Bump the pip group with 15 updates

[dependabot]

Updates the requirements on snowflake-connector-python, flask, jinja2, httplib2, pyyaml, requests, sqlparse, gunicorn, restrictedpython, pysaml2, sentry-sdk, pyjwt, cryptography, gevent and werkzeug to permit the latest version.
Updates snowflake-connector-python from 2.1.3 to 3.0.2

Release notes

Sourced from snowflake-connector-python's releases.

Release

New Features

• Improved logging to mask tokens in case of errors.
• Validate SSO URL before opening it in the browser for External browser authenticator.

Bug Fixes

• Fixed a memory leak in the logging module of the Cython extension.
• Fixed a bug where the put command on AWS raised AttributeError when uploading file composed of multiple parts.
• Fixed a bug of incorrect type hints of SnowflakeCursor.fetch_arrow_all and SnowflakeCursor.fetchall.
• Fixed a bug where snowflake.connector.util_text.split_statements swallows the final line break in the case when there are no space between lines.

Please check our community page for release notes.

Release

New Features

• Improved the robustness of OCSP response caching to handle errors in cases of serialization and deserialization.
• Replaced the dependency on setuptools in favor of packaging.
• Updated async_executes method's doc-string.
• Errors raised now have a query field that contains the SQL query that caused them when available.

Bug Fixes

• Fixed a bug where AuthByKeyPair.handle_timeout should pass keyword arguments instead of positional arguments when calling AuthByKeyPair.prepare.
• Fixed a bug where MFA token caching would refuse to work until restarted instead of reauthenticating. Please check our community page for release notes.

Release

Behavior Changes

• Fixed a bug where write_pandas did not use user-specified schemas and databases to create intermediate objects

New Features and Updates

• Bumped pyarrow dependency from >=8.0.0,=10.0.1,<10.1.0
• Bumped pyOpenSSL dependency from <23.0.0 to <24.0.0
• During browser-based authentication, the SSO url is now printed before opening it in the browser
• Increased the level of a log for when ArrowResult cannot be imported
• Added a minimum MacOS version check when compiling C-extensions

Bug Fixes

• Fixed a bug where the HTTP 429 response code was not retried
• Fixed a bug where MFA token caching was not working

Please check our community page for release notes.

... (truncated)

Commits

• eda6206 SNOW-764946: 3.0.2 release notes (#1483)
• 1cdbd3b SNOW-761004 Added URL Validator and URL escaping of strings (#1480)
• 4b1d474 SNOW-749141: Fix uploading a file > 200M when the same filename already exist...
• 0894b78 SNOW-761991 Update license header to 2023 (#1481)
• 9008e2c SNOW-761669: fix memory leak in c logging (#1479)
• 1b437d5 SNOW-756525 Add changelog check in CI (#1476)
• 277d744 SNOW-733718 Fix remove_comments when comments are at end of line (#1474)
• f0a38d9 SNOW-756460 Remove description in stale_issue_bot.yml (#1469)
• ed4dbdd SNOW-756460 Add close stale issue action (#1468)
• 372286a SNOW-754180 Update feature requests to include a needs triage label (#1467)
• Additional commits viewable in compare view

Updates flask from 1.1.1 to 2.2.5

Release notes

Sourced from flask's releases.

2.2.5

This is a security fix release for the 2.2.x release branch. Note that 2.3.x is the currently supported release branch; please upgrade to the latest version if possible.

• Security advisory: GHSA-m2qf-hxjv-5gpq, CVE-2023-30861
• Changes: https://flask.palletsprojects.com/en/2.2.x/changes/#version-2-2-5
• Milestone: https://github.com/pallets/flask/milestone/30?closed=1

2.2.4

This is a fix release for the 2.2.x release branch.

• Changes: https://flask.palletsprojects.com/en/2.2.x/changes/#version-2-2-4
• Milestone: https://github.com/pallets/flask/milestone/27?closed=1

2.2.3

This is a fix release for the 2.2.x release branch.

• Changes: https://flask.palletsprojects.com/en/2.2.x/changes/#version-2-2-3
• Milestone: https://github.com/pallets/flask/milestone/26?closed=1

2.2.2

This is a fix release for the 2.2.0 feature release.

