github/OpenHands
1
0
Fork 0
mirror of https://github.com/OpenHands/OpenHands.git synced 2026-03-22 13:47:19 +08:00
Code Issues Packages Projects Releases Wiki Activity

Fix CVE-2026-27962: Update authlib to 1.6.9 (#13439)

Browse Source 
Co-authored-by: OpenHands CVE Fix Bot <openhands@all-hands.dev>
Co-authored-by: OpenHands Bot <contact@all-hands.dev>
This commit is contained in:
aivong-openhands
2026-03-17 10:13:08 -05:00
committed by GitHub
parent bd837039dd
commit d58e12ad74
4 changed files with 14 additions and 14 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
enterprise/poetry.lock generated
View File

@@ -602,14 +602,14 @@ files = [
[[package]]
name = "authlib"
version = "1.6.7"
version = "1.6.9"
description = "The ultimate Python library in building OAuth and OpenID Connect servers and clients."
optional = false
python-versions = ">=3.9"
groups = ["main"]
files = [
{file = "authlib-1.6.7-py2.py3-none-any.whl", hash = "sha256:c637340d9a02789d2efa1d003a7437d10d3e565237bcb5fcbc6c134c7b95bab0"},
{file = "authlib-1.6.7.tar.gz", hash = "sha256:dbf10100011d1e1b34048c9d120e83f13b35d69a826ae762b93d2fb5aafc337b"},
{file = "authlib-1.6.9-py2.py3-none-any.whl", hash = "sha256:f08b4c14e08f0861dc18a32357b33fbcfd2ea86cfe3fe149484b4d764c4a0ac3"},
{file = "authlib-1.6.9.tar.gz", hash = "sha256:d8f2421e7e5980cc1ddb4e32d3f5fa659cfaf60d8eaf3281ebed192e4ab74f04"},
]
[package.dependencies]

8
poetry.lock generated
View File

@@ -606,14 +606,14 @@ files = [
[[package]]
name = "authlib"
version = "1.6.7"
version = "1.6.9"
description = "The ultimate Python library in building OAuth and OpenID Connect servers and clients."
optional = false
python-versions = ">=3.9"
groups = ["main"]
files = [
{file = "authlib-1.6.7-py2.py3-none-any.whl", hash = "sha256:c637340d9a02789d2efa1d003a7437d10d3e565237bcb5fcbc6c134c7b95bab0"},
{file = "authlib-1.6.7.tar.gz", hash = "sha256:dbf10100011d1e1b34048c9d120e83f13b35d69a826ae762b93d2fb5aafc337b"},
{file = "authlib-1.6.9-py2.py3-none-any.whl", hash = "sha256:f08b4c14e08f0861dc18a32357b33fbcfd2ea86cfe3fe149484b4d764c4a0ac3"},
{file = "authlib-1.6.9.tar.gz", hash = "sha256:d8f2421e7e5980cc1ddb4e32d3f5fa659cfaf60d8eaf3281ebed192e4ab74f04"},
]
[package.dependencies]
@@ -14833,4 +14833,4 @@ third-party-runtimes = ["daytona", "e2b-code-interpreter", "modal", "runloop-api
[metadata]
lock-version = "2.1"
python-versions = "^3.12,<3.14"
content-hash = "b8a9c6245f0c3cabfeaffe6eb7c1fae76391a15533c18bce1fe168e070a66d63"
content-hash = "1a8151b36fb64667d1a2e83f38060841de15bd0284f18e8f58c6ee95095e933e"

4
pyproject.toml
View File

@@ -25,7 +25,7 @@ dependencies = [
"anthropic[vertex]",
"anyio==4.9",
"asyncpg>=0.30",
"authlib>=1.6.7",
"authlib>=1.6.9",
"bashlex>=0.18",
"boto3",
"browsergym-core==0.13.3",
@@ -163,7 +163,7 @@ include = [
[tool.poetry.dependencies]
python = "^3.12,<3.14"
authlib = ">=1.6.7" # Pinned to fix CVE-2026-28802
authlib = ">=1.6.9" # CVE-2026-27962 (fixed in 1.6.9)
orjson = ">=3.11.6" # Pinned to fix CVE-2025-67221
litellm = ">=1.74.3, !=1.64.4, !=1.67.*" # avoid 1.64.4 (known bug) & 1.67.* (known bug #10272)
openai = "2.8.0" # Pin due to litellm incompatibility with >=1.100.0 (BerriAI/litellm#13711)

10
uv.lock generated
View File

@@ -360,14 +360,14 @@ wheels = [
[[package]]
name = "authlib"
version = "1.6.7"
version = "1.6.9"
source = { registry = "https://pypi.org/simple" }
dependencies = [
{ name = "cryptography" },
]
sdist = { url = "https://files.pythonhosted.org/packages/49/dc/ed1681bf1339dd6ea1ce56136bad4baabc6f7ad466e375810702b0237047/authlib-1.6.7.tar.gz", hash = "sha256:dbf10100011d1e1b34048c9d120e83f13b35d69a826ae762b93d2fb5aafc337b", size = 164950, upload-time = "2026-02-06T14:04:14.171Z" }
sdist = { url = "https://files.pythonhosted.org/packages/af/98/00d3dd826d46959ad8e32af2dbb2398868fd9fd0683c26e56d0789bd0e68/authlib-1.6.9.tar.gz", hash = "sha256:d8f2421e7e5980cc1ddb4e32d3f5fa659cfaf60d8eaf3281ebed192e4ab74f04", size = 165134, upload-time = "2026-03-02T07:44:01.998Z" }
wheels = [
{ url = "https://files.pythonhosted.org/packages/f8/00/3ed12264094ec91f534fae429945efbaa9f8c666f3aa7061cc3b2a26a0cd/authlib-1.6.7-py2.py3-none-any.whl", hash = "sha256:c637340d9a02789d2efa1d003a7437d10d3e565237bcb5fcbc6c134c7b95bab0", size = 244115, upload-time = "2026-02-06T14:04:12.141Z" },
{ url = "https://files.pythonhosted.org/packages/53/23/b65f568ed0c22f1efacb744d2db1a33c8068f384b8c9b482b52ebdbc3ef6/authlib-1.6.9-py2.py3-none-any.whl", hash = "sha256:f08b4c14e08f0861dc18a32357b33fbcfd2ea86cfe3fe149484b4d764c4a0ac3", size = 244197, upload-time = "2026-03-02T07:44:00.307Z" },
]
[[package]]
@@ -3792,7 +3792,7 @@ requires-dist = [
{ name = "anthropic", extras = ["vertex"] },
{ name = "anyio", specifier = "==4.9" },
{ name = "asyncpg", specifier = ">=0.30" },
{ name = "authlib", specifier = ">=1.6.7" },
{ name = "authlib", specifier = ">=1.6.9" },
{ name = "bashlex", specifier = ">=0.18" },
{ name = "boto3" },
{ name = "browsergym-core", specifier = "==0.13.3" },
@@ -3844,7 +3844,7 @@ requires-dist = [
{ name = "psutil" },
{ name = "pybase62", specifier = ">=1" },
{ name = "pygithub", specifier = ">=2.5" },
{ name = "pyjwt", specifier = ">=2.12.0" },
{ name = "pyjwt", specifier = ">=2.12" },
{ name = "pylatexenc" },
{ name = "pypdf", specifier = ">=6.7.2" },
{ name = "python-docx" },