openstack/ironic
Code Issues Proposed changes

update Jinja2 to address CVE-2024-2383

Browse Source 
Details: https://nvd.nist.gov/vuln/detail/cve-2024-2383
More details found at: https://nvd.nist.gov/vuln/detail/CVE-2024-34064

Change-Id: Id2aafa40594f9cb6518983136ec5c25d4ef1682d
Signed-off-by: Chris Krelle <ckrelle@nvidia.com>
This commit is contained in:
Chris Krelle
2025-07-01 10:47:05 -07:00
parent d4b2ce44fc
commit 5b4bce7c8b
3 changed files with 7 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
ironic/common/pxe_utils.py
View File

@@ -1164,7 +1164,7 @@ def validate_kickstart_template(ks_template):
msg = (_("The kickstart template includes a variable that is not " msg = (_("The kickstart template includes a variable that is not "
"a valid kickstart option. Rendering the template returned " "a valid kickstart option. Rendering the template returned "
" %(msg)s. The valid options are %(valid_options)s.") % " %(msg)s. The valid options are %(valid_options)s.") %
{'msg': exc.message, {'msg': exc,
'valid_options': ','.join(ks_options.keys())}) 'valid_options': ','.join(ks_options.keys())})
raise exception.InvalidKickstartTemplate(msg) raise exception.InvalidKickstartTemplate(msg)

5
releasenotes/notes/address-CVE-2023-34064-f78745eab4f3d466.yaml Normal file
View File

@@ -0,0 +1,5 @@
---
security:
- |
Update jinja2 to 3.1.6 in requirements to address CVE-2023-34064.
Single location in code updated to work with new jinja2 version.

2
requirements.txt
View File

@@ -30,7 +30,7 @@ pycdlib>=1.11.0 # LGPLv2
requests>=2.18.0 # Apache-2.0 requests>=2.18.0 # Apache-2.0
rfc3986>=1.2.0 # Apache-2.0 rfc3986>=1.2.0 # Apache-2.0
jsonpatch>=1.16 # BSD jsonpatch>=1.16 # BSD
Jinja2>=3.0.0 # BSD License (3 clause) Jinja2>=3.1.6 # BSD License (3 clause)
keystonemiddleware>=9.5.0 # Apache-2.0 keystonemiddleware>=9.5.0 # Apache-2.0
oslo.messaging>=14.1.0 # Apache-2.0 oslo.messaging>=14.1.0 # Apache-2.0
tenacity>=6.3.1 # Apache-2.0 tenacity>=6.3.1 # Apache-2.0