update Jinja2 to address CVE-2024-2383

Details: https://nvd.nist.gov/vuln/detail/cve-2024-2383 More details found at: https://nvd.nist.gov/vuln/detail/CVE-2024-34064 Change-Id: Id2aafa40594f9cb6518983136ec5c25d4ef1682d Signed-off-by: Chris Krelle <ckrelle@nvidia.com>
2025-07-01 10:47:05 -07:00
parent d4b2ce44fc
commit 5b4bce7c8b
3 changed files with 7 additions and 2 deletions
--- a/ironic/common/pxe_utils.py
+++ b/ironic/common/pxe_utils.py
@@ -1164,7 +1164,7 @@ def validate_kickstart_template(ks_template):
        msg = (_("The kickstart template includes a variable that is not "
                 "a valid kickstart option. Rendering the template returned "
                 " %(msg)s. The valid options are %(valid_options)s.") %
-               {'msg': exc.message,
+               {'msg': exc,
                'valid_options': ','.join(ks_options.keys())})
        raise exception.InvalidKickstartTemplate(msg)

--- a/releasenotes/notes/address-CVE-2023-34064-f78745eab4f3d466.yaml
+++ b/releasenotes/notes/address-CVE-2023-34064-f78745eab4f3d466.yaml
@@ -0,0 +1,5 @@
+---
+security:
+  - |
+    Update jinja2 to 3.1.6 in requirements to address CVE-2023-34064.
+    Single location in code updated to work with new jinja2 version.
--- a/requirements.txt
+++ b/requirements.txt
@@ -30,7 +30,7 @@ pycdlib>=1.11.0 # LGPLv2
 requests>=2.18.0 # Apache-2.0
 rfc3986>=1.2.0 # Apache-2.0
 jsonpatch>=1.16 # BSD
-Jinja2>=3.0.0 # BSD License (3 clause)
+Jinja2>=3.1.6 # BSD License (3 clause)
 keystonemiddleware>=9.5.0 # Apache-2.0
 oslo.messaging>=14.1.0 # Apache-2.0
 tenacity>=6.3.1  # Apache-2.0