From: "Chang, Abner via groups.io"
To: Nickle Wang, "devel@edk2.groups.io"
CC: Igor Kulchytskyy, Nick Ramirez
Subject: Re: [edk2-devel] [edk2-redfish-client][PATCH] Tool/Redfish-Profile-Simulator: fix Werkzeug security issue
Date: Thu, 9 May 2024 12:45:54 +0000
Message-ID:
References: <20240508080912.1914-1-nicklew@nvidia.com>
In-Reply-To: <20240508080912.1914-1-nicklew@nvidia.com>
[AMD Official Use Only - General]

Reviewed-by: Abner Chang

> -----Original Message-----
> From: Nickle Wang
> Sent: Wednesday, May 8, 2024 4:09 PM
> To: devel@edk2.groups.io
> Cc: Chang, Abner; Igor Kulchytskyy; Nick Ramirez
> Subject: [edk2-redfish-client][PATCH] Tool/Redfish-Profile-Simulator: fix Werkzeug security issue
>
> Upgrade Werkzeug to version 3.0.3 to address CVE-2024-34069
>
> Signed-off-by: Nickle Wang
> Cc: Abner Chang
> Cc: Igor Kulchytskyy
> Cc: Nick Ramirez
> ---
>  Tools/Redfish-Profile-Simulator/redfishProfileSimulator.py | 7 ++++---
>  Tools/Redfish-Profile-Simulator/requirements.txt           | 6 ++----
>  2 files changed, 6 insertions(+), 7 deletions(-)
>
> diff --git a/Tools/Redfish-Profile-Simulator/redfishProfileSimulator.py b/Tools/Redfish-Profile-Simulator/redfishProfileSimulator.py
> index 91c792a2b..58697328a 100644
> --- a/Tools/Redfish-Profile-Simulator/redfishProfileSimulator.py
> +++ b/Tools/Redfish-Profile-Simulator/redfishProfileSimulator.py
> @@ -1,6 +1,7 @@
>  # Copyright Notice:
>  #
>  # Copyright (c) 2019, Intel Corporation. All rights reserved.
> +# Copyright (c) 2024, NVIDIA CORPORATION & AFFILIATES. All rights reserved.
>  # SPDX-License-Identifier: BSD-2-Clause-Patent
>  #
>  # Copyright Notice:
> @@ -89,8 +90,8 @@ class PreconditionRequired(werkzeug.exceptions.HTTPException):
>
>  def main(argv):
>      #Monkey patch the set_etag() method for conditional request.
> -    _old_set_etag = werkzeug.ETagResponseMixin.set_etag
> -    @functools.wraps(werkzeug.ETagResponseMixin.set_etag)
> +    _old_set_etag = werkzeug.wrappers.Response.set_etag
> +    @functools.wraps(werkzeug.wrappers.Response.set_etag)
>      def _new_set_etag(self, etag, weak=False):
>          # only check the first time through; when called twice
>          # we're modifying
> @@ -107,7 +108,7 @@ def main(argv):
>              raise NotModified
>          flask.g.condtnl_etags_start = False
>          _old_set_etag(self, etag, weak)
> -    werkzeug.ETagResponseMixin.set_etag = _new_set_etag
> +    werkzeug.wrappers.Response.set_etag = _new_set_etag
>
>      # set default option args
>      rf_profile_path = os.path.abspath("./MockupData/SimpleOcpServerV1")
> diff --git a/Tools/Redfish-Profile-Simulator/requirements.txt b/Tools/Redfish-Profile-Simulator/requirements.txt
> index 359a81446..83d2d8130 100644
> --- a/Tools/Redfish-Profile-Simulator/requirements.txt
> +++ b/Tools/Redfish-Profile-Simulator/requirements.txt
> @@ -1,5 +1,3 @@
> -Werkzeug==0.16
> -Jinja2==3.0.3
> -itsdangerous==2.0.1
> -flask==1.1.1
> +Werkzeug>=3.0.3
> +flask==3.0.0
>  pyOpenSSL
> --
> 2.34.1

View/Reply Online (#118765): https://edk2.groups.io/g/devel/message/118765