Updated notebook-dependencies

exasol · Jan 15, 2025 · a1aa67a · a1aa67a
1 parent cd7bedb
commit a1aa67a
Show file tree

Hide file tree

Showing 2 changed files with 28 additions and 7 deletions.
diff --git a/doc/changes/changes_3.2.0.md b/doc/changes/changes_3.2.0.md
@@ -1,9 +1,30 @@
-# AI-Lab 3.2.0 released ????-??-??
+# AI-Lab 3.2.0 released 2025-??-??
 
-Code name:
+Code name: Additional Updates on top of 3.1.0
 
 ## Summary
 
+This release updates dependencies and fixes security vulnerabilities on top of 3.1.0.
+
+Fixed vulnerabilities:
+
+* Vulnerabilities in direct dependency `jinja2` version 3.1.4
+  * [#50](https://github.com/exasol/ai-lab/security/dependabot/#50) Moderate: Jinja has a sandbox breakout through malicious filenames Moderate
+  * [#49](https://github.com/exasol/ai-lab/security/dependabot/#49) Moderate: Jinja has a sandbox breakout through indirect reference to format method Moderate
+* Vulnerabilities in transitive dependency `ansible-core` via `ansible`:
+  * [#44](https://github.com/exasol/ai-lab/security/dependabot/44) Moderate, affects versions < 2.17.6, ansible-core Incorrect Authorization vulnerability Moderate
+  * [#47](https://github.com/exasol/ai-lab/security/dependabot/47) Low, affects versions < 2.17.7: Ansible-Core vulnerable to content protections bypass Low
+* Vulnerabilities in transitive testing dependency `tornado` version 6.4.1 via `pytest-check-links`,  `nbconvert`, `nbclient`, `jupyter-client`:
+  * [#46](https://github.com/exasol/ai-lab/security/dependabot/#46) High: Tornado has an HTTP cookie parsing DoS vulnerability High
+
+Accepted vulnerabilities:
+
+* Vulnerabilities in transitive testing dependency `python-jose` version 3.3.0 via `localstack` as there is no newer version available.
+  * [#31](https://github.com/exasol/ai-lab/security/dependabot/31) Critical: python-jose algorithm confusion with OpenSSH ECDSA keys Critical
+  * [#32](https://github.com/exasol/ai-lab/security/dependabot/#32) Moderate: python-jose denial of service via compressed JWE content Moderate
+* Vulnerabilities in transitive dependency `ansible-core` 2.17.7 version via `ansible` as there is no newer version available.
+  * [#43](https://github.com/exasol/ai-lab/security/dependabot/43) High: Ansible vulnerable to Insertion of Sensitive Information into Log File High
+
 ## Security Issues
 
 * #346: Dependency upgrade

diff --git a/exasol/ds/sandbox/runtime/ansible/roles/jupyter/files/notebook_requirements.txt b/exasol/ds/sandbox/runtime/ansible/roles/jupyter/files/notebook_requirements.txt
@@ -1,8 +1,8 @@
-scikit-learn==1.5.1 # required for notebook sklearn
-matplotlib==3.7.4 # required for notebook sklearn
-jupysql==0.10.16 # required for multiple notebooks
+scikit-learn==1.6.1 # required for notebook sklearn
+matplotlib==3.10.0 # required for notebook sklearn
+jupysql==0.10.17 # required for multiple notebooks
 stopwatch.py>=2.0.1 # also required by ITDE
-exasol-notebook-connector==0.3.0
+exasol-notebook-connector==0.4.0
 pickleshare==0.7.5 # See https://github.com/exasol/ai-lab/issues/291 for details.
 ipyfilechooser==0.6.0 # required for SLC notebooks
-ipywidgets==8.1.1 # enable interactive Javascript widgets in the notebooks
+ipywidgets==8.1.5 # enable interactive Javascript widgets in the notebooks