#3257 <https://github.com/docker/docker-py/pull/3257>`_).
-  Pinning ``requests>=2.32.2`` *should* be applied when possible (when ``docker-py`` is released) to address
-  `CVE-2024-35195 <https://nvd.nist.gov/vuln/detail/CVE-2024-35195>`_. However, the corresponding ``verify=False``
-  option affected by this CVE is not recommended for use in `Weaver`, and should be avoided entirely anyway.
-  Could affect *requests options* if the corresponding ``verify: false`` configuration was employed.
 
 .. _changes_5.3.0:
 

diff --git a/requirements.txt b/requirements.txt
@@ -33,7 +33,7 @@ cryptography
 # (https://github.com/common-workflow-language/common-workflow-language/issues/587)
 ### git+https://github.com/crim-ca/cwltool@docker-gpu#egg=cwltool
 cwltool==3.1.20230906142556
-docker
+docker>=7.1
 duration
 esgf-compute-api @ git+https://github.com/ESGF/esgf-compute-api.git@v2.3.7
 # invalid 'zarr' requirement in 'geotiff' dependencies required by 'pywps' fail to install
@@ -82,11 +82,7 @@ pytz
 pywps==4.6.0
 pyyaml>=5.2
 rdflib>=5  # pyup: ignore
-# FIXME: temporary workaround
-# 'requests=2.32' needed for CVE-2024-35195
-# (https://github.com/psf/requests/releases/tag/v2.32.0, https://github.com/psf/requests/pull/6710)
-# however, https://github.com/docker/docker-py/pull/3257 not yet released, 'docker-py' broken by 'requests=2.32' change
-requests!=2.32.*
+requests>=2.32
 requests_file
 ruamel.yaml>=0.16
 # force use of later mistune (https://github.com/common-workflow-language/schema_salad/pull/619#issuecomment-1346025607)