Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

pyup: Scheduled weekly dependency update for week 24 #8262

Merged
merged 12 commits into from Jun 15, 2021

Conversation

pyup-bot
Copy link
Collaborator

Update django from 2.2.23 to 2.2.24.

Changelog

2.2.24

===========================

*June 2, 2021*

Django 2.2.24 fixes two security issues in 2.2.23.

CVE-2021-33203: Potential directory traversal via ``admindocs``
===============================================================

Staff members could use the :mod:`~django.contrib.admindocs`
``TemplateDetailView`` view to check the existence of arbitrary files.
Additionally, if (and only if) the default admindocs templates have been
customized by the developers to also expose the file contents, then not only
the existence but also the file contents would have been exposed.

As a mitigation, path sanitation is now applied and only files within the
template root directories can be loaded.

CVE-2021-33571: Possible indeterminate SSRF, RFI, and LFI attacks since validators accepted leading zeros in IPv4 addresses
===========================================================================================================================

:class:`~django.core.validators.URLValidator`,
:func:`~django.core.validators.validate_ipv4_address`, and
:func:`~django.core.validators.validate_ipv46_address` didn't prohibit leading
zeros in octal literals. If you used such values you could suffer from
indeterminate SSRF, RFI, and LFI attacks.

:func:`~django.core.validators.validate_ipv4_address` and
:func:`~django.core.validators.validate_ipv46_address` validators were not
affected on Python 3.9.5+.


===========================
Links

Update kombu from 5.0.2 to 5.1.0.

Changelog

5.1.0

=====
:release-date: 2021-05-23 7:00 P.M UTC+3:00
:release-by: Omer Katz

- Fix queue names special characters replacement for Azure Service Bus. (1324)
- Add support for SQLAlchemy 1.4. (1328)
- Coerce seconds argument to a floating point number in ``Timer.enter_after``. (1330)
- Add accept parameter to SimpleQueue class. (1140)
- ``prepare_accept_content()`` now raises ``SerializerNotInstalled`` instead of ``KeyError``. (1343)

.. _version-5.1.0b1:

5.1.0b1

=======
:release-date: 2021-04-01 10:30 P.M UTC+6:00
:release-by: Asiff Saif Uddin

- Wheels are no longer universal.
- Revert "Added redis transport key_prefix from envvars".
- Redis Transport: Small improvements of `SentinelChannel` (1253).
- Fix pidbox not using default channels.
- Revert "on worker restart - restore visible regardless to time (905)".
- Add vine to dependencies.
- Pin urllib3<1.26 to fix failing unittests.
- Add timeout to producer publish (1269).
- Remove python2 compatibility code (1277).
- redis: Support Sentinel with SSL.
- Support for Azure Service Bus 7.0.0 (1284).
- Allow specifying session token (1283).
- kombu/asynchronous/http/curl: implement _set_timeout.
- Disable namedtuple to object feature in simplejson (1297).
- Update to tox docker 2.0.
- SQS back-off policy (1301).
- Fixed SQS unittests.
- Fix: non kombu json message decoding in SQS transport (1306).
- Add Github Actions CI (1309).
- Update default pickle protocol version to 4 (1314).
- Update connection.py (1311).
- Drop support for the lzma backport.
- Drop obsolete code importing pickle (1315).
- Update default login method for librabbitmq and pyamqp (936).
- SQS Broker - handle STS authentication with AWS (1322).
- Min py-amqp version is v5.0.6 (1325).
- Numerous docs & example fixes.
- Use a thread-safe implementation of cached_property (1316).


.. _version-5.0.2:
Links

Update celery from 5.0.5 to 5.1.0.

Changelog

5.1.0

=====
:release-date: 2021-05-23 7:00 P.M UTC+3:00
:release-by: Omer Katz

- Fix queue names special characters replacement for Azure Service Bus. (1324)
- Add support for SQLAlchemy 1.4. (1328)
- Coerce seconds argument to a floating point number in ``Timer.enter_after``. (1330)
- Add accept parameter to SimpleQueue class. (1140)
- ``prepare_accept_content()`` now raises ``SerializerNotInstalled`` instead of ``KeyError``. (1343)

.. _version-5.1.0b1:

5.1.0rc1

========
:release-date: 2021-05-02 16.06 P.M UTC+3:00
:release-by: Omer Katz

- Celery Mailbox accept and serializer parameters are initialized from configuration. (6757)
- Error propagation and errback calling for group-like signatures now works as expected. (6746)
- Fix sanitization of passwords in sentinel URIs. (6765)
- Add LOG_RECEIVED to customize logging. (6758)

.. _version-5.1.0b2:

5.1.0b2

=======
:release-date: 2021-05-02 16.06 P.M UTC+3:00
:release-by: Omer Katz

- Fix the behavior of our json serialization which regressed in 5.0. (6561)
- Add support for SQLAlchemy 1.4. (6709)
- Safeguard against schedule entry without kwargs. (6619)
- ``task.apply_async(ignore_result=True)`` now avoids persisting the results. (6713)
- Update systemd tmpfiles path. (6688)
- Ensure AMQPContext exposes an app attribute. (6741)
- Inspect commands accept arguments again (6710).
- Chord counting of group children is now accurate. (6733)
- Add a setting :setting:`worker_cancel_long_running_tasks_on_connection_loss`
to terminate tasks with late acknowledgement on connection loss. (6654)
- The ``task-revoked`` event and the ``task_revoked` signal are not duplicated
when ``Request.on_failure`` is called. (6654)
- Restore pickling support for ``Retry``. (6748)
- Add support in the redis result backend for authenticating with a username. (6750)
- The :setting:`worker_pool` setting is now respected correctly. (6711)

