From patchwork Wed Sep 18 13:06:40 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: WangYuli X-Patchwork-Id: 13806885 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from gabe.freedesktop.org (gabe.freedesktop.org [131.252.210.177]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.lore.kernel.org (Postfix) with ESMTPS id BE9DFCCD1A3 for ; Wed, 18 Sep 2024 13:08:36 +0000 (UTC) Received: from gabe.freedesktop.org (localhost [127.0.0.1]) by gabe.freedesktop.org (Postfix) with ESMTP id 7AB5810E58B; Wed, 18 Sep 2024 13:08:35 +0000 (UTC) Authentication-Results: gabe.freedesktop.org; dkim=pass (1024-bit key; unprotected) header.d=uniontech.com header.i=@uniontech.com header.b="Z3SW64OM"; dkim-atps=neutral Received: from bg5.exmail.qq.com (bg5.exmail.qq.com [43.154.209.5]) by gabe.freedesktop.org (Postfix) with ESMTPS id C564310E58B for ; Wed, 18 Sep 2024 13:08:33 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=uniontech.com; s=onoh2408; t=1726664862; bh=/TNrOWNbUPEthzfhqHJKmziu43+uHykeH5RpYdRgBZo=; h=From:To:Subject:Date:Message-ID:MIME-Version; b=Z3SW64OMOBtGfqzLUy6I5lTreJeqQ0EsebeegI39D5OuC7FgVtgcM6gfLPynlcbiC Y0CrGsEuIWojJ5hNCwK3udoHUv2jSBn2NNXoqzK3TAtvnLjxfGIrLC9PxNRRG6eLbT btq08wtlqulH7pDoFxZfKX+LBgvQlIq8i+rlyx74= X-QQ-mid: bizesmtp89t1726664856tpxoq0ub X-QQ-Originating-IP: TcS6ew3UVzNulMyjCAog1ndwGNkkrzCS8uXs46wt2io= Received: from localhost.localdomain ( [113.57.152.160]) by bizesmtp.qq.com (ESMTP) with id ; Wed, 18 Sep 2024 21:07:35 +0800 (CST) X-QQ-SSF: 0000000000000000000000000000000 X-QQ-GoodBg: 1 X-BIZMAIL-ID: 13190950233677462238 From: WangYuli To: helen.koike@collabora.com, maarten.lankhorst@linux.intel.com, mripard@kernel.org, tzimmermann@suse.de, airlied@gmail.com, simona@ffwll.ch, wangyuli@uniontech.com, david.heidelberg@collabora.com Cc: dri-devel@lists.freedesktop.org, linux-kernel@vger.kernel.org, guanwentao@uniontech.com, zhanjun@uniontech.com Subject: [PATCH 1/4] drm/ci: Upgrade urllib3 requirement to 2.2.2 Date: Wed, 18 Sep 2024 21:06:40 +0800 Message-ID: X-Mailer: git-send-email 2.45.2 In-Reply-To: <20240918130725.448656-1-wangyuli@uniontech.com> References: <20240918130725.448656-1-wangyuli@uniontech.com> MIME-Version: 1.0 X-QQ-SENDSIZE: 520 Feedback-ID: bizesmtp:uniontech.com:qybglogicsvrgz:qybglogicsvrgz8a-1 X-BeenThere: dri-devel@lists.freedesktop.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: Direct Rendering Infrastructure - Development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: dri-devel-bounces@lists.freedesktop.org Sender: "dri-devel" GitHub Dependabot has issued the following alert: "build(deps): bump urllib3 from 2.0.7 to 2.2.2 in /drivers/gpu/drm/ci/xfails. When using urllib3's proxy support with, the header is only sent to the configured proxy, as expected. However, when sending HTTP requests without using urllib3's proxy support, it's possible to accidentally configure the header even though it won't have any effect as the request is not using a forwarding proxy or a tunneling proxy. In those cases, urllib3 doesn't treat the HTTP header as one carrying authentication material and thus doesn't strip the header on cross-origin redirects. Because this is a highly unlikely scenario, we believe the severity of this vulnerability is low for almost all