[AAP-47384] CVE 2025 47273 (#7054)

* Update requirements for setuptools * first pass and need to commit * update makefile and run updater script * updated makefile per readme * ran updater script * Patch irc backend to avoid namespace collision w/ jaraco When importing the IRC backend, jaraco resolves to the version vendored inside setuptools: 1) importing irc backend… irc_backend ERROR: ModuleNotFoundError("No module named 'jaraco.stream'") 2) sys.modules['jaraco'] after failure: present: True type: <class 'module'> __file__: /var/lib/awx/venv/awx/lib64/python3.11/site-packages/setuptools/_vendor/jaraco/__init__.py __path__: ['/var/lib/awx/venv/awx/lib64/python3.11/site-packages/setuptools/_vendor/jaraco'] __spec__: ModuleSpec(name='jaraco', loader=<_frozen_importlib_external.SourceFileLoader object at 0x7f006a0eccd0>, origin='/var/lib/awx/venv/awx/lib64/python3.11/site-packages/setuptools/_vendor/jaraco/__init__.py', submodule_search_locations=['/var/lib/awx/venv/awx/lib64/python3.11/site-packages/setuptools/_vendor/jaraco']) Since setuptools does not vendor jaraco.stream, it blew up. This patch ensures jaraco.stream gets imported *before* attempting to import the irc modules. * Revert "[4.6][dependency] CVE 2025 47273 (#7020)" (#7027) This reverts commit e8b2920aec. * reformatted irc backend with black * ran black to fix linting issues * Reapply "[4.6][dependency] CVE 2025 47273 (#7020)" (#7027) This reverts commit 0c6df9b13398a93569fae7558e1a0e72cbe8fb6c. * add flake8 ignore since jaraco.stream is needed * jaraco.stream is not directly called in the file but is needed by irc so ignore the linter failure --------- Co-authored-by: Shane McDonald <me@shanemcd.com>
2026-03-10 22:19:28 -02:30 · 2025-08-19 11:59:24 -04:00
parent e8c4b302ad
commit 8fe4223eac
4 changed files with 28 additions and 11 deletions
--- a/requirements/requirements.in
+++ b/requirements/requirements.in
@@ -73,7 +73,7 @@ uWSGI>=2.0.28
 uwsgitop
 wheel>=0.38.1  # CVE-2022-40898
 pip==21.2.4  # see UPGRADE BLOCKERs
-setuptools  # see UPGRADE BLOCKERs
+setuptools==78.1.1  # see UPGRADE BLOCKERs
 setuptools_scm[toml]  # see UPGRADE BLOCKERs, xmlsec build dep
 setuptools-rust>=0.11.4  # cryptography build dep
 pkgconfig>=1.5.1  # xmlsec build dep - needed for offline build
--- a/requirements/requirements.txt
+++ b/requirements/requirements.txt
@@ -190,7 +190,9 @@ djangorestframework-yaml==2.0.0
 docutils==0.20.1
    # via python-daemon
 dynaconf==3.2.10
-    # via django-ansible-base
+    # via
+    #   -r /awx_devel/requirements/requirements.in
+    #   django-ansible-base
 enum-compat==0.0.3
    # via asn1
 filelock==3.13.1
@@ -610,7 +612,7 @@ zope-interface==6.2
 # The following packages are considered to be unsafe in a requirements file:
 pip==21.2.4
    # via -r /awx_devel/requirements/requirements.in
-setuptools==69.0.2
+setuptools==78.1.1
    # via
    #   -r /awx_devel/requirements/requirements.in
    #   asciichartpy