Bump the pip group across 1 directory with 7 updates

[dependabot]

Updates the requirements on django, pillow, httplib2, django-cms, gunicorn, gevent and pycrypto to permit the latest version.
Updates django to 5.0.4

Commits

• 476d7c5 [5.0.x] Bumped version for 5.0.4 release.
• e4a0644 [5.0.x] Added release date for 5.0.4.
• fead2dd [5.0.x] Fixed #35336 -- Addressed crash when adding a GeneratedField with % l...
• 14ab15d [5.0.x] Fixed #35344, Refs #34838 -- Corrected output_field of resolved colum...
• 7b144e7 [5.0.x] Restored django.db.models.F import in final code snippet added at the...
• 3264e88 [5.0.x] Fixed typo in docs/topics/signals.txt.
• 345e3cf [5.0.x] Fixed #35329 -- Fixed migrations crash when adding partial unique con...
• 71368b6 [5.0.x] Added RowNumber() link in Rank() docs.
• 8fd953f [5.0.x] Fixed #35273 -- Fixed rendering AdminFileWidget's attributes.
• 710ca57 [5.0.x] Fixed #25595 -- Doc'd that URLValidator rejects file:// URIs without ...
• Additional commits viewable in compare view

Updates pillow from 2.1.0 to 10.3.0

Release notes

Sourced from pillow's releases.

10.3.0

https://pillow.readthedocs.io/en/stable/releasenotes/10.3.0.html

Changes

• CVE-2024-28219: Use strncpy to avoid buffer overflow #7928 [@​hugovk]
• Use functools.lru_cache for hopper() #7912 [@​hugovk]
• Raise ValueError if seeking to greater than offset-sized integer in TIFF #7883 [@​radarhere]
• Improve speed of loading QOI images #7925 [@​radarhere]
• Added RGB to I;16N conversion #7920 [@​radarhere]
• Add --report argument to main.py to omit supported formats #7818 [@​nulano]
• Added RGB to I;16, I;16L and I;16B conversion #7918 [@​radarhere]
• Fix editable installation with custom build backend and configuration options #7658 [@​nulano]
• Fix putdata() for I;16N on big-endian #7209 [@​Yay295]
• Determine MPO size from markers, not EXIF data #7884 [@​radarhere]
• Improved conversion from RGB to RGBa, LA and La #7888 [@​radarhere]
• Support FITS images with GZIP_1 compression #7894 [@​radarhere]
• Use I;16 mode for 9-bit JPEG 2000 images #7900 [@​scaramallion]
• Raise ValueError if kmeans is negative #7891 [@​radarhere]
• Remove TIFF tag OSUBFILETYPE when saving using libtiff #7893 [@​radarhere]
• Raise ValueError for negative values when loading P1-P3 PPM images #7882 [@​radarhere]
• Added reading of JPEG2000 palettes #7870 [@​radarhere]
• Added alpha_quality argument when saving WebP images #7872 [@​radarhere]
• Fixed joined corners for ImageDraw rounded_rectangle() non-integer dimensions #7881 [@​radarhere]
• Removed Python and NumPy pinning on Cygwin #7880 [@​radarhere]
• Update UnidentifiedImageError and version imports #7644 [@​radarhere]
• Stop reading EPS image at EOF marker #7753 [@​radarhere]
• PSD layer co-ordinates may be negative #7706 [@​radarhere]
• Use subprocess with CREATE_NO_WINDOW flag in ImageShow WindowsViewer #7791 [@​radarhere]
• When saving GIF frame that restores to background color, do not fill identical pixels #7788 [@​radarhere]
• Fixed reading PNG iCCP compression method #7823 [@​radarhere]
• Allow writing IFDRational to UNDEFINED tag #7840 [@​radarhere]
• Fix logged tag name when loading Exif data #7842 [@​radarhere]
• Use maximum frame size in IHDR chunk when saving APNG images #7821 [@​radarhere]
• Prevent opening P TGA images without a palette #7797 [@​radarhere]
• Use palette when loading ICO images #7798 [@​radarhere]
• Use consistent arguments for load_read and load_seek #7713 [@​radarhere]
• Turn off nullability warnings for macOS SDK #7827 [@​radarhere]
• Fix shift-sign issue in Convert.c #7838 [@​r-barnes]
• winbuild: Refactor dependency versions into constants #7843 [@​hugovk]
• Build macOS arm64 wheels natively #7852 [@​radarhere]
• Fixed typo #7855 [@​radarhere]
• Open 16-bit grayscale PNGs as I;16 #7849 [@​radarhere]
• Handle truncated chunks at the end of PNG images #7709 [@​lajiyuan]
• Match mask size to pasted image size in GifImagePlugin #7779 [@​radarhere]
• Changed SupportsGetMesh protocol to be public #7841 [@​radarhere]
• Release GIL while calling WebPAnimDecoderGetNext #7782 [@​evanmiller]
• Fixed reading FLI/FLC images with a prefix chunk #7804 [@​twolife]
• Updated package name for Tidelift #7810 [@​radarhere]
• Removed unused code #7744 [@​radarhere]

