Merge pull request #529 from baobabsoluciones/hotfix/security

Changes needed due to security reasons.

.github/workflows/cornflow-client-publish-to-pypi.yml

@@ -38,7 +38,7 @@ jobs:
         password: ${{ secrets.pypi_password }}
         packages_dir: libs/client/dist/
     - name: Get version number
-      uses: jungwinter/split@v2
+      uses: winterjung/split@v2
       id: split
       with:
         msg : ${{ github.ref_name}}

.github/workflows/cornflow-publish-to-pypi.yml

@@ -38,7 +38,7 @@ jobs:
         password: ${{ secrets.CORNFLOW_PYPI_TOKEN }}
         packages_dir: cornflow-server/dist/
     - name: Get version number
-      uses: jungwinter/split@v2
+      uses: winterjung/split@v2
       id: split
       with:
         msg : ${{ github.ref_name }}

cornflow-server/Dockerfile

@@ -1,4 +1,4 @@
-# VERSION 1.0.10
+# VERSION 1.0.11
 # AUTHOR: [email protected]
 
 FROM python:3.10-slim-buster
@@ -9,7 +9,7 @@ ENV DEBIAN_FRONTEND noninteractive
 ENV TERM linux
 
 # CORNFLOW vars
-ARG CORNFLOW_VERSION=1.0.10
+ARG CORNFLOW_VERSION=1.0.11
 
 # install linux pkg
 RUN apt update -y && apt-get install -y --no-install-recommends \

cornflow-server/airflow_config/Dockerfile

@@ -1,7 +1,7 @@
 # AIRFLOW VERSION 2.9.0
 # AUTHOR: [email protected]
 # DESCRIPTION: Airflow 2.9.0 image personalized for use with Cornflow (from baobabsoluciones/pysolver image)
-# baobab code version is 1.0.10
+# baobab code version is 1.0.11
 
 FROM baobabsoluciones/pysolver:1.0
 LABEL maintainer="cornflow@baobabsoluciones"
@@ -11,7 +11,7 @@ ENV DEBIAN_FRONTEND noninteractive
 ENV TERM linux
 
 # Airflow vars
-ARG AIRFLOW_VERSION=2.9.0
+ARG AIRFLOW_VERSION=2.9.1
 ARG AIRFLOW_USER_HOME=/usr/local/airflow
 ARG CONSTRAINT_URL="https://raw.githubusercontent.com/apache/airflow/constraints-${AIRFLOW_VERSION}/constraints-3.10.txt"
 ARG AIRFLOW__CORE__LOAD_EXAMPLES=False

cornflow-server/changelog.rst

@@ -1,3 +1,14 @@
+version 1.0.11
+---------------
+
+- released: 2024-05-10
+- description: release to fix security vulnerabilities
+- changelog:
+    - Upgraded flask-cors version to 4.0.1
+    - Upgraded Werkzeug version to 3.0.3
+    - Upgraded Airflow to version 2.9.1
+    - Fixed Werkzeug version on airflow image to 3.0.3
+
 version 1.0.10
 ---------------
 

cornflow-server/requirements.txt

@@ -8,7 +8,7 @@ Flask==2.3.2
 flask-apispec<=0.11.4
 Flask-Bcrypt<=1.0.1
 Flask-Compress<=1.13
-flask-cors<=3.0.10
+flask-cors<=4.0.1
 flask-inflate<=0.3
 Flask-Migrate<=4.0.4
 Flask-RESTful<=0.3.9
@@ -27,4 +27,4 @@ pytups>=0.86.2
 requests<=2.31.0
 SQLAlchemy==1.3.21
 webargs<=8.2.0
-Werkzeug<=2.3.8
+Werkzeug<=3.0.3

cornflow-server/setup.py

@@ -9,7 +9,7 @@
 
 setuptools.setup(
     name="cornflow",
-    version="1.0.10",
+    version="1.0.11",
     author="baobab soluciones",
     author_email="[email protected]",
     description="Cornflow is an open source multi-solver optimization server with a REST API built using flask.",

docker-compose-cornflow-celery.yml

@@ -30,7 +30,7 @@ x-airflow-common:
   &airflow-common
   # In order to add custom dependencies or upgrade provider packages you can use your extended image.
   # Comment the image line and uncomment the "build" and "context" lines below, Then run `docker-compose build` to build the images.
-    image: baobabsoluciones/airflow:release-v1.0.8
+    image: baobabsoluciones/airflow:release-v1.0.11
     platform: linux/amd64
     #build: 
     #context: ./cornflow-server/airflow_config
@@ -64,7 +64,7 @@ x-cornflow-common:
   &cornflow-common
   # In order to add custom dependencies or upgrade provider packages you can use your extended image.
   # Comment the image line and uncomment the "build" and "context" lines below, Then run `docker-compose build` to build the images.
-    image: baobabsoluciones/cornflow:release-v1.0.8
+    image: baobabsoluciones/cornflow:release-v1.0.11
     platform: linux/amd64
     #build: 
     #context: ./cornflow-server

docker-compose-cornflow-ldap.yml

@@ -31,7 +31,7 @@ x-airflow-common:
   &airflow-common
   # In order to add custom dependencies or upgrade provider packages you can use your extended image.
   # Comment the image line and uncomment the "build" and "context" lines below, Then run `docker-compose build` to build the images.
-    image: baobabsoluciones/airflow:release-v1.0.8
+    image: baobabsoluciones/airflow:release-v1.0.11
     platform: linux/amd64
     #build: 
     #context: ./cornflow-server/airflow_config

docker-compose.yml

@@ -30,7 +30,7 @@ x-airflow-common:
   &airflow-common
   # In order to add custom dependencies or upgrade provider packages you can use your extended image.
   # Comment the image line and uncomment the "build" and "context" lines below, Then run `docker-compose build` to build the images.
-    image: baobabsoluciones/airflow:release-v1.0.8
+    image: baobabsoluciones/airflow:release-v1.0.11
     platform: linux/amd64
     #build: 
     #context: ./cornflow-server/airflow_config
@@ -60,7 +60,7 @@ x-cornflow-common:
   &cornflow-common
   # In order to add custom dependencies or upgrade provider packages you can use your extended image.
   # Comment the image line and uncomment the "build" and "context" lines below, Then run `docker-compose build` to build the images.
-    image: baobabsoluciones/cornflow:release-v1.0.8
+    image: baobabsoluciones/cornflow:release-v1.0.11
     platform: linux/amd64
     #build: 
     #context: ./cornflow-server

docs/source/conf.py

@@ -66,10 +66,10 @@
 import cornflow_client
 
 
-release = "1.0.10"
+release = "1.0.11"
 # The short X.Y version.
 # version = release[:3]
-version = "1.0.10"
+version = "1.0.11"
 
 # The language for content autogenerated by Sphinx. Refer to documentation
 # for a list of supported languages.