From: "Nickle Wang via groups.io"
CC: Abner Chang, Igor Kulchytskyy, "Nick Ramirez"
Subject: [edk2-devel] [edk2-redfish-client][PATCH] Tool/Redfish-Profile-Simulator: fix Werkzeug security issue
Date: Wed, 8 May 2024 16:09:12 +0800
Message-ID: <20240508080912.1914-1-nicklew@nvidia.com>
Mailing-List: list devel@edk2.groups.io; contact devel+owner@edk2.groups.io
Reply-To: devel@edk2.groups.io,nicklew@nvidia.com
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain

Upgrade Werkzeug to version 3.0.3 to address CVE-2024-34069

Signed-off-by: Nickle Wang
Cc: Abner Chang
Cc: Igor Kulchytskyy
Cc: Nick Ramirez
---
 Tools/Redfish-Profile-Simulator/redfishProfileSimulator.py | 7 ++++---
 Tools/Redfish-Profile-Simulator/requirements.txt | 6 ++----
 2 files changed, 6 insertions(+), 7 deletions(-)

diff --git a/Tools/Redfish-Profile-Simulator/redfishProfileSimulator.py b/T= ools/Redfish-Profile-Simulator/redfishProfileSimulator.py index 91c792a2b..58697328a 100644 --- a/Tools/Redfish-Profile-Simulator/redfishProfileSimulator.py +++ b/Tools/Redfish-Profile-Simulator/redfishProfileSimulator.py @@ -1,6 +1,7 @@ # Copyright Notice: # # Copyright (c) 2019, Intel Corporation. All rights reserved.
+# Copyright (c) 2024, NVIDIA CORPORATION & AFFILIATES. All rights reserved= . # SPDX-License-Identifier: BSD-2-Clause-Patent # # Copyright Notice: @@ -89,8 +90,8 @@ class PreconditionRequired(werkzeug.exceptions.HTTPExcept= ion): =20 def main(argv): #Monkey patch the set_etag() method for conditional request. - _old_set_etag =3D werkzeug.ETagResponseMixin.set_etag - @functools.wraps(werkzeug.ETagResponseMixin.set_etag) + _old_set_etag =3D werkzeug.wrappers.Response.set_etag + @functools.wraps(werkzeug.wrappers.Response.set_etag) def _new_set_etag(self, etag, weak=3DFalse): # only check the first time through; when called twice # we're modifying @@ -107,7 +108,7 @@ def main(argv): raise NotModified flask.g.condtnl_etags_start =3D False _old_set_etag(self, etag, weak) - werkzeug.ETagResponseMixin.set_etag =3D _new_set_etag + werkzeug.wrappers.Response.set_etag =3D _new_set_etag =20 # set default option args rf_profile_path =3D os.path.abspath("./MockupData/SimpleOcpServerV1") diff --git a/Tools/Redfish-Profile-Simulator/requirements.txt b/Tools/Redfi= sh-Profile-Simulator/requirements.txt index 359a81446..83d2d8130 100644 --- a/Tools/Redfish-Profile-Simulator/requirements.txt +++ b/Tools/Redfish-Profile-Simulator/requirements.txt @@ -1,5 +1,3 @@ -Werkzeug=3D=3D0.16 -Jinja2=3D=3D3.0.3 -itsdangerous=3D=3D2.0.1 -flask=3D=3D1.1.1 +Werkzeug>=3D3.0.3 +flask=3D=3D3.0.0 pyOpenSSL --=20 2.34.1
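Review bot: In the hunk at @@ -89,8 +90,8 @@, the new attribute path `werkzeug.wrappers.Response.set_etag` reaches a subpackage through the top-level `werkzeug` name, which only resolves if `werkzeug.wrappers` has already been imported by something else before `main()` runs (Flask does so today, which is why this works in practice). Add an explicit `import werkzeug.wrappers` beside the existing `werkzeug` import so the monkey patch does not depend on Flask's import order. The `-`/`+` pair in this hunk also shows how version-sensitive the patch is: the 0.16 path `werkzeug.ETagResponseMixin.set_etag` no longer resolves under the 3.x requirement, so a `hasattr(werkzeug.wrappers.Response, "set_etag")` check that fails with a clear message at startup would make the next API move easy to diagnose rather than surfacing as a bare `AttributeError`.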
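Review bot: The hunk at @@ -107,7 +108,7 @@ installs `_new_set_etag` on `werkzeug.wrappers.Response` for the whole process, but nothing near the assignment records that this is the Werkzeug 3.x home of `set_etag` or that the override must track Werkzeug's class layout; a one-line comment above `werkzeug.wrappers.Response.set_etag =3D _new_set_etag`, for example `# Werkzeug >= 3.0: set_etag lives on wrappers.Response (was ETagResponseMixin in 0.16)`, would save the next upgrade from rediscovering this.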
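Review bot: In the requirements.txt hunk, `Werkzeug>=3D3.0.3` is open-ended while `flask=3D=3D3.0.0` is pinned exactly, so a future Werkzeug major release would be accepted by this file even though this same patch demonstrates that the simulator's monkey patch breaks when Werkzeug relocates `set_etag`; consider `Werkzeug>=3.0.3,<4` (or an exact pin, matching the commit message's "version 3.0.3") so the CVE-2024-34069 fix is picked up without inviting the next API break. Dropping the `Jinja2=3D=3D3.0.3` and `itsdangerous=3D=3D2.0.1` pins is acceptable because Flask pulls both in transitively, but it does mean those versions are no longer reproducible from this file; `pyOpenSSL` stays unpinned as before.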