users. Out of an abundance of caution urllib3 will automatically strip the header during cross-origin redirects to avoid the small chance that users are doing this on accident. Users should use urllib3's proxy support or disable automatic redirects to achieve safe processing of the header, but we still decided to strip the header by default in order to further protect users who aren't using the correct approach. Severity: 4.4 / 10 (Moderate) Attack vector: Network Attack complexity: High Privileges required: High User interaction: None Scope: Unchanged Confidentiality: High Integrity: None Availability: None CVE ID: CVE-2024-37891" To avoid disturbing everyone with the kernel repo hosted on GitHub, I suggest we upgrade our python dependencies once again to appease GitHub Dependabot. Link: https://github.com/dependabot Signed-off-by: WangYuli --- drivers/gpu/drm/ci/xfails/requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/gpu/drm/ci/xfails/requirements.txt b/drivers/gpu/drm/ci/xfails/requirements.txt index 5e6d48d98e4e..2fae1299e07b 100644 --- a/drivers/gpu/drm/ci/xfails/requirements.txt +++ b/drivers/gpu/drm/ci/xfails/requirements.txt @@ -13,5 +13,5 @@ ruamel.yaml==0.17.32 ruamel.yaml.clib==0.2.7 setuptools==70.0.0 tenacity==8.2.3 -urllib3==2.0.7 +urllib3==2.2.2 wheel==0.41.1 From patchwork Wed Sep 18 13:06:41 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: WangYuli X-Patchwork-Id: 13806886 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from gabe.freedesktop.org (gabe.freedesktop.org [131.252.210.177]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.lore.kernel.org (Postfix) with ESMTPS id 6B067CCD1A5 for ; Wed, 18 Sep 2024 13:08:38 +0000 (UTC) Received: from gabe.freedesktop.org (localhost [127.0.0.1]) by gabe.freedesktop.org (Postfix) with ESMTP id 0D2CC10E595; Wed, 18 Sep 2024 13:08:36 +0000 (UTC) Authentication-Results: gabe.freedesktop.org; dkim=pass (1024-bit key; unprotected) header.d=uniontech.com header.i=@uniontech.com header.b="dt4o1wiU"; dkim-atps=neutral Received: from bg5.exmail.qq.com (bg5.exmail.qq.com [43.154.155.102]) by gabe.freedesktop.org (Postfix) with ESMTPS id BC7F010E589 for ; Wed, 18 Sep 2024 13:08:33 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=uniontech.com; s=onoh2408; t=1726664867; bh=+/DdLbFCN3x83oxAHHqnPnAEM1hgWNumW7T/6E5yt74=; h=From:To:Subject:Date:Message-ID:MIME-Version; b=dt4o1wiUhZ3tWMnpE72tXyCgQjdO3z+Yl4QkqXCPMDEtbk9olTy1zbCbe3teOkefV LreOeOEwqCTHyDS/yZvDqr2tQA3PE/Jc/Y2UQi2+48NOd/xEYV2cv+f3qJJf2TAi7d u8vNliUuDq+vk9S7ViH1nacWgtger01oREJi7b7Q= X-QQ-mid: bizesmtp89t1726664860t19rzamf X-QQ-Originating-IP: 2zu9pDuYwD3Ysa5lHmxqXSm3b9oArIDcCu9nUlMvo/o= Received: from localhost.localdomain ( [113.57.152.160]) by bizesmtp.qq.com (ESMTP) with id ; Wed, 18 Sep 2024 21:07:39 +0800 (CST) X-QQ-SSF: 0000000000000000000000000000000 X-QQ-GoodBg: 1 X-BIZMAIL-ID: 14238727235013610136 From: WangYuli To: helen.koike@collabora.com, maarten.lankhorst@linux.intel.com, mripard@kernel.org, tzimmermann@suse.de, airlied@gmail.com, simona@ffwll.ch, wangyuli@uniontech.com, david.heidelberg@collabora.com Cc: dri-devel@lists.freedesktop.org, linux-kernel@vger.kernel.org, guanwentao@uniontech.com, zhanjun@uniontech.com Subject: [PATCH 2/4] drm/ci: Upgrade requests requirement to 2.32.0 Date: Wed, 18 Sep 2024 21:06:41 +0800 Message-ID: X-Mailer: git-send-email 2.45.2 In-Reply-To: <20240918130725.448656-1-wangyuli@uniontech.com> References: <20240918130725.448656-1-wangyuli@uniontech.com> MIME-Version: 1.0 X-QQ-SENDSIZE: 520 Feedback-ID: bizesmtp:uniontech.com:qybglogicsvrgz:qybglogicsvrgz8a-1 X-BeenThere: dri-devel@lists.freedesktop.