security update: gunicorn, magpie, docker base

Ouranosinc · Apr 27, 2024 · 5a9f36c · 5a9f36c
1 parent e2aa533
commit 5a9f36c
Show file tree

Hide file tree

Showing 3 changed files with 11 additions and 5 deletions.
diff --git a/CHANGES.rst b/CHANGES.rst
@@ -7,18 +7,25 @@ Changes
 `Unreleased <https://github.com/Ouranosinc/cowbird/tree/master>`_ (latest)
 ------------------------------------------------------------------------------------
 
-* Nothing yet.
+Features / Changes
+~~~~~~~~~~~~~~~~~~~~~
+* Pin ``gunicorn>=22`` to address CVE-2024-1135.
+* Pin Docker base to ``python:3.11-alpine3.19`` for various security fixes.
+* Update ``magpie==4.0.0`` for corresponding fixes
+  (see `Changes: magpie @ 4.0.0 <https://github.com/Ouranosinc/Magpie/blob/master/CHANGES.rst#400-2024-04-26>`_).
 
 `2.3.0 <https://github.com/Ouranosinc/cowbird/tree/2.3.0>`_ (2023-11-30)
 ------------------------------------------------------------------------------------
 
+Features / Changes
+~~~~~~~~~~~~~~~~~~~~~
 * Add optional key ``field`` and ``regex`` to be used in the ``sync_permissions`` section found in the config.
   This allows to sync permissions using a field other than ``resource_full_name`` when creating the ``name:type``
   from the segment ``ex.: /field1::type1/field2::type2``. Adds support to use ``resource_display_name``.
 * The ``regex`` is used to extract the desired information from the ``nametype_path``. It should be used to do an
   exact match. This new search overrides the default way of matching each segment with the ``nametype_path``.
   In the case where a ``regex`` is found in the target segment, the data will be formed using the same ``resource_type``
-  for every match in the same segment. Similary, as using ``- name: "**"`` in the config to match multiple segment,
+  for every match in the same segment. Similarly, as using ``- name: "**"`` in the config to match multiple segment,
   it is possible to use a ``regex`` to match multiple resources in the same segment with ``regex: '(?<=:).*\/?(?=\/)'``
 
 `2.2.0 <https://github.com/Ouranosinc/cowbird/tree/2.2.0>`_ (2023-11-16)

diff --git a/docker/Dockerfile-base b/docker/Dockerfile-base
@@ -1,4 +1,4 @@
-FROM python:3.10-alpine
+FROM python:3.11-alpine3.19
 LABEL description.short="Cowbird base"
 LABEL description.long="Cowbird middleware to manage interactions between various birds of the bird-house stack."
 LABEL Maintainer="Ouranos, CRIM"

diff --git a/requirements.txt b/requirements.txt
@@ -5,9 +5,8 @@ cornice>=5
 cornice_swagger>=0.7.0
 dicttoxml>=1.7.16
 # flag --paste breaks for >20 unless using pserve
-gunicorn<20; python_version < "3.5"  # pyup: ignore
 gunicorn>=20
-magpie @ git+https://github.com/Ouranosinc/Magpie@3.34.0
+magpie @ git+https://github.com/Ouranosinc/Magpie@4.0.0
 paste
 pastedeploy
 pymongo[srv]>=4.4,<5  # required to work with pinned celery