... (truncated)

Changelog

Sourced from pillow's changelog.

10.3.0 (2024-04-01)

• CVE-2024-28219: Use strncpy to avoid buffer overflow #7928 [radarhere, hugovk]

• Deprecate eval(), replacing it with lambda_eval() and unsafe_eval() #7927 [radarhere, hugovk]

• Raise ValueError if seeking to greater than offset-sized integer in TIFF #7883 [radarhere]

• Add --report argument to __main__.py to omit supported formats #7818 [nulano, radarhere, hugovk]

• Added RGB to I;16, I;16L, I;16B and I;16N conversion #7918, #7920 [radarhere]

• Fix editable installation with custom build backend and configuration options #7658 [nulano, radarhere]

• Fix putdata() for I;16N on big-endian #7209 [Yay295, hugovk, radarhere]

• Determine MPO size from markers, not EXIF data #7884 [radarhere]

• Improved conversion from RGB to RGBa, LA and La #7888 [radarhere]

• Support FITS images with GZIP_1 compression #7894 [radarhere]

• Use I;16 mode for 9-bit JPEG 2000 images #7900 [scaramallion, radarhere]

• Raise ValueError if kmeans is negative #7891 [radarhere]

• Remove TIFF tag OSUBFILETYPE when saving using libtiff #7893 [radarhere]

• Raise ValueError for negative values when loading P1-P3 PPM images #7882 [radarhere]

• Added reading of JPEG2000 palettes #7870 [radarhere]

• Added alpha_quality argument when saving WebP images #7872 [radarhere]

... (truncated)

Commits

• 5c89d88 10.3.0 version bump
• 63cbfcf Update CHANGES.rst [ci skip]
• 2776126 Merge pull request #7928 from python-pillow/lcms
• aeb51cb Merge branch 'main' into lcms
• 5beb0b6 Update CHANGES.rst [ci skip]
• cac6ffa Merge pull request #7927 from python-pillow/imagemath
• f5eeeac Name as 'options' in lambda_eval and unsafe_eval, but '_dict' in deprecated eval
• facf3af Added release notes
• 2a93aba Use strncpy to avoid buffer overflow
• a670597 Update CHANGES.rst [ci skip]
• Additional commits viewable in compare view

Updates httplib2 from 0.7.6 to 0.19.0

Changelog

Sourced from httplib2's changelog.