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: Direct Rendering Infrastructure - Development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: dri-devel-bounces@lists.freedesktop.org Sender: "dri-devel" GitHub Dependabot has issued the following alert: "build(deps): bump requests from 2.31.0 to 2.32.2 in /drivers/gpu/drm/ci/xfails. When making requests through a Requests Session, if the first request is made with verify=False to disable cert verification, all subsequent requests to the same origin will continue to ignore cert verification regardless of changes to the value of verify. This behavior will continue for the lifecycle of the connection in the connection pool. Severity: 5.6 / 10 (Moderate) Attack vector: Local Attack complexity: High Privileges required: High User interaction: Required Scope: Unchanged Confidentiality: High Integrity: High Availability: None CVE ID: CVE-2024-35195" To avoid disturbing everyone with the kernel repo hosted on GitHub, I suggest we upgrade our python dependencies once again to appease GitHub Dependabot. Link: https://github.com/dependabot Link: https://github.com/psf/requests/pull/6655 Signed-off-by: WangYuli --- drivers/gpu/drm/ci/xfails/requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/gpu/drm/ci/xfails/requirements.txt b/drivers/gpu/drm/ci/xfails/requirements.txt index 2fae1299e07b..f69b58356a37 100644 --- a/drivers/gpu/drm/ci/xfails/requirements.txt +++ b/drivers/gpu/drm/ci/xfails/requirements.txt @@ -7,7 +7,7 @@ charset-normalizer==3.2.0 idna==3.4 pip==23.3 python-gitlab==3.15.0 -requests==2.31.0 +requests==2.32.0 requests-toolbelt==1.0.0 ruamel.yaml==0.17.32 ruamel.yaml.clib==0.2.7 From patchwork Wed Sep 18 13:06:42 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: WangYuli X-Patchwork-Id: 13806888 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from gabe.freedesktop.org (gabe.freedesktop.org [131.252.210.177]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.lore.kernel.org (Postfix) with ESMTPS id 053B0CCD1A0 for ; Wed, 18 Sep 2024 13:08:57 +0000 (UTC) Received: from gabe.freedesktop.org (localhost [127.0.0.1]) by gabe.freedesktop.org (Postfix) with ESMTP id 5D61310E23F; Wed, 18 Sep 2024 13:08:56 +0000 (UTC) Authentication-Results: gabe.freedesktop.org; dkim=pass (1024-bit key; unprotected) header.d=uniontech.com header.i=@uniontech.com header.b="SHSCL48I"; dkim-atps=neutral Received: from bg5.exmail.qq.com (bg5.exmail.qq.com [43.154.209.5]) by gabe.freedesktop.org (Postfix) with ESMTPS id BF88A10E23F for ; Wed, 18 Sep 2024 13:08:54 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=uniontech.com; s=onoh2408; t=1726664871; bh=78SgngBKZBmCahApQZmS491yViuhV7ff/MsyOqzu+jA=; h=From:To:Subject:Date:Message-ID:MIME-Version; b=SHSCL48I4fry0KXYLwQ6IBGUMO4NOYcvtMj6nuhsaxANm7vWlD13HyUIOXILaiNSE 0to+8+BDaTeCkQ6BZv/7sKFIQJBM+RH134Xhg6eF/518eY+Whw/36p5BqWsc0raeLK ExJ4Jg90+QjGrgxT1ApYD6XkZHIDpTsj7U33d4YE= X-QQ-mid: bizesmtp89t1726664864tqxrduuz X-QQ-Originating-IP: iStDSal+XfZLIbLXnFqWfb3b+vIvkE4Fj6sizXbwNow= Received: from localhost.localdomain ( [113.57.152.160]) by bizesmtp.qq.com (ESMTP) with id ; Wed, 18 Sep 2024 21:07:43 +0800 (CST) X-QQ-SSF: 0000000000000000000000000000000 X-QQ-GoodBg: 1 X-BIZMAIL-ID: 880936769017630702 From: WangYuli To: helen.koike@collabora.com, maarten.lankhorst@linux.intel.com, mripard@kernel.org, tzimmermann@suse.de, airlied@gmail.com, simona@ffwll.ch, wangyuli@uniontech.com, david.heidelberg@collabora.com Cc: dri-devel@lists.freedesktop.org, linux-kernel@vger.kernel.org, guanwentao@uniontech.com, zhanjun@uniontech.com Subject: [PATCH 3/4] drm/ci: Upgrade idna requirement to 3.7 Date: Wed, 18 Sep 2024 21:06:42 +0800 Message-ID: <72EEE7B8B5E98035+20240918130725.448656-4-wangyuli@uniontech.com> X-Mailer: git-send-email 2.45.2 In-Reply-To: <20240918130725.448656-1-wangyuli@uniontech.com> References: <20240918130725.448656-1-wangyuli@uniontech.com> MIME-Version: 1.0 X-QQ-SENDSIZE: 520 Feedback-ID: bizesmtp:uniontech.com:qybglogicsvrgz:qybglogicsvrgz8a-1 X-BeenThere: dri-devel@lists.freedesktop.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: Direct Rendering Infrastructure - Development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: dri-devel-bounces@lists.freedesktop.org Sender: "dri-devel" GitHub Dependabot has issued the following alert: "build(deps): bump idna from 3.4 to 3.7 in /drivers/gpu/drm/ci/xfails. A specially crafted argument to the function could consume significant resources. This may lead to a denial-of-service. The function has been refined to reject such strings without the associated resource consumption in version 3.7. Severity: 6.9 / 10 (Moderate) Attack vector: Local Attack complexity: Low Attack Requirements: None Privileges required: None User interaction: None Confidentiality: None Integrity: None Availability: High CVE ID: CVE-2024-3651" To avoid disturbing everyone with the kernel repo hosted on GitHub, I suggest we upgrade our python dependencies once again to appease GitHub Dependabot. Link: https://github.com/dependabot Link: https://huntr.com/bounties/93d78d07-d791-4b39-a845-cbfabc44aadb Signed-off-by: WangYuli --- drivers/gpu/drm/ci/xfails/requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/gpu/drm/ci/xfails/requirements.txt b/drivers/gpu/drm/ci/xfails/requirements.txt index f69b58356a37..8b2b1fa16614 100644 --- a/drivers/gpu/drm/ci/xfails/requirements.txt +++ b/drivers/gpu/drm/ci/xfails/requirements.txt @@ -4,7 +4,7 @@ termcolor==2.3.0 # ci-collate dependencies certifi==2023.7.22 charset-normalizer==3.2.0 -idna==3.4 +idna==3.7 pip==23.3 python-gitlab==3.15.0 requests==2.32.0 From patchwork Wed Sep 18 13:06:43 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: WangYuli X-Patchwork-Id: 13806884 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from gabe.freedesktop.org (gabe.freedesktop.org [131.252.210.177]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.lore.kernel.org (Postfix) with ESMTPS id A6A92CCD1A3 for ; Wed, 18 Sep 2024 13:08:33 +0000 (UTC) Received: from gabe.freedesktop.org (localhost [127.0.0.1]) by gabe.freedesktop.org (Postfix) with ESMTP id 238C710E08E; Wed, 18 Sep 2024 13:08:33 +0000 (UTC) Authentication-Results: gabe.freedesktop.org; dkim=pass (1024-bit key; unprotected) header.d=uniontech.com header.i=@uniontech.com header.b="FzBdbOii"; dkim-atps=neutral Received: from smtpbgbr2.qq.com (smtpbgbr2.qq.com [54.207.22.56]) by gabe.freedesktop.org (Postfix) with ESMTPS id C120910E08E for ; Wed, 18 Sep 2024 13:08:29 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=uniontech.com; s=onoh2408; t=1726664874; bh=RC2PbTe+FDm7zLc+8APOYm4+AzjmOpO3efPzB4XXvWM=; h=From:To:Subject:Date:Message-ID:MIME-Version; b=FzBdbOiilkJwj0ApJOLj95MVze6c/rgUs3RyXYHpBsKE79oFMU0d1adYkLSrQQYfv abDrsXeyn1cs52N2zpOfNLvJg1wQIXQgmhJ6GvevdzsQtvvBkVnMUdsv+25+1aT3hB rZMdXtQ8v72xs2FqrIfaaQPidpdaovPVY5SbkMbo= X-QQ-mid: bizesmtp89t1726664868tv5pwabb X-QQ-Originating-IP: 9lq6EIop9cgRFN5fQlSY/DQxz5cESd8ppts3gi20zuk= Received: from localhost.localdomain ( [113.57.152.160]) by bizesmtp.qq.com (ESMTP) with id ; Wed, 18 Sep 2024 21:07:47 +0800 (CST) X-QQ-SSF: 0000000000000000000000000000000 X-QQ-GoodBg: 1 X-BIZMAIL-ID: 5552265885235446597 From: WangYuli To: helen.koike@collabora.com, maarten.lankhorst@linux.intel.com, mripard@kernel.org, tzimmermann@suse.de, airlied@gmail.com, simona@ffwll.ch, wangyuli@uniontech.com, david.heidelberg@collabora.com Cc: dri-devel@lists.freedesktop.org, linux-kernel@vger.kernel.org, guanwentao@uniontech.com, zhanjun@uniontech.com Subject: [PATCH 4/4] drm/ci: Upgrade certifi requirement to 2024.07.04 Date: Wed, 18 Sep 2024 21:06:43 +0800 Message-ID: X-Mailer: git-send-email 2.45.2 In-Reply-To: <20240918130725.448656-1-wangyuli@uniontech.com> References: <20240918130725.448656-1-wangyuli@uniontech.com> MIME-Version: 1.0 X-QQ-SENDSIZE: 520 Feedback-ID: bizesmtp:uniontech.com:qybglogicsvrgz:qybglogicsvrgz8a-1 X-BeenThere: dri-devel@lists.freedesktop.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: Direct Rendering Infrastructure - Development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: dri-devel-bounces@lists.freedesktop.org Sender: "dri-devel" GitHub Dependabot has issued the following alert: "build(deps): bump certifi from 2023.7.22 to 2024.7.4 in /drivers/gpu/drm/ci/xfails. Certifi 2024.07.04 removes root certificates from "GLOBALTRUST" from the root store. These are in the process of being removed from Mozilla's trust store. GLOBALTRUST's root certificates are being removed pursuant to an investigation which identified "long-running and unresolved compliance issues". Severity: Low CVE ID: CVE-2024-39689" To avoid disturbing everyone with the kernel repo hosted on GitHub, I suggest we upgrade our python dependencies once again to appease GitHub Dependabot. Link: https://github.com/dependabot Link: https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/XpknYMPO8dI Signed-off-by: WangYuli --- drivers/gpu/drm/ci/xfails/requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/gpu/drm/ci/xfails/requirements.txt b/drivers/gpu/drm/ci/xfails/requirements.txt index 8b2b1fa16614..4f7ac688d448 100644 --- a/drivers/gpu/drm/ci/xfails/requirements.txt +++ b/drivers/gpu/drm/ci/xfails/requirements.txt @@ -2,7 +2,7 @@ git+https://gitlab.freedesktop.org/gfx-ci/ci-collate@09e7142715c16f54344ddf97013 termcolor==2.3.0 # ci-collate dependencies -certifi==2023.7.22 +certifi==2024.07.04 charset-normalizer==3.2.0 idna==3.7 pip==23.3