From 4d729f946da58e45c656dac2fbde0e73a85e0d18 Mon Sep 17 00:00:00 2001 From: Eugen C <1533818+armab@users.noreply.github.com> Date: Thu, 9 Nov 2023 18:12:32 +0000 Subject: [PATCH 1/2] Update gitpython
--- fixed-requirements.txt | 2 +- requirements.txt | 2 +- st2actions/requirements.txt | 2 +- st2common/requirements.txt | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/fixed-requirements.txt b/fixed-requirements.txt
index 00ed7297b9..8a3a03aa86 100644
--- a/fixed-requirements.txt
+++ b/fixed-requirements.txt
@@ -12,7 +12,7 @@ cryptography==39.0.1 # depend on rely eventlet==0.33.3
 flex==6.14.1
-gitpython==3.1.15
+gitpython<=3.1.37 # Needed by gitpython, old versions used to bundle it gitdb==4.0.2 # Note: greenlet is used by eventlet
diff --git a/requirements.txt b/requirements.txt
index 841cf38cb3..b4d4fafd6e 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -20,7 +20,7 @@ dnspython>=1.16.0,<2.0.0
 eventlet==0.33.3
 flex==6.14.1
 gitdb==4.0.2
-gitpython==3.1.15
+gitpython<=3.1.37
 greenlet==1.0.0
 gunicorn==21.2.0
 importlib-metadata==3.10.1
diff --git a/st2actions/requirements.txt b/st2actions/requirements.txt
index e15c7c967e..bdfe4e8b1c 100644
--- a/st2actions/requirements.txt
+++ b/st2actions/requirements.txt
@@ -9,7 +9,7 @@ MarkupSafe<2.1.0,>=0.23
 apscheduler==3.7.0
 chardet<3.1.0
 eventlet==0.33.3
-gitpython==3.1.15
+gitpython<=3.1.37
 jinja2==2.11.3
 kombu==5.0.2
 lockfile==0.12.2
diff --git a/st2common/requirements.txt b/st2common/requirements.txt
index bd1a1827af..1d4b86fc82 100644
--- a/st2common/requirements.txt
+++ b/st2common/requirements.txt
@@ -17,7 +17,7 @@ dnspython>=1.16.0,<2.0.0
 eventlet==0.33.3
 flex==6.14.1
 gitdb==4.0.2
-gitpython==3.1.15
+gitpython<=3.1.37
 greenlet==1.0.0
 jinja2==2.11.3
 jsonpath-rw==1.4.0 From 8d4d16af39c8a804dc50d2e9ac946ef736d9ab4b Mon Sep 17 00:00:00 2001
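Review bot: `gitpython<=3.1.37` in fixed-requirements.txt (and the identical line in requirements.txt, st2actions/requirements.txt and st2common/requirements.txt) only sets a ceiling, so it does not actually require the security-fixed release: any lower release, including the 3.1.15 being replaced, still satisfies it, and a resolver lands on 3.1.37 or 3.1.18 only because nothing else in the environment narrows the range. Since the intent is one exact version per interpreter, an environment marker states that directly and keeps the line pinned like the rest of the file: `gitpython==3.1.37; python_version >= "3.8"` and `gitpython==3.1.18; python_version < "3.8"` (adjust the boundary if the project also supports 3.7). If a single specifier is preferred, at least add the floor, `gitpython>=3.1.18,<=3.1.37`, so a stale constraint or lockfile cannot quietly resolve to an older version. The 3.1.18 branch remains vulnerable either way, as the comment added in the second commit already says; an explicit marker makes that per-interpreter split visible in the requirement itself rather than leaving it to resolver behaviour.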
From: Eugen C <1533818+armab@users.noreply.github.com> Date: Thu, 9 Nov 2023 18:53:09 +0000 Subject: [PATCH 2/2] Add a Changelog for #6063
--- CHANGELOG.rst | 2 ++ fixed-requirements.txt | 2 ++ 2 files changed, 4 insertions(+)
diff --git a/CHANGELOG.rst b/CHANGELOG.rst
index 7a08f8743f..0b579cce68 100644
--- a/CHANGELOG.rst
+++ b/CHANGELOG.rst
@@ -30,6 +30,8 @@ Fixed * Bumped `eventlet` to `0.33.3` and `gunicorn` to `21.2.0` to fix `RecursionError` bug in setting `SSLContext` `minimum_version` property. #6061 Contributed by @jk464
+* Update version 3.1.15 of ``gitpython`` to 3.1.18 for py3.6 and to 3.1.37 for py3.8 (security). #6063
+
 Added
 ~~~~~
diff --git a/fixed-requirements.txt b/fixed-requirements.txt
index 8a3a03aa86..6d9835bb59 100644
--- a/fixed-requirements.txt
+++ b/fixed-requirements.txt
@@ -12,6 +12,8 @@ cryptography==39.0.1 # depend on rely eventlet==0.33.3
 flex==6.14.1
+# Note: installs gitpython==3.1.37 (security fixed) under py3.8 and gitpython==3.1.18 (latest available, vulnerable) under py3.6
+# TODO: Pin to 3.1.37 or higher after dropping python3.6 support gitpython<=3.1.37 # Needed by gitpython, old versions used to bundle it gitdb==4.0.2