• Changes: https://flask.palletsprojects.com/en/2.2.x/changes/#version-2-2-2
• Milestone: https://github.com/pallets/flask/milestone/25?closed=1

2.2.1

This is a fix release for the 2.2.0 feature release.

• Changes: https://flask.palletsprojects.com/en/2.2.x/changes/#version-2-2-1
• Milestone: https://github.com/pallets/flask/milestone/23?closed=1

2.2.0

This is a feature release, which includes new features and removes previously deprecated code. The 2.2.x branch is now the supported bug fix branch, the 2.1.x branch will become a tag marking the end of support for that branch. We encourage everyone to upgrade, and to use a tool such as pip-tools to pin all dependencies and control upgrades.

• Changes: https://flask.palletsprojects.com/en/2.2.x/changes/#version-2-2-0
• Milestone: https://github.com/pallets/flask/milestone/19?closed=1

2.1.3

• Changes: https://flask.palletsprojects.com/en/2.1.x/changes/#version-2-1-3
• Milestone: https://github.com/pallets/flask/milestone/22?closed=1

2.1.2

This is a fix release for the 2.1.0 feature release.

• Changes: https://flask.palletsprojects.com/en/2.1.x/changes/#version-2-1-2
• Milestone: https://github.com/pallets/flask/milestone/21?closed=1

2.1.1

This is a fix release for the 2.1.0 feature release.

... (truncated)

Changelog

Sourced from flask's changelog.

Version 2.2.5

Released 2023-05-02

• Update for compatibility with Werkzeug 2.3.3.
• Set Vary: Cookie header when the session is accessed, modified, or refreshed.

Version 2.2.4

Released 2023-04-25

• Update for compatibility with Werkzeug 2.3.

Version 2.2.3

Released 2023-02-15

• Autoescape is enabled by default for .svg template files. :issue:4831
• Fix the type of template_folder to accept pathlib.Path. :issue:4892
• Add --debug option to the flask run command. :issue:4777

Version 2.2.2

Released 2022-08-08

• Update Werkzeug dependency to >= 2.2.2. This includes fixes related to the new faster router, header parsing, and the development server. :pr:4754
• Fix the default value for app.env to be "production". This attribute remains deprecated. :issue:4740

Version 2.2.1

Released 2022-08-03

• Setting or accessing json_encoder or json_decoder raises a deprecation warning. :issue:4732

Version 2.2.0

... (truncated)

Commits

• 47af817 release version 2.2.5
• afd63b1 Merge pull request #5109 from pallets/backport-vary-cookie
• 8646edc set Vary: Cookie header consistently for session
• a6367da Merge pull request #5108 from pallets/werkzeug-compat
• 3fbfbad werkzeug 2.3.3 compatibility
• 726d3f4 start version 2.2.5
• ddc7acc Merge pull request #5081 from pallets/release-2.2.4
• 74e0329 release version 2.2.4
• 2d46068 update dev env
• 64bc458 update dev dependencies
• Additional commits viewable in compare view

Updates jinja2 from 2.10.3 to 3.1.4

Release notes

Sourced from jinja2's releases.

3.1.4

This is the Jinja 3.1.4 security release, which fixes security issues and bugs but does not otherwise change behavior and should not result in breaking changes.

PyPI: https://pypi.org/project/Jinja2/3.1.4/ Changes: https://jinja.palletsprojects.com/en/3.1.x/changes/#version-3-1-4

• The xmlattr filter does not allow keys with / solidus, > greater-than sign, or = equals sign, in addition to disallowing spaces. Regardless of any validation done by Jinja, user input should never be used as keys to this filter, or must be separately validated first. GHSA-h75v-3vvj-5mfj

3.1.3

This is a fix release for the 3.1.x feature branch.

• Fix for GHSA-h5c8-rqwp-cp95. You are affected if you are using xmlattr and passing user input as attribute keys.
• Changes: https://jinja.palletsprojects.com/en/3.1.x/changes/#version-3-1-3
• Milestone: https://github.com/pallets/jinja/milestone/15?closed=1

3.1.2

This is a fix release for the 3.1.0 feature release.

