[AAP-47384] CVE 2025 47273 (#7054)

* Update requirements for setuptools * first pass and need to commit * update makefile and run updater script * updated makefile per readme * ran updater script * Patch irc backend to avoid namespace collision w/ jaraco When importing the IRC backend, jaraco resolves to the version vendored inside setuptools: 1) importing irc backend… irc_backend ERROR: ModuleNotFoundError("No module named 'jaraco.stream'") 2) sys.modules['jaraco'] after failure: present: True type: <class 'module'> __file__: /var/lib/awx/venv/awx/lib64/python3.11/site-packages/setuptools/_vendor/jaraco/__init__.py __path__: ['/var/lib/awx/venv/awx/lib64/python3.11/site-packages/setuptools/_vendor/jaraco'] __spec__: ModuleSpec(name='jaraco', loader=<_frozen_importlib_external.SourceFileLoader object at 0x7f006a0eccd0>, origin='/var/lib/awx/venv/awx/lib64/python3.11/site-packages/setuptools/_vendor/jaraco/__init__.py', submodule_search_locations=['/var/lib/awx/venv/awx/lib64/python3.11/site-packages/setuptools/_vendor/jaraco']) Since setuptools does not vendor jaraco.stream, it blew up. This patch ensures jaraco.stream gets imported *before* attempting to import the irc modules. * Revert "[4.6][dependency] CVE 2025 47273 (#7020)" (#7027) This reverts commit e8b2920aec95de2c51308ce2fb14773ef676d01a. * reformatted irc backend with black * ran black to fix linting issues * Reapply "[4.6][dependency] CVE 2025 47273 (#7020)" (#7027) This reverts commit 0c6df9b13398a93569fae7558e1a0e72cbe8fb6c. * add flake8 ignore since jaraco.stream is needed * jaraco.stream is not directly called in the file but is needed by irc so ignore the linter failure --------- Co-authored-by: Shane McDonald <me@shanemcd.com>
2026-01-09 23:12:08 -03:30 · 2025-08-19 11:59:24 -04:00 · 2025-08-19 11:59:24 -04:00 · 8fe4223eac
commit 8fe4223eac
parent e8c4b302ad
4 changed files with 28 additions and 11 deletions
--- a/2
+++ b/2
@ -77,7 +77,7 @@ RECEPTOR_IMAGE ?= quay.io/ansible/receptor:devel
 SRC_ONLY_PKGS ?= cffi,pycparser,psycopg,twilio
 # These should be upgraded in the AWX and Ansible venv before attempting
 # to install the actual requirements
-VENV_BOOTSTRAP ?= pip==21.2.4 setuptools==69.0.2 setuptools_scm[toml]==8.0.4 wheel==0.42.0 cython==0.29.37
+VENV_BOOTSTRAP ?= pip==21.2.4 setuptools==78.1.1 setuptools_scm[toml]==8.0.4 wheel==0.42.0 cython==0.29.37

 NAME ?= awx

--- a/awx/main/notifications/irc_backend.py
+++ b/awx/main/notifications/irc_backend.py
@ -5,8 +5,6 @@ import time
 import ssl
 import logging

-import irc.client
-
 from django.utils.encoding import smart_str
 from django.utils.translation import gettext_lazy as _

@ -16,6 +14,19 @@ from awx.main.notifications.custom_notification_base import CustomNotificationBa
 logger = logging.getLogger('awx.main.notifications.irc_backend')


+def _irc():
+    """
+    Prime the real jaraco namespace before importing irc.* so that
+    setuptools' vendored 'setuptools._vendor.jaraco' doesn't shadow
+    external 'jaraco.*' packages (e.g., jaraco.stream).
+    """
+    import jaraco.stream  # ensure the namespace package is established  # noqa: F401
+    import irc.client as irc_client
+    import irc.connection as irc_connection
+
+    return irc_client, irc_connection
+
+
 class IrcBackend(AWXBaseEmailBackend, CustomNotificationBase):
    init_parameters = {
        "server": {"label": "IRC Server Address", "type": "string"},
@ -40,12 +51,15 @@ class IrcBackend(AWXBaseEmailBackend, CustomNotificationBase):
    def open(self):
        if self.connection is not None:
            return False
+
+        irc_client, irc_connection = _irc()
+
        if self.use_ssl:
-            connection_factory = irc.connection.Factory(wrapper=ssl.wrap_socket)
+            connection_factory = irc_connection.Factory(wrapper=ssl.wrap_socket)
        else:
-            connection_factory = irc.connection.Factory()
+            connection_factory = irc_connection.Factory()
        try:
-            self.reactor = irc.client.Reactor()
+            self.reactor = irc_client.Reactor()
            self.connection = self.reactor.server().connect(
                self.server,
                self.port,
@ -53,7 +67,7 @@ class IrcBackend(AWXBaseEmailBackend, CustomNotificationBase):
                password=self.password,
                connect_factory=connection_factory,
            )
-        except irc.client.ServerConnectionError as e:
+        except irc_client.ServerConnectionError as e:
            logger.error(smart_str(_("Exception connecting to irc server: {}").format(e)))
            if not self.fail_silently:
                raise
@ -65,8 +79,9 @@ class IrcBackend(AWXBaseEmailBackend, CustomNotificationBase):
        self.connection = None

    def on_connect(self, connection, event):
+        irc_client, _ = _irc()
        for c in self.channels:
-            if irc.client.is_channel(c):
+            if irc_client.is_channel(c):
                connection.join(c)
            else:
                for m in self.channels[c]:
--- a/requirements/requirements.in
+++ b/requirements/requirements.in
@ -73,7 +73,7 @@ uWSGI>=2.0.28
 uwsgitop
 wheel>=0.38.1  # CVE-2022-40898
 pip==21.2.4  # see UPGRADE BLOCKERs
-setuptools  # see UPGRADE BLOCKERs
+setuptools==78.1.1  # see UPGRADE BLOCKERs
 setuptools_scm[toml]  # see UPGRADE BLOCKERs, xmlsec build dep
 setuptools-rust>=0.11.4  # cryptography build dep
 pkgconfig>=1.5.1  # xmlsec build dep - needed for offline build
--- a/requirements/requirements.txt
+++ b/requirements/requirements.txt
@ -190,7 +190,9 @@ djangorestframework-yaml==2.0.0
 docutils==0.20.1
    # via python-daemon
 dynaconf==3.2.10
-    # via django-ansible-base
+    # via
+    #   -r /awx_devel/requirements/requirements.in
+    #   django-ansible-base
 enum-compat==0.0.3
    # via asn1
 filelock==3.13.1
@ -610,7 +612,7 @@ zope-interface==6.2
 # The following packages are considered to be unsafe in a requirements file:
 pip==21.2.4
    # via -r /awx_devel/requirements/requirements.in
-setuptools==69.0.2
+setuptools==78.1.1
    # via
    #   -r /awx_devel/requirements/requirements.in
    #   asciichartpy