From 5b4bce7c8b2ffb0ad8da44ba438e60fb3ca3e598 Mon Sep 17 00:00:00 2001
From: Chris Krelle
Date: Tue, 1 Jul 2025 10:47:05 -0700
Subject: [PATCH] update Jinja2 to address CVE-2024-2383

Details: https://nvd.nist.gov/vuln/detail/cve-2024-2383
More details found at: https://nvd.nist.gov/vuln/detail/CVE-2024-34064

Change-Id: Id2aafa40594f9cb6518983136ec5c25d4ef1682d
Signed-off-by: Chris Krelle
---
 ironic/common/pxe_utils.py | 2 +-
 .../notes/address-CVE-2023-34064-f78745eab4f3d466.yaml | 5 +++++
 requirements.txt | 2 +-
 3 files changed, 7 insertions(+), 2 deletions(-)
 create mode 100644 releasenotes/notes/address-CVE-2023-34064-f78745eab4f3d466.yaml
diff --git a/ironic/common/pxe_utils.py b/ironic/common/pxe_utils.py
index b6c3a11d1b..b8ddf66fc6 100644
--- a/ironic/common/pxe_utils.py
+++ b/ironic/common/pxe_utils.py
@@ -1164,7 +1164,7 @@ def validate_kickstart_template(ks_template):
 msg = (_("The kickstart template includes a variable that is not "
 "a valid kickstart option. Rendering the template returned "
 " %(msg)s. The valid options are %(valid_options)s.") %
- {'msg': exc.message,
+ {'msg': exc,
 'valid_options': ','.join(ks_options.keys())})
 raise exception.InvalidKickstartTemplate(msg)
diff --git a/releasenotes/notes/address-CVE-2023-34064-f78745eab4f3d466.yaml b/releasenotes/notes/address-CVE-2023-34064-f78745eab4f3d466.yaml
new file mode 100644
index 0000000000..e9645e1e5f
--- /dev/null
+++ b/releasenotes/notes/address-CVE-2023-34064-f78745eab4f3d466.yaml
@@ -0,0 +1,5 @@
+---
+security:
+ - |
+ Update jinja2 to 3.1.6 in requirements to address CVE-2023-34064.
+ Single location in code updated to work with new jinja2 version.
diff --git a/requirements.txt b/requirements.txt
index c1a6b7ca08..d18249b4e7 100644
--- a/requirements.txt
+++ b/requirements.txt
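Review bot: The replacement of `exc.message` with `exc` in the `%(msg)s` substitution carries no comment explaining why the attribute access had to go, and the commit record only says the location was "updated to work with new jinja2 version"; a short why-comment on the changed line, such as `# format the exception object itself (str(exc)); do not rely on .message under the Jinja2 >= 3.1.6 pin`, would keep a later cleanup from reverting it. Because `%s` formatting calls `str(exc)`, the rendered text is presumably the same message the old attribute produced, but if a unit test covers the `InvalidKickstartTemplate` branch it should assert on the rendered message under the bumped pin rather than only on the exception type. Separately, this change names three different identifiers — CVE-2024-2383 in the subject, CVE-2024-34064 in the second reference link, and CVE-2023-34064 in the release note and its filename — which should be reconciled so the security release note is traceable to the advisory actually addressed by the `Jinja2>=3.1.6` pin. `validate_kickstart_template` begins before this hunk and may continue after it.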
@@ -30,7 +30,7 @@ pycdlib>=1.11.0 # LGPLv2
 requests>=2.18.0 # Apache-2.0
 rfc3986>=1.2.0 # Apache-2.0
 jsonpatch>=1.16 # BSD
-Jinja2>=3.0.0 # BSD License (3 clause)
+Jinja2>=3.1.6 # BSD License (3 clause)
 keystonemiddleware>=9.5.0 # Apache-2.0
 oslo.messaging>=14.1.0 # Apache-2.0
 tenacity>=6.3.1 # Apache-2.0