• Changes: https://jinja.palletsprojects.com/en/3.1.x/changes/#version-3-1-2
• Milestone: https://github.com/pallets/jinja/milestone/13?closed=1

3.1.1

• Changes: https://jinja.palletsprojects.com/en/3.1.x/changes/#version-3-1-1
• Milestone: https://github.com/pallets/jinja/milestone/12?closed=1

3.1.0

This is a feature release, which includes new features and removes previously deprecated features. The 3.1.x branch is now the supported bugfix branch, the 3.0.x branch has become a tag marking the end of support for that branch. We encourage everyone to upgrade, and to use a tool such as pip-tools to pin all dependencies and control upgrades. We also encourage upgrading to MarkupSafe 2.1.1, the latest version at this time.

• Changes: https://jinja.palletsprojects.com/en/3.1.x/changes/#version-3-1-0
• Milestone: https://github.com/pallets/jinja/milestone/8?closed=1
• MarkupSafe changes: https://markupsafe.palletsprojects.com/en/2.1.x/changes/#version-2-1-1

3.0.3

• Changes: https://jinja.palletsprojects.com/en/3.0.x/changes/#version-3-0-3

3.0.2

• Changes: https://jinja.palletsprojects.com/en/3.0.x/changes/#version-3-0-2

3.0.1

• Changes: https://jinja.palletsprojects.com/en/3.0.x/changes/#version-3-0-1

3.0.0

New major versions of all the core Pallets libraries, including Jinja 3.0, have been released! 🎉

• Read the announcement on our blog: https://palletsprojects.com/blog/flask-2-0-released/
• Read the full list of changes: https://jinja.palletsprojects.com/changes/#version-3-0-0
• Retweet the announcement on Twitter: https://twitter.com/PalletsTeam/status/1392266507296514048
• Follow our blog, Twitter, or GitHub to see future announcements.

This represents a significant amount of work, and there are quite a few changes. Be sure to carefully read the changelog, and use tools such as pip-compile and Dependabot to pin your dependencies and control your updates.

... (truncated)

Changelog

Sourced from jinja2's changelog.

Version 3.1.4

Released 2024-05-05

• The xmlattr filter does not allow keys with / solidus, > greater-than sign, or = equals sign, in addition to disallowing spaces. Regardless of any validation done by Jinja, user input should never be used as keys to this filter, or must be separately validated first. :ghsa:h75v-3vvj-5mfj

Version 3.1.3

Released 2024-01-10

• Fix compiler error when checking if required blocks in parent templates are empty. :pr:1858
• xmlattr filter does not allow keys with spaces. :ghsa:h5c8-rqwp-cp95
• Make error messages stemming from invalid nesting of {% trans %} blocks more helpful. :pr:1918

Version 3.1.2

Released 2022-04-28

• Add parameters to Environment.overlay to match __init__. :issue:1645
• Handle race condition in FileSystemBytecodeCache. :issue:1654

Version 3.1.1

Released 2022-03-25

• The template filename on Windows uses the primary path separator. :issue:1637

Version 3.1.0

Released 2022-03-24

• Drop support for Python 3.6. :pr:1534
• Remove previously deprecated code. :pr:1544

... (truncated)

Commits

• dd4a8b5 release version 3.1.4
• 0668239 Merge pull request from GHSA-h75v-3vvj-5mfj
• d655030 disallow invalid characters in keys to xmlattr filter
• a7863ba add ghsa links
• b5c98e7 start version 3.1.4
• da3a9f0 update project files (#1968)
• 0ee5eb4 satisfy formatter, linter, and strict mypy
• 20477c6 update project files (#5457)
• e491223 update pyyaml dev dependency
• 36f9885 fix pr link
• Additional commits viewable in compare view

Updates httplib2 from 0.14.0 to 0.19.0

Changelog

Sourced from httplib2's changelog.

0.19.0

auth: parse headers using pyparsing instead of regexp httplib2/httplib2#182

auth: WSSE token needs to be string not bytes httplib2/httplib2#179

0.18.1

explicit build-backend workaround for pip build isolation bug "AttributeError: 'module' object has no attribute 'legacy'" on pip install httplib2/httplib2#169

0.18.0

IMPORTANT security vulnerability CWE-93 CRLF injection Force %xx quote of space, CR, LF characters in uri. Special thanks to Recar https://github.com/Ciyfly for discrete notification. https://cwe.mitre.org/data/definitions/93.html