0.19.0

auth: parse headers using pyparsing instead of regexp httplib2/httplib2#182

auth: WSSE token needs to be string not bytes httplib2/httplib2#179

0.18.1

explicit build-backend workaround for pip build isolation bug "AttributeError: 'module' object has no attribute 'legacy'" on pip install httplib2/httplib2#169

0.18.0

IMPORTANT security vulnerability CWE-93 CRLF injection Force %xx quote of space, CR, LF characters in uri. Special thanks to Recar https://github.com/Ciyfly for discrete notification. https://cwe.mitre.org/data/definitions/93.html

0.17.4

Ship test suite in source dist httplib2/httplib2#168

0.17.3

IronPython2.7: relative import iri2uri fixes ImportError httplib2/httplib2#163

0.17.2

python3 + debug + IPv6 disabled: https raised "IndexError: Replacement index 1 out of range for positional args tuple" httplib2/httplib2#161

0.17.1

python3: no_proxy was not checked with https httplib2/httplib2#160

0.17.0

feature: Http().redirect_codes set, works after follow(_all)_redirects check This allows one line workaround for old gcloud library that uses 308 response without redirect semantics. httplib2/httplib2#156

0.16.0

... (truncated)

Commits

• See full diff in compare view

Updates django-cms from 2.3.6 to 3.0.14

Changelog

Sourced from django-cms's changelog.

3.0.14 (2015-06-27)

• Fixed an issue where privileged users could be tricked into performing actions without their knowledge via a CSRF vulnerability
• Fixed an issue related to "Empty all" Placeholder feature
• Fix issue with causes menu classes to be duplicated in advanced settings
• Fix issue with breadcrumbs not showing
• Fix issues with show_menu templatetags
• Fix plugin sorting in py3
• Fix search results number and items alignment in page changelist
• Fix X-Frame-Options on top-level pages
• Preserve information regarding the current view when applying the CMS decorator
• Fix render_model template tag doesn't show correct change list
• Fix language fallback for nested plugins
• Fix order of which application urls are injected into urlpatterns
• Fix delete non existing page language
• Fix Scanning for placeholders fails on include tags with a variable as an argument
• Minor documentation fixes
• Pin South version to 1.0.2
• Pin Html5lib version to 0.999 until a current bug is fixed
• Fix language chooser template

3.0.13 (2015-04-15)

• Numerous documentation including installation and tutorial updates
• Numerous improvements to translations
• Improves reliability of apphooks
• Improves reliabiliy of Advanced Settings on page when using apphooks
• Allow page deletion after template removal
• Improves upstream caching accuracy
• Improves CMSAttachMenu registration
• Improves handling of mistyped URLs
• Improves redirection as a result of changes to page slugs, etc.
• Improves performance of "watched models"
• Improves frontend performance relating to resizing the sideframe
• Corrects an issue where items might not be visible in structure mode menus
• Limits version of django-mptt used in CMS for 3.0.x
• Prevent accidental upgrades to Django 1.8, which is not yet supported

3.0.12 (2015-03-06)

• Fixed a typo in JavaScript which prevents page tree from working

3.0.11 (2015-03-05)

... (truncated)

Commits

• d197f6c Bump version
• 9055628 Update authors file
• ca13841 Update translations
• 02cb86b Update changelogs
• ee8c8f0 Merge pull request #4187 from yakky/changelog_3014
• f77cbc6 Merge pull request #4218 from divio/issues/merge_csrf_fix
• a6e9157 Merge branch 'require_post' of https://github.com/yakky/django-cms into issue...
• d1f7a7b Merge pull request #4217 from yakky/feature/fix_language_chooser
• 88ede37 Update changelog
• a6662dd Update language chooser default template
• Additional commits viewable in compare view

Updates gunicorn from 18.0 to 22.0.0

Release notes

Sourced from gunicorn's releases.

Gunicorn 22.0 has been released

Gunicorn 22.0.0 has been released. This version fix the numerous security vulnerabilities. You're invited to upgrade asap your own installation.

