PyPi: Octue

CVE-2023-23934

Transitive

Safety vulnerability ID: 53404


Created at Feb 14, 2023 Updated at Oct 25, 2024

Advisory

Octue 0.43.3 updates its dependency 'werkzeug' to v2.2.3 to include security fixes.

Affected package

octue

Latest version: 0.60.2

A package providing template applications for data services, and a python SDK to the Octue API.

Affected versions

Fixed versions

Vulnerability changelog

Summary
Make a number of improvements and fixes to message handling when using pull subscriptions. Also update the small amount of testing that interacts with GCP to use a dedicated separate GCP project.

Contents ([558](https://github.com/octue/octue-sdk-python/pull/558))

Enhancements
- Increase number of questions that can be asked concurrently in `Child.ask_multiple` to 32
- Make delivery acknowledgement and maximum heartbeat interval kwargs available in `Child.ask`
- Allow parents to start handling child responses from the first non-missed message (`n + 1`) if the first `n` were missed
- Add question UUID to heartbeat log messages
- Improve `PushSubscriptionCannotBePulled` error message

Fixes
- Mark question as delivered on receipt of first response from child in case the delivery acknowledgement message is missed
- Stop loss of delivered question UUIDs if local metadata file does not yet exist
- Avoid message gap greater than the delivery acknowledgement timeout causing failure to receive child messages
- Allow a start time of zero in message handler

Dependencies
- Update to latest versions of `protobuf` and `werkzeug` to avoid security issues

Operations
- Add terraform configuration for new test project

Refactoring
- Simplify nested conditional
- Minimise code within try/except block in `OrderedMessageHandler`
- Move message recording into `OrderedMessageHandler._handle_message`
- Factor out raising message handling error in message handler
- Rename `OrderedMessageHandler.received_messages` to `handled_messages`

Testing
- Use new URI for Strands JSON schemas in tests
- Use dedicated GCP project for testing services

Resources


Severity Details

CVSS Base Score

LOW 3.5

CVSS v3 Details

LOW 3.5

- Attack Vector (AV): ADJACENT_NETWORK
- Attack Complexity (AC): LOW
- Privileges Required (PR): NONE
- User Interaction (UI): REQUIRED
- Scope (S): UNCHANGED
- Confidentiality Impact (C): NONE
- Integrity Impact (I): LOW
- Availability Impact (A): NONE