0.17.4

Ship test suite in source dist httplib2/httplib2#168

0.17.3

IronPython2.7: relative import iri2uri fixes ImportError httplib2/httplib2#163

0.17.2

python3 + debug + IPv6 disabled: https raised "IndexError: Replacement index 1 out of range for positional args tuple" httplib2/httplib2#161

0.17.1

python3: no_proxy was not checked with https httplib2/httplib2#160

0.17.0

feature: Http().redirect_codes set, works after follow(_all)_redirects check This allows one line workaround for old gcloud library that uses 308 response without redirect semantics. httplib2/httplib2#156

0.16.0

... (truncated)

Commits

• 81e80d0 v0.19.0 release
• c3aed1e fix release script, interactive part
• bd9ee25 parse auth headers using pyparsing instead of regexp
• 33090ab initial fuzz testing integration with OSS-Fuzz
• 595e248 auth: WSSE token needs to be string not bytes
• 9bf300c v0.18.1 release
• cb2940a explicit build-backend workaround pip build isolation bug 6264
• 94f48ef check-manifest build tool
• 828c26d Security Policy
• 8373177 v0.18.0 release
• Additional commits viewable in compare view

Updates pyyaml from 5.1.2 to 5.4

Changelog

Sourced from pyyaml's changelog.

5.4 (2021-01-19)

• yaml/pyyaml#407 -- Build modernization, remove distutils, fix metadata, build wheels, CI to GHA
• yaml/pyyaml#472 -- Fix for CVE-2020-14343, moves arbitrary python tags to UnsafeLoader
• yaml/pyyaml#441 -- Fix memory leak in implicit resolver setup
• yaml/pyyaml#392 -- Fix py2 copy support for timezone objects
• yaml/pyyaml#378 -- Fix compatibility with Jython

5.3.1 (2020-03-18)

• yaml/pyyaml#386 -- Prevents arbitrary code execution during python/object/new constructor

5.3 (2020-01-06)

• yaml/pyyaml#290 -- Use is instead of equality for comparing with None
• yaml/pyyaml#270 -- Fix typos and stylistic nit
• yaml/pyyaml#309 -- Fix up small typo
• yaml/pyyaml#161 -- Fix handling of slots
• yaml/pyyaml#358 -- Allow calling add_multi_constructor with None
• yaml/pyyaml#285 -- Add use of safe_load() function in README
• yaml/pyyaml#351 -- Fix reader for Unicode code points over 0xFFFF
• yaml/pyyaml#360 -- Enable certain unicode tests when maxunicode not > 0xffff
• yaml/pyyaml#359 -- Use full_load in yaml-highlight example
• yaml/pyyaml#244 -- Document that PyYAML is implemented with Cython
• yaml/pyyaml#329 -- Fix for Python 3.10
• yaml/pyyaml#310 -- Increase size of index, line, and column fields
• yaml/pyyaml#260 -- Remove some unused imports
• yaml/pyyaml#163 -- Create timezone-aware datetimes when parsed as such
• yaml/pyyaml#363 -- Add tests for timezone

5.2 (2019-12-02)

• Repair incompatibilities introduced with 5.1. The default Loader was changed, but several methods like add_constructor still used the old default yaml/pyyaml#279 -- A more flexible fix for custom tag constructors yaml/pyyaml#287 -- Change default loader for yaml.add_constructor yaml/pyyaml#305 -- Change default loader for add_implicit_resolver, add_path_resolver
• Make FullLoader safer by removing python/object/apply from the default FullLoader yaml/pyyaml#347 -- Move constructor for object/apply to UnsafeConstructor
• Fix bug introduced in 5.1 where quoting went wrong on systems with sys.maxunicode <= 0xffff yaml/pyyaml#276 -- Fix logic for quoting special characters
• Other PRs: yaml/pyyaml#280 -- Update CHANGES for 5.1

Commits

• 58d0cb7 5.4 release
• a60f7a1 Fix compatibility with Jython
• ee98abd Run CI on PR base branch changes
• ddf2033 constructor.timezone: _copy & deepcopy
• fc914d5 Avoid repeatedly appending to yaml_implicit_resolvers
• a001f27 Fix for CVE-2020-14343
• fe15062 Add 3.9 to appveyor file for completeness sake
• 1e1c7fb Add a newline character to end of pyproject.toml
• 0b6b7d6 Start sentences and phrases for capital letters
• c976915 Shell code improvements
• Additional commits viewable in compare view

Updates requests from 2.21.0 to 2.32.2

Release notes

Sourced from requests's releases.

v2.32.2

2.32.2 (2024-05-21)

Deprecations

• To provide a more stable migration for custom HTTPAdapters impacted by the CVE changes in 2.32.0, we've renamed _get_connection to a new public API, get_connection_with_tls_context. Existing custom HTTPAdapters will need to migrate their code to use this new API. get_connection is considered deprecated in all versions of Requests>=2.32.0.

