From 23687bea794a18ff594658e9006457bff7b4a752 Mon Sep 17 00:00:00 2001
From: Owen Jacobson <owen@grimoire.ca>
Date: Wed, 20 May 2020 23:20:18 -0400
Subject: Upgrade vulnerable packages.

* Jinja2: CVE-2019-10906
  In Pallets Jinja before 2.10.1, str.format_map allows a sandbox escape.

* urllib3: CVE-2019-11324
  The urllib3 library before 1.24.2 for Python mishandles certain cases where
  the desired set of CA certificates is different from the OS store of CA
  certificates, which results in SSL connections succeeding in situations where
  a verification failure is the correct outcome. This is related to use of the
  ssl_context, ca_certs, or ca_certs_dir argument.

  * requests: upgraded as it depends on urllib and restricts versions.

* werkzeug: CVE-2019-14806
  Pallets Werkzeug before 0.15.3, when used with Docker, has insufficient
  debugger PIN randomness because Docker containers share the same machine id.

* gunicorn: No CVE, just good hygiene.
---
 requirements.txt | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/requirements.txt b/requirements.txt
index b67393b..0519062 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -6,13 +6,13 @@ coreschema==0.0.4
 gunicorn==19.7.1
 idna==2.6
 itypes==1.1.0
-Jinja2==2.9.6
+Jinja2==2.11.2
 MarkupSafe==1.0
 py==1.4.34
 pytest==3.2.3
 PyYAML==4.2b4
-requests==2.21.0
+requests==2.23.0
 uritemplate==3.0.0
-urllib3==1.24.1
-Werkzeug==0.12.2
+urllib3==1.25.9
+Werkzeug==1.0.1
 whitenoise==3.3.1
-- 
cgit v1.2.3