Bump pysaml2 requeriment to avoid CVE-2020-5390

Although, Keystone doesn't use the pysaml2 signature on [0] Would be nice to bump the pysaml2 version for, at least, 5.0.0[1] in order to have the the CVE fix included[2]. [0]https://opendev.org/openstack/keystone/src/branch/master/keystone/federation/idp.py#L440-L521 [1] https://github.com/IdentityPython/pysaml2/releases/tag/v5.0.0 [2] https://github.com/advisories/GHSA-qf7v-8hj3-4xw7 Change-Id: I1d3776f7f1feb6485feecb140703f23027ca3a6f
2020-08-19 14:05:31 -03:00 · 2020-08-19 14:05:31 -03:00 · c0d63cecd8
parent 7d6c71ba26
commit c0d63cecd8
2 changed files with 2 additions and 2 deletions
--- a/lower-constraints.txt
+++ b/lower-constraints.txt
@ -46,7 +46,7 @@ pycadf==1.1.0
 pycodestyle==2.0.0
 python-ldap===3.0.0
 pymongo===3.0.2
-pysaml2==4.5.0
+pysaml2==5.0.0
 PyJWT==1.6.1
 PyMySQL==0.7.6
 python-keystoneclient==3.8.0
--- a/requirements.txt
+++ b/requirements.txt
@ -28,7 +28,7 @@ oslo.serialization!=2.19.1,>=2.18.0 # Apache-2.0
 oslo.upgradecheck>=0.1.0 # Apache-2.0
 oslo.utils>=3.33.0 # Apache-2.0
 oauthlib>=0.6.2 # BSD
-pysaml2>=4.5.0
+pysaml2>=5.0.0
 PyJWT>=1.6.1 # MIT
 dogpile.cache>=0.6.2 # BSD
 jsonschema>=3.2.0 # MIT