  A minimal (2-line) example has been provided in the linked PR to ease migration, but we strongly urge users to evaluate if their custom adapter is subject to the same issue described in CVE-2024-35195. (#6710)

v2.32.1

2.32.1 (2024-05-20)

Bugfixes

• Add missing test certs to the sdist distributed on PyPI.

v2.32.0

2.32.0 (2024-05-20)

🐍 PYCON US 2024 EDITION 🐍

Security

• Fixed an issue where setting verify=False on the first request from a Session will cause subsequent requests to the same origin to also ignore cert verification, regardless of the value of verify. (GHSA-9wx4-h78v-vm56)

Improvements

• verify=True now reuses a global SSLContext which should improve request time variance between first and subsequent requests. It should also minimize certificate load time on Windows systems when using a Python version built with OpenSSL 3.x. (#6667)
• Requests now supports optional use of character detection (chardet or charset_normalizer) when repackaged or vendored. This enables pip and other projects to minimize their vendoring surface area. The Response.text() and apparent_encoding APIs will default to utf-8 if neither library is present. (#6702)

Bugfixes

• Fixed bug in length detection where emoji length was incorrectly calculated in the request content-length. (#6589)
• Fixed deserialization bug in JSONDecodeError. (#6629)
• Fixed bug where an extra leading / (path separator) could lead urllib3 to unnecessarily reparse the request URI. (#6644)

... (truncated)

Changelog

Sourced from requests's changelog.

2.32.2 (2024-05-21)

Deprecations

• To provide a more stable migration for custom HTTPAdapters impacted by the CVE changes in 2.32.0, we've renamed _get_connection to a new public API, get_connection_with_tls_context. Existing custom HTTPAdapters will need to migrate their code to use this new API. get_connection is considered deprecated in all versions of Requests>=2.32.0.

  A minimal (2-line) example has been provided in the linked PR to ease migration, but we strongly urge users to evaluate if their custom adapter is subject to the same issue described in CVE-2024-35195. (#6710)

2.32.1 (2024-05-20)

Bugfixes

• Add missing test certs to the sdist distributed on PyPI.

2.32.0 (2024-05-20)

Security

• Fixed an issue where setting verify=False on the first request from a Session will cause subsequent requests to the same origin to also ignore cert verification, regardless of the value of verify. (GHSA-9wx4-h78v-vm56)

Improvements

• verify=True now reuses a global SSLContext which should improve request time variance between first and subsequent requests. It should also minimize certificate load time on Windows systems when using a Python version built with OpenSSL 3.x. (#6667)
• Requests now supports optional use of character detection (chardet or charset_normalizer) when repackaged or vendored. This enables pip and other projects to minimize their vendoring surface area. The Response.text() and apparent_encoding APIs will default to utf-8 if neither library is present. (#6702)

Bugfixes

• Fixed bug in length detection where emoji length was incorrectly calculated in the request content-length. (#6589)
• Fixed deserialization bug in JSONDecodeError. (#6629)
• Fixed bug where an extra leading / (path separator) could lead urllib3 to unnecessarily reparse the request URI. (#6644)

Deprecations

... (truncated)

Commits

• 88dce9d v2.32.2
• c98e4d1 Merge pull request #6710 from nateprewitt/api_rename
• 92075b3 Add deprecation warning
• aa1461b Move _get_connection to get_connection_with_tls_context
• 970e8ce v2.32.1
• d6ebc4a v2.32.0
• 9a40d12 Avoid reloading root certificates to improve concurrent performance (#6667)
• 0c030f7 Merge pull request #6702 from nateprewitt/no_char_detection
• 555b870 Allow character detection dependencies to be optional in post-packaging steps
• d6dded3 Merge pull request #6700 from franekmagiera/update-redirect-to-invalid-uri-test
• Additional commits viewable in compare view

Updates sqlparse from 0.3.0 to 0.5.0

Changelog

Sourced from sqlparse's changelog.