Changes:

22.0.0 - 2024-04-17
===================

use utime to notify workers liveness
migrate setup to pyproject.toml
fix numerous security vulnerabilities in HTTP parser (closing some request smuggling vectors)
parsing additional requests is no longer attempted past unsupported request framing
on HTTP versions < 1.1 support for chunked transfer is refused (only used in exploits)
requests conflicting configured or passed SCRIPT_NAME now produce a verbose error
Trailer fields are no longer inspected for headers indicating secure scheme
support Python 3.12

** Breaking changes **

minimum version is Python 3.7
the limitations on valid characters in the HTTP method have been bounded to Internet Standards
requests specifying unsupported transfer coding (order) are refused by default (rare)
HTTP methods are no longer casefolded by default (IANA method registry contains none affected)
HTTP methods containing the number sign (#) are no longer accepted by default (rare)
HTTP versions < 1.0 or >= 2.0 are no longer accepted by default (rare, only HTTP/1.1 is supported)
HTTP versions consisting of multiple digits or containing a prefix/suffix are no longer accepted
HTTP header field names Gunicorn cannot safely map to variables are silently dropped, as in other software
HTTP headers with empty field name are refused by default (no legitimate use cases, used in exploits)
requests with both Transfer-Encoding and Content-Length are refused by default (such a message might indicate an attempt to perform request smuggling)
empty transfer codings are no longer permitted (reportedly seen with really old & broken proxies)

** SECURITY **

fix CVE-2024-1135

1. Documentation is available there: https://docs.gunicorn.org/en/stable/news.html
2. Packages: https://pypi.org/project/gunicorn/

Gunicorn 21.2.0 has been released

Gunicorn 21.2.0 has been released. This version fix the issue introduced in the threaded worker.

Changes:

21.2.0 - 2023-07-19
===================
fix thread worker: revert change considering connection as idle .
</tr></table> 

... (truncated)

Commits

• f63d59e bump to 22.0
• 4ac81e0 Merge pull request #3175 from e-kwsm/typo
• 401cecf Merge pull request #3179 from dhdaines/exclude-eventlet-0360
• 0243ec3 fix(deps): exclude eventlet 0.36.0
• 628a0bc chore: fix typos
• 88fc4a4 Merge pull request #3131 from pajod/patch-py12-rebased
• deae2fc CI: back off the agressive timeout
• f470382 docs: promise 3.12 compat
• 5e30bfa add changelog to project.urls (updated for PEP621)
• 481c3f9 remove setup.cfg - overridden by pyproject.toml
• Additional commits viewable in compare view

Updates gevent from 1.0 to 23.9.0

Release notes

Sourced from gevent's releases.

1.2.2

No release notes provided.

1.1.2

• Python 2: sendall on a non-blocking socket could spuriously fail with a timeout.
• If sys.stderr has been monkey-patched (not recommended), exceptions that the hub reports aren't lost and can still be caught. Reported in :issue:825 by Jelle Smet.
• :class:selectors.SelectSelector is properly monkey-patched regardless of the order of imports. Reported in :issue:835 by Przemysław Węgrzyn.
• Python 2: reload(site) no longer fails with a TypeError if gevent has been imported. Reported in :issue:805 by Jake Hilton.

1.1.1 (Apr 4, 2016)

• Nested callbacks that set and clear an Event no longer cause wait to return prematurely. Reported in :issue:771 by Sergey Vasilyev.
• Fix build on Solaris 10. Reported in :issue:777 by wiggin15.
• The ref parameter to :func:gevent.os.fork_and_watch was being ignored.
• Python 3: :class:gevent.queue.Channel is now correctly iterable, instead of raising a :exc:TypeError.
• Python 3: Add support for :meth:socket.socket.sendmsg, :meth:socket.socket.recvmsg and :meth:socket.socket.recvmsg_into on platforms where they are defined. Initial :pr:773 by Jakub Klama.

