Fix CVE-2023-40267 (ansible#14388)

TheRealHaoLiu · djyasin · commit dceb0e76c69b · 2024-11-11T09:54:13.000-05:00
CVE-2023-40267 GitPython: Insecure non-multi options in clone and clone_from is not blocked https://bugzilla.redhat.com/show_bug.cgi?id=2231474 GitPython before 3.1.32 does not block insecure non-multi options in clone and clone_from. NOTE: this issue exists because of an incomplete fix for CVE-2022-24439. References: gitpython-developers/GitPython@ca965ec gitpython-developers/GitPython#1609
diff --git a/requirements/requirements.in b/requirements/requirements.in
@@ -26,7 +26,7 @@ django-split-settings==1.0.0    # We hit a strange issue where the release proce
 djangorestframework
 djangorestframework-yaml
 filelock
-GitPython>=3.1.30  # CVE-2022-24439
+GitPython>=3.1.32  # CVE-2023-40267
 hiredis==2.0.0  # see UPGRADE BLOCKERs
 irc
 jinja2
diff --git a/requirements/requirements.txt b/requirements/requirements.txt
@@ -155,7 +155,7 @@ frozenlist==1.3.3
     #   aiosignal
 gitdb==4.0.10
     # via gitpython
-gitpython==3.1.30
+gitpython==3.1.32
     # via -r /awx_devel/requirements/requirements.in
 google-auth==2.14.1
     # via kubernetes