Release 0.5.0 (Apr 13, 2024)

Notable Changes

• Drop support for Python 3.5, 3.6, and 3.7.
• Python 3.12 is now supported (pr725, by hugovk).
• IMPORTANT: Fixes a potential denial of service attack (DOS) due to recursion error for deeply nested statements. Instead of recursion error a generic SQLParseError is raised. See the security advisory for details: GHSA-2m57-hf25-phgg The vulnerability was discovered by @​uriyay-jfrog. Thanks for reporting!

Enhancements

• Splitting statements now allows to remove the semicolon at the end. Some database backends love statements without semicolon (issue742).
• Support TypedLiterals in get_parameters (pr749, by Khrol).
• Improve splitting of Transact SQL when using GO keyword (issue762).
• Support for some JSON operators (issue682).
• Improve formatting of statements containing JSON operators (issue542).
• Support for BigQuery and Snowflake keywords (pr699, by griffatrasgo).
• Support parsing of OVER clause (issue701, pr768 by r33s3n6).

Bug Fixes

• Ignore dunder attributes when creating Tokens (issue672).
• Allow operators to precede dollar-quoted strings (issue763).
• Fix parsing of nested order clauses (issue745, pr746 by john-bodley).
• Thread-safe initialization of Lexer class (issue730).
• Classify TRUNCATE as DDL and GRANT/REVOKE as DCL keywords (based on pr719 by josuc1, thanks for bringing this up!).
• Fix parsing of PRIMARY KEY (issue740).

Other

• Optimize performance of matching function (pr799, by admachainz).

Release 0.4.4 (Apr 18, 2023)

Notable Changes

• IMPORTANT: This release fixes a security vulnerability in the parser where a regular expression vulnerable to ReDOS (Regular Expression Denial of Service) was used. See the security advisory for details: GHSA-rrm6-wvj7-cwh2 The vulnerability was discovered by @​erik-krogh from GitHub Security Lab (GHSL). Thanks for reporting!

... (truncated)

Commits

• ddbd0ec Bump version.
• 29f2e0a Raise recursion limit for tests.
• b4a39d9 Raise SQLParseError instead of RecursionError.
• f1bcf2f Update AUHTORS and Changelog.
• e03b74e Fix Function.get_parameters(), add Funtion.get_window()
• 617b8f6 Add OVER clause, and group it into Function (fixes #701)
• d8f8147 Update AUHTORS and Changelog.
• 012c9f1 Optimize sqlparse.utils.imt().
• 46971e5 Fix parsing of PRIMARY KEY (fixes #740).
• fc4b0be Code cleanup.
• Additional commits viewable in compare view

Updates gunicorn from 19.9.0 to 22.0.0

Release notes

Sourced from gunicorn's releases.

Gunicorn 22.0 has been released

Gunicorn 22.0.0 has been released. This version fix the numerous security vulnerabilities. You're invited to upgrade asap your own installation.

Changes:

22.0.0 - 2024-04-17
===================

use utime to notify workers liveness
migrate setup to pyproject.toml
fix numerous security vulnerabilities in HTTP parser (closing some request smuggling vectors)
parsing additional requests is no longer attempted past unsupported request framing
on HTTP versions < 1.1 support for chunked transfer is refused (only used in exploits)
requests conflicting configured or passed SCRIPT_NAME now produce a verbose error
Trailer fields are no longer inspected for headers indicating secure scheme
support Python 3.12

** Breaking changes **

minimum version is Python 3.7
the limitations on valid characters in the HTTP method have been bounded to Internet Standards
requests specifying unsupported transfer coding (order) are refused by default (rare)
HTTP methods are no longer casefolded by default (IANA method registry contains none affected)
HTTP methods containing the number sign (#) are no longer accepted by default (rare)
HTTP versions < 1.0 or >= 2.0 are no longer accepted by default (rare, only HTTP/1.1 is supported)
HTTP versions consisting of multiple digits or containing a prefix/suffix are no longer accepted
HTTP header field names Gunicorn cannot safely map to variables are silently dropped, as in other software
HTTP headers with empty field name are refused by default (no legitimate use cases, used in exploits)
requests with both Transfer-Encoding and Content-Length are refused by default (such a message might indicate an attempt to perform request smuggling)
empty transfer codings are no longer permitted (reportedly seen with really old & broken proxies)

** SECURITY **

fix CVE-2024-1135

1. Documentation is available there: https://docs.gunicorn.org/en/stable/news.html
2. Packages: https://pypi.org/project/gunicorn/

Gunicorn 21.2.0 has been released

Gunicorn 21.2.0 has been released. This version fix the issue introduced in the threaded worker.