1.1.0

• Python 3: A monkey-patched :class:threading.RLock now properly blocks (or deadlocks) in acquire if the default value for timeout of -1 is used (which differs from gevent's default of None). The acquire method also raises the same :exc:ValueError exceptions that the standard library does for invalid parameters. Reported in #750 by Joy Zheng.
• Fix a race condition in :class:~gevent.event.Event that made it return False when the event was set and cleared by the same greenlet before allowing a switch to already waiting greenlets. (Found by the 3.4 and 3.5 standard library test suites; the same as Python bug 13502_. Note that the Python 2 standard library still has this race condition.)
• :class:~gevent.event.Event and :class:~.AsyncResult now wake waiting greenlets in the same (unspecified) order. Previously, AsyncResult tended to use a FIFO order, but this was never guaranteed. Both classes also use less per-instance memory.
• Using a :class:~logging.Logger as a :mod:pywsgi error or request log stream no longer produces extra newlines. Reported in #756 by ael-code.
• Windows: Installing from an sdist (.tar.gz) on PyPI no longer requires having Cython installed first. (Note that the binary installation

... (truncated)

Changelog

Sourced from gevent's changelog.

=================

Commits

• 693181e Preparing release 23.9.0
• 6fc7898 Set the cython version; go back to default wheel tags.
• 666e374 Had the constraint wrong.
• 74ef876 Tweaking the build, and it seems like the greenlet stack issue should be fixed.
• b652e2a Error handling adjustments from running under a debug build.
• 70e7318 Tweaking tests and comments; temporary workarounds for 3.12 to enable builds.
• 495e37a Workaround the 3.12 traceback issue again.
• 2f53c85 gevent.pywsgi: Much improved handling of chunk trailers.
• bb06d2d Test builds with greenlet assertions enabled.
• 6b22af0 pyproject.toml: Bump to latest cython.
• Additional commits viewable in compare view

Updates pycrypto from 2.6 to 2.6.1

Changelog

Sourced from pycrypto's changelog.

2.6.1

• [CVE-2013-1445] Fix PRNG not correctly reseeded in some situations.

  In previous versions of PyCrypto, the Crypto.Random PRNG exhibits a race condition that may cause forked processes to generate identical sequences of 'random' numbers.

  This is a fairly obscure bug that will (hopefully) not affect many applications, but the failure scenario is pretty bad. Here is some sample code that illustrates the problem:

  from binascii import hexlify
  import multiprocessing, pprint, time
  import Crypto.Random
  def task_main(arg):
  a = Crypto.Random.get_random_bytes(8)
  time.sleep(0.1)
  b = Crypto.Random.get_random_bytes(8)
  rdy, ack = arg
  rdy.set()
  ack.wait()
  return "%s,%s" % (hexlify(a).decode(),
  hexlify(b).decode())
  n_procs = 4
  manager = multiprocessing.Manager()
  rdys = [manager.Event() for i in range(n_procs)]
  acks = [manager.Event() for i in range(n_procs)]
  Crypto.Random.get_random_bytes(1)
  pool = multiprocessing.Pool(processes=n_procs,
  initializer=Crypto.Random.atfork)
  res_async = pool.map_async(task_main, zip(rdys, acks))
  pool.close()
  [rdy.wait() for rdy in rdys]
  [ack.set() for ack in acks]
  res = res_async.get()
  pprint.pprint(sorted(res))
  pool.join()
  

  The output should be random, but it looked like this:

  ['c607803ae01aa8c0,2e4de6457a304b34',
   'c607803ae01aa8c0,af80d08942b4c987',
   'c607803ae01aa8c0,b0e4c0853de927c4',
   'c607803ae01aa8c0,f0362585b3fceba4']
  

  This release fixes the problem by resetting the rate-limiter when Crypto.Random.atfork() is invoked. It also adds some tests and a

... (truncated)

Commits

• 7fd528d Release v2.6.1
• b37ffc0 Update the ChangeLog
• fa06af7 Fortuna: Add comments for reseed_interval and min_pool_size to FortunaAccumul...
• 19dcf7b Random: Make Crypto.Random.atfork() set last_reseed=None (CVE-2013-1445)
• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
  You can disable automated security fix PRs for this repo from the Security Alerts page.