From 19a6b0a33066b81ceabf0a8e883c597d333ec4ad Mon Sep 17 00:00:00 2001
From: mickael e
Date: Mon, 15 Apr 2019 14:10:53 -0400
Subject: [PATCH 1/4] Update Jinja to 2.10.1

Address CVE-2019-10906

develop-requirements uses Molecule and the version of Jinja used by Molecule is locked in https://github.com/ansible/molecule/blob/master/setup.cfg#L80 . This will require an upsteam change as pip will not be able to compile the requirements.

---
 admin/requirements.txt | 7 +++----
 .../requirements/securedrop-app-code-requirements.in | 2 +-
 .../requirements/securedrop-app-code-requirements.txt | 2 +-
 securedrop/requirements/test-requirements.txt | 2 +-
 4 files changed, 6 insertions(+), 7 deletions(-)

diff --git a/admin/requirements.txt b/admin/requirements.txt
index e37918e268..d5fae836ae 100644
--- a/admin/requirements.txt
+++ b/admin/requirements.txt
@@ -103,10 +103,9 @@ idna==2.6 \
 ipaddress==1.0.19 \
     --hash=sha256:200d8686011d470b5e4de207d803445deee427455cd0cb7c982b68cf82524f81 \
     # via cryptography
-jinja2==2.10 \
-    --hash=sha256:74c935a1b8bb9a3947c50a54766a969d4846290e1e788ea44c1392163723c3bd \
-    --hash=sha256:f84be1bb0040caca4cea721fcbbbbd61f9be9464ca236387158b0feea01914a4 \
-    # via ansible
+jinja2==2.10.1 \
+    --hash=sha256:065c4f02ebe7f7cf559e49ee5a95fb800a9e4528727aec6f24402a5374c65013 \
+    --hash=sha256:14dd6caf1527abb21f08f86c784eac40853ba93edb79552aa1e4b8aef1b61c7b
 markupsafe==1.0 \
     --hash=sha256:a6be69091dac236ea9c6bc7d012beab42010fa914c459791d627dad4910eb665 \
     # via jinja2
diff --git a/securedrop/requirements/securedrop-app-code-requirements.in b/securedrop/requirements/securedrop-app-code-requirements.in
index f9ec691004..75702557ff 100644
--- a/securedrop/requirements/securedrop-app-code-requirements.in
+++ b/securedrop/requirements/securedrop-app-code-requirements.in
@@ -6,7 +6,7 @@ Flask-Babel
 Flask-SQLAlchemy
 Flask-WTF
 Flask>0.12.2
-Jinja2
+Jinja2>=2.10.1
 jsmin
 passlib
 pretty-bad-protocol>=3.1.1
diff --git a/securedrop/requirements/securedrop-app-code-requirements.txt b/securedrop/requirements/securedrop-app-code-requirements.txt
index 9d010f6562..b7871e9cf1 100644
--- a/securedrop/requirements/securedrop-app-code-requirements.txt
+++ b/securedrop/requirements/securedrop-app-code-requirements.txt
@@ -19,7 +19,7 @@ flask-wtf==0.14.2
 flask==1.0.2
 ipaddress==1.0.22 # via cryptography
 itsdangerous==0.24 # via flask
-jinja2==2.10
+jinja2==2.10.1
 jsmin==2.2.2
 mako==1.0.7 # via alembic
 markupsafe==1.0 # via jinja2, mako
diff --git a/securedrop/requirements/test-requirements.txt b/securedrop/requirements/test-requirements.txt
index 05d90f9f20..11224d0ae1 100644
--- a/securedrop/requirements/test-requirements.txt
+++ b/securedrop/requirements/test-requirements.txt
@@ -17,7 +17,7 @@ flask==1.0.2 # via flask-testing
 funcsigs==1.0.2 # via mock, pytest
 idna==2.8 # via requests
 itsdangerous==0.24 # via flask
-jinja2==2.10 # via flask
+jinja2==2.10.1 # via flask
 markupsafe==1.0 # via jinja2
 mock==2.0.0
 pbr==3.1.1 # via mock

From 45fcd7b03340a075412c54b9c6d529b51b27266c Mon Sep 17 00:00:00 2001
From: mickael e
Date: Mon, 15 Apr 2019 14:28:29 -0400
Subject: [PATCH 2/4] Bump Ansible to 2.6.14

Address CVE-2019-3828

---
 admin/requirements.txt | 4 ++--
 .../ansible-base/callback_plugins/ansible_version_check.py | 2 +-
 securedrop/requirements/develop-requirements.txt | 2 +-
 3 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/admin/requirements.txt b/admin/requirements.txt
index d5fae836ae..ab3611d69a 100644
--- a/admin/requirements.txt
+++ b/admin/requirements.txt
@@ -4,8 +4,8 @@
 #
 #    pip-compile --generate-hashes --output-file requirements.txt requirements.in requirements-ansible.in
 #
-ansible==2.6.8 \
-    --hash=sha256:012649806427e630ef8e8b71d42483af882bc39ade3b19e1f369b14c0afd5b87
+ansible==2.6.14 \
+    --hash=sha256:412f130f4c5d1953ccd95f01b5a4675cbff4ba225762bafb74a2f3bb6c807827
 asn1crypto==0.24.0 \
     --hash=sha256:2f1adbb7546ed199e3c90ef23ec95c5cf3585bac7d11fb7eb562a3fe89c64e87 \
     --hash=sha256:9d5c20441baf0cb60a4ac34cc447c6c189024b6b4c6cd7877034f4965c464e49 \
diff --git a/install_files/ansible-base/callback_plugins/ansible_version_check.py b/install_files/ansible-base/callback_plugins/ansible_version_check.py
index 70e74eee28..f0f50a881f 100644
--- a/install_files/ansible-base/callback_plugins/ansible_version_check.py
+++ b/install_files/ansible-base/callback_plugins/ansible_version_check.py
@@ -21,7 +21,7 @@ class CallbackModule(CallbackBase):
     def __init__(self):
         # Can't use `on_X` because this isn't forwards compatible
         # with Ansible 2.0+
-        required_version = '2.6.8'  # Keep synchronized with requirements files
+        required_version = '2.6.14'  # Keep synchronized with requirements files
         if not ansible.__version__.startswith(required_version):
             print_red_bold(
                 "SecureDrop restriction: only Ansible {version}.*"
diff --git a/securedrop/requirements/develop-requirements.txt b/securedrop/requirements/develop-requirements.txt
index d8c352b0d2..26081d64c9 100644
--- a/securedrop/requirements/develop-requirements.txt
+++ b/securedrop/requirements/develop-requirements.txt
@@ -6,7 +6,7 @@
 #
 alabaster==0.7.10 # via sphinx
 ansible-lint==3.4.23 # via molecule
-ansible==2.6.8
+ansible==2.6.14
 anyconfig==0.9.7 # via molecule
 apipkg==1.4 # via execnet
 argh==0.26.2 # via sphinx-autobuild, watchdog

From 2f0d1414e3c29b0bb04505b768ca4e2ba8d64ecf Mon Sep 17 00:00:00 2001
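Review bot: The `required_version` literal is still a third hand-copied pin next to admin/requirements.txt and develop-requirements.txt, and the `startswith` test on the next line is a prefix match, so `'2.6.14'` would also accept a hypothetical `2.6.140` while the comment only promises "keep synchronized". Since this plugin is what stops a playbook from running on an Ansible still affected by CVE-2019-3828, the pin drifting silently on the next bump is the real risk; at minimum compare components rather than a prefix, `if ansible.__version__.split('.')[:3] != required_version.split('.'):`, and consider a test that asserts this constant equals the `ansible==` line in admin/requirements.txt. The message on the last visible line says `{version}.*`, so if a `.post`/`.dev` suffix is meant to be allowed, say so in the comment. `__init__`'s body continues past the end of the hunk.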
From: mickael e
Date: Tue, 16 Apr 2019 13:11:05 -0400
Subject: [PATCH 3/4] Update SQLAlchemy to 1.3.0

Address CVE-2019-7164 and CVE-2019-7548

---
 securedrop/requirements/securedrop-app-code-requirements.in | 2 +-
 securedrop/requirements/securedrop-app-code-requirements.txt | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/securedrop/requirements/securedrop-app-code-requirements.in b/securedrop/requirements/securedrop-app-code-requirements.in
index 75702557ff..4484cca207 100644
--- a/securedrop/requirements/securedrop-app-code-requirements.in
+++ b/securedrop/requirements/securedrop-app-code-requirements.in
@@ -17,6 +17,6 @@ redis
 rq
 scrypt
 sh
-SQLAlchemy
+SQLAlchemy>=1.3.0
 typing
 Werkzeug
diff --git a/securedrop/requirements/securedrop-app-code-requirements.txt b/securedrop/requirements/securedrop-app-code-requirements.txt
index b7871e9cf1..17f9b861e0 100644
--- a/securedrop/requirements/securedrop-app-code-requirements.txt
+++ b/securedrop/requirements/securedrop-app-code-requirements.txt
@@ -37,7 +37,7 @@ rq==0.10.0
 scrypt==0.8.0
 sh==1.12.14
 six==1.11.0 # via argon2-cffi, cryptography, python-dateutil, qrcode
-sqlalchemy==1.2.0
+sqlalchemy==1.3.3
 typing==3.6.4
 webassets==0.12.1 # via flask-assets
 werkzeug==0.14.1

From 53ef10666ffa06cbe846646cf9470401f8b25ebc Mon Sep 17 00:00:00 2001
From: mickael e
Date: Tue, 16 Apr 2019 15:56:17 -0400
Subject: [PATCH 4/4] Fix Journalist interface test

SQLAlchemy output has changed slightly in newer versions.

---
 securedrop/tests/test_journalist.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/securedrop/tests/test_journalist.py b/securedrop/tests/test_journalist.py
index 324ada9bae..137bff7fdf 100644
--- a/securedrop/tests/test_journalist.py
+++ b/securedrop/tests/test_journalist.py
@@ -1148,10 +1148,10 @@ def test_admin_add_user_integrity_error(journalist_app, test_admin, mocker):
     log_event = mocked_error_logger.call_args[0][0]
     if six.PY2:
         assert ("Adding user 'username' failed: (__builtin__.NoneType) "
-                "None [SQL: 'STATEMENT'] [parameters: 'PARAMETERS']") in log_event
+                "None\n[SQL: STATEMENT]\n[parameters: 'PARAMETERS']") in log_event
     else:
         assert ("Adding user 'username' failed: (builtins.NoneType) "
-                "None [SQL: 'STATEMENT'] [parameters: 'PARAMETERS']") in log_event
+                "None\n[SQL: STATEMENT]\n[parameters: 'PARAMETERS']") in log_event


 def test_logo_upload_with_valid_image_succeeds(journalist_app, test_admin):
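Review bot: Both new assertion lines pin the exact `str()` rendering of the SQLAlchemy exception, newlines and bracket quoting included, which is precisely what broke between 1.2 and 1.3 and will break again on the next library bump; asserting the stable parts separately, `assert "Adding user 'username' failed:" in log_event` plus `assert "STATEMENT" in log_event and "'PARAMETERS'" in log_event`, keeps the test about the application's logging rather than the library's formatting and also collapses the PY2/PY3 branches to a single check on the module name. The assertion also shows that the error log carries the exception's `[parameters: ...]` section verbatim; for a real add-user IntegrityError those parameters would be the inserted row values, so it is worth confirming in the production code path (outside this hunk) that credential material such as password hashes or OTP secrets cannot end up in the error log. `test_admin_add_user_integrity_error` starts before the hunk; only its tail is visible here.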