Changes:

21.2.0 - 2023-07-19
===================
fix thread worker: revert change considering connection as idle .
</tr></table> 

... (truncated)

Commits

• f63d59e bump to 22.0
• 4ac81e0 Merge pull request #3175 from e-kwsm/typo
• 401cecf Merge pull request #3179 from dhdaines/exclude-eventlet-0360
• 0243ec3 fix(deps): exclude eventlet 0.36.0
• 628a0bc chore: fix typos
• 88fc4a4 Merge pull request #3131 from pajod/patch-py12-rebased
• deae2fc CI: back off the agressive timeout
• f470382 docs: promise 3.12 compat
• 5e30bfa add changelog to project.urls (updated for PEP621)
• 481c3f9 remove setup.cfg - overridden by pyproject.toml
• Additional commits viewable in compare view

Updates restrictedpython from 5.0 to 7.3

Changelog

Sourced from restrictedpython's changelog.

7.3 (2024-09-30)

• Increase the safety level of safer_getattr allowing applications to use it as getattr implementation. Such use should now follow the same policy and give the same level of protection as direct attribute access in an environment based on RestrictedPython's safe_builtints.
• Prevent information leakage via AttributeError.obj and the string module.

7.2 (2024-08-02)

• Remove unneeded setuptools fossils that may cause installation problems with recent setuptools versions.
• Add support for single mode statements / execution.
• Fix a potential breakout capability in the provided safer_getattr method that is part of the safer_builtins.

7.1 (2024-03-14)

• Add support for the matmul (@) operator.

7.0 (2023-11-17)

Backwards incompatible changes ++++++++++++++++++++++++++++++

• Drop support for Python 3.6.

Features ++++++++

• Officially support Python 3.12.

Fixes +++++

• Prevent DeprecationWarnings from ast.Str and ast.Num on Python 3.12

• Forbid using some attributes providing access to restricted Python internals. (CVE-2023-37271)

• Fix information disclosure problems through Python's "format" functionality (format and format_map methods on str and its instances,

... (truncated)

Commits

• dc6c38f Preparing release 7.3
• 1087c68 Prepare release.
• d701cc3 Merge commit from fork
• 57a2acb additional check for safer_getattr (#285)
• d0e97cd Allow to use the package with Python 3.13.
• c5d5b74 Back to development: 7.3
• a5ab235 Preparing release 7.2
• b1ef5ba Prepare a release which does not yet support Python 3.13.
• 4eaa5fa safer_getattr (#282)
• d191a99 Remove setuptools fossils. (#281)
• Additional commits viewable in compare view

Updates pysaml2 from 4.8.0 to 6.5.0

Release notes

Sourced from pysaml2's releases.

Version 6.5.0

6.5.0 (2021-01-20) - Security release

• Fix processing of invalid SAML XML documents - CVE-2021-21238
• Fix unspecified xmlsec1 key-type preference - CVE-2021-21239
• Add more tests regarding XSW attacks
• Add XML Schemas for SAML2 and common extensions
• Fix the XML parser to not break on ePTID AttributeValues
• Fix the initialization value of the return_addrs property of the StatusResponse object
• Fix SWAMID entity-category policy regarding eduPersonTargetedID
• data: use importlib to load package data (backwards compatibility through the importlib_resources package)
• docs: improve the documentation for the signing_algorithm and digest_algorithm options
• examples: fix the logging configuration of the example-IdP
• tests: allow tests to pass on 32bit systems by properly choosing dates in test XML documents
• tests: improvements on the generation of response and assertion objects
• tests: expand tests on python-3.9 and python-3.10-dev

Version 6.4.1

6.4.1 (2020-12-08)

• Indicate minimum required python version during installation

Version 6.4.0

6.4.0 (2020-12-08)