.. _version-5.1.0b1:

5.1.0b1

=======
:release-date: 2021-04-01 10:30 P.M UTC+6:00
:release-by: Asiff Saif Uddin

- Wheels are no longer universal.
- Revert "Added redis transport key_prefix from envvars".
- Redis Transport: Small improvements of `SentinelChannel` (1253).
- Fix pidbox not using default channels.
- Revert "on worker restart - restore visible regardless to time (905)".
- Add vine to dependencies.
- Pin urllib3<1.26 to fix failing unittests.
- Add timeout to producer publish (1269).
- Remove python2 compatibility code (1277).
- redis: Support Sentinel with SSL.
- Support for Azure Service Bus 7.0.0 (1284).
- Allow specifying session token (1283).
- kombu/asynchronous/http/curl: implement _set_timeout.
- Disable namedtuple to object feature in simplejson (1297).
- Update to tox docker 2.0.
- SQS back-off policy (1301).
- Fixed SQS unittests.
- Fix: non kombu json message decoding in SQS transport (1306).
- Add Github Actions CI (1309).
- Update default pickle protocol version to 4 (1314).
- Update connection.py (1311).
- Drop support for the lzma backport.
- Drop obsolete code importing pickle (1315).
- Update default login method for librabbitmq and pyamqp (936).
- SQS Broker - handle STS authentication with AWS (1322).
- Min py-amqp version is v5.0.6 (1325).
- Numerous docs & example fixes.
- Use a thread-safe implementation of cached_property (1316).


.. _version-5.0.2:

5.0.6

=====
:release-date: 2021-04-01 10:45 A.M. UTC+6:00
:release-by: Asif Saif Uddin

- Change the order in which context.check_hostname and context.verify_mode get set
in SSLTransport._wrap_socket_sni. Fixes bug introduced in 5.0.3 where setting
context.verify_mode = ssl.CERT_NONE would raise
"ValueError: Cannot set verify_mode to CERT_NONE when check_hostname is enabled."
Setting context.check_hostname prior to setting context.verify_mode resolves the
issue.
- Remove TCP_USER_TIMEOUT option for Solaris (355) 
- Pass long_description to setup() (353)
- Fix for tox-docker 2.0
- Moved to GitHub actions CI (359)

.. _version-5.0.5:
Links

Update elasticsearch from 7.12.1 to 7.13.1.

The bot wasn't able to find a changelog for this release. Got an idea?

Links

Update stripe from 2.57.0 to 2.58.0.

Changelog

2.58.0

* [722](https://github.com/stripe/stripe-python/pull/722) API Updates
* Add support for new `TaxCode` API.
Links

Update django-crispy-forms from 1.11.2 to 1.12.0.

Changelog

1.12.0

* Fixed rendering of grouped checkboxes and radio inputs in the Bootstrap 4 template pack. (1155)
* Introduced new `input_size` argument to `AppendedText`, `PrependedText` and `PrependedAppendedText`. This allows
the size of these grouped inputs to be changed in the Bootstrap 4 template pack. (1114)
* Confirmed support for Django 3.2
* Dropped support for Python 3.5
* Dropped support for Django 3.0

See the [1.12.0 Milestone](https://github.com/django-crispy-forms/django-crispy-forms/milestone/16?closed=1) for the full change list.
Links

Update ipdb from 0.13.7 to 0.13.9.

Changelog

0.13.9

-------------------

- Fix again when `pyproject.toml` does not contain `tool` section.
[markab108]

0.13.8

-------------------

- Fix when `pyproject.toml` does not contain `tool` section.
[anjos]

- Add the convenience function ``iex()``.
[alanbernstein]
Links

Update pytest-django from 4.3.0 to 4.4.0.

Changelog

4.4.0

-------------------

Improvements
^^^^^^^^^^^^

* Add a fixture :fixture:`django_capture_on_commit_callbacks` to capture
:func:`transaction.on_commit() <django.db.transaction.on_commit>` callbacks
in tests.
Links

Update pytest-cov from 2.12.0 to 2.12.1.

Changelog

2.12.1

-------------------

* Changed the `toml` requirement to be always be directly required (instead of being required through a coverage extra).
This fixes issues with pip-compile (`pip-tools1300 <https://github.com/jazzband/pip-tools/issues/1300>`_).
Contributed by Sorin Sbarnea in `472 <https://github.com/pytest-dev/pytest-cov/pull/472>`_.
* Documented ``show_contexts``.
Contributed by Brian Rutledge in `473 <https://github.com/pytest-dev/pytest-cov/pull/473>`_.
Links

Update execnet from 1.8.0 to 1.9.0.

Changelog

1.9.0

------------------

* Removed the ``apipkg`` dependency.

1.8.1

------------------

* Update calls of `threading.Event.isSet()` to `threading.Event.is_set()`, which avoids a deprecation warning with Python 3.10.
Links

Update requests-mock from 1.9.2 to 1.9.3.

Changelog

1.9.3

Minor improvement to typing annotations.
Links

Copy link
Member

@humitos humitos left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We can merge it after today's deployment.

@stsewd stsewd merged commit c3f0d4c into master Jun 15, 2021
@stsewd stsewd deleted the pyup/scheduled-update-2021-06-14 branch June 15, 2021 23:20
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

None yet

3 participants