Add a Changelog for #6063

arm4b · arm4b · commit 8d4d16af39c8 · 2023-11-13T11:10:47.000Z
diff --git a/CHANGELOG.rst b/CHANGELOG.rst
@@ -30,6 +30,8 @@ Fixed
 * Bumped `eventlet` to `0.33.3` and `gunicorn` to `21.2.0` to fix `RecursionError` bug in setting `SSLContext` `minimum_version` property. #6061
   Contributed by @jk464
 
+* Update version 3.1.15 of ``gitpython`` to 3.1.18 for py3.6 and to 3.1.37 for py3.8 (security). #6063
+
 Added
 ~~~~~
 
diff --git a/fixed-requirements.txt b/fixed-requirements.txt
@@ -12,6 +12,8 @@ cryptography==39.0.1
 # depend on rely
 eventlet==0.33.3
 flex==6.14.1
+# Note: installs gitpython==3.1.37 (security fixed) under py3.8 and gitpython==3.1.18 (latest available, vulnerable) under py3.6
+# TODO: Pin to 3.1.37 or higher after dropping python3.6 support
 gitpython<=3.1.37
 # Needed by gitpython, old versions used to bundle it
 gitdb==4.0.2