• Add preferred signing and digest algorithms configuration options: Use the new configuration options signing_algorithm and digest_algorithm.
• Fix signed SAML AuthnRequest and Response when HTTP-Redirect binding is used: Previously, the query params Signature and SigAlg were not included.
• Ignore duplicate RequestedAttribute entries when filtering attributes
• tests: Avoid reuse of old test data files

Version 6.3.1

6.3.1 (2020-11-11)

• Fix extraction of RegistrationInfo when no information is available
• Fix http_info struct to include status-code

Version 6.3.0

6.3.0 (2020-10-30)

• Allow to specify policy configurations based on the registration authority.
• Add new configuration option logout_responses_signed to sign logout responses.
• When available and appropriate return the ResponseLocation along with the Location attribute.
• Always use base64.encodebytes; base64.encodestring has been dropped.
• Examples: fix IdP example that was outputing debug statements on stdout that became

... (truncated)

Changelog

Sourced from pysaml2's changelog.

6.5.0 (2021-01-20) - Security release

• Fix processing of invalid SAML XML documents - [CVE-2021-21238]
• Fix unspecified xmlsec1 key-type preference - [CVE-2021-21239]
• Add more tests regarding XSW attacks
• Add XML Schemas for SAML2 and common extensions
• Fix the XML parser to not break on ePTID AttributeValues
• Fix the initialization value of the return_addrs property of the StatusResponse object
• Fix SWAMID entity-category policy regarding eduPersonTargetedID
• data: use importlib to load package data (backwards compatibility through the importlib_resources package)
• docs: improve the documentation for the signing_algorithm and digest_algorithm options
• examples: fix the logging configuration of the example-IdP
• tests: allow tests to pass on 32bit systems by properly choosing dates in test XML documents
• tests: improvements on the generation of response and assertion objects
• tests: expand tests on python-3.9 and python-3.10-dev

6.4.1 (2020-12-08)

• Indicate minimum required python version during installation

6.4.0 (2020-12-08)

• Add preferred signing and digest algorithms configuration options: Use the new configuration options signing_algorithm and digest_algorithm.
• Fix signed SAML AuthnRequest and Response when HTTP-Redirect binding is used: Previously, the query params Signature and SigAlg were not included.
• Ignore duplicate RequestedAttribute entries when filtering attributes
• tests: Avoid reuse of old test data files

6.3.1 (2020-11-11)

• Fix extraction of RegistrationInfo when no information is available
• Fix http_info struct to include status-code

6.3.0 (2020-10-30)

• Allow to specify policy configurations based on the registration authority.
• Add new configuration option logout_responses_signed to sign logout responses.
• When available and appropriate return the ResponseLocation along with the Location attribute.
• Always use base64.encodebytes; base64.encodestring has been dropped.
• Examples: fix IdP example that was outputing debug statements on stdout that became part of its metadata.
• CI/CD: Use Ubuntu bionic as the host to run the CI/CD process.
• CI/CD: Pre-releases are now available on [test.pypi.org][pypi.test.pysaml2]. Each commit/merge on the master branch autotically creates a new pre-release. To install a

... (truncated)

Commits

• 12ec4a7 Release version 6.5.0
• 1d8fd26 Merge pull request from GHSA-f4g9-h89h-jgv9
• 46578df Merge pull request from GHSA-5p3x-r448-pc62
• 751dbf5 Fix CVE-2021-21239 - Restrict the key data that xmlsec1 accepts to only x509 ...
• 3b70772 Fix CVE-2021-21238 - SAML XML Signature wrapping
• b76ea40 Add xsd schemas
• cd6030d Fix the parser to not break on ePTID AttributeValues
• 8dcb31b Strengthen XSW tests
• aaf6c54 Set the dates in test XML documents to be earlier than 2036 to allow 32bit sy...
• 17f4daf Load the encryption template using package resources
• Additional commits viewable in compare view

Updates sentry-sdk to 2.14.0

Release notes

Sourced from sentry-sdk's releases.

2.14.0

Various fixes & improvements

• New SysExitIntegration (#3401) by @​szokeasaurusrex

  For more information, see the documentation for the SysExitIntegration.

• Add SENTRY_SPOTLIGHT env variable support (#3443) by @​BYK

• Support Strawberry 0.239.2 (#3491) by @​szokeasaurusrex

• Add separate pii_denylist to EventScrubber and run it always (#3463) by