update stac, weaver, magpie, twitcher, cowbird - security fixes for EOL Python and http-related libraires #622

fmigneault · 2025-12-19T02:42:08Z

Overview

Update multiple components with corresponding updates of urllib, requests, etc.
At the same time, bump to Python 3.13 versions as applicable.

Changes

Non-breaking changes

STAC API: Security update to version 2.2.0
- relates to docker python 3.13.11 crim-ca/stac-app#65
Weaver: Security update to version 6.8.0
- relates to update python 3.13, mongo 7, urllib, requests, werkzeug across docker and project crim-ca/weaver#868
Cowbird: Security update to version 4.3.0
- relates to Update urllib, requests and Python 3.13 Ouranosinc/cowbird#98
Magpie: Security update to version 4.3.0
- relates to add python 3.13 to CI, project and docker base + security fixes Ouranosinc/Magpie#640
Twitcher: Security update to version 0.11.0
- relates to [Snyk] Security upgrade requests from 2.31.0 to 2.32.4 twitcher#143
- relates to update urllib and requests twitcher#145
- relates to add python 3.13 twitcher#146
Weaver: Update post-docker-compose-up script.
- Handle multiple Magpie cookies in response.
  This can happen depending on specific internal HTTP libraries versions of the services.
  To retain backward/forward compatibility, all cookies returned from Magpie are chained in following curl commands.
- Use birdhouse log utility to report operations produced by the script rather than custom "echo level".
Birdhouse: Allow log <LEVEL> -n ... and log <LEVEL> -p ... to generate log outputs without newline/prefixes.

These options allow writing multiple log entries onto the same line for correct visual rendering of distinct log
calls separated to allow some intermediate logic. The log function invocations with these options respect the
log levels in order to make the messages consistent with enabled redirections and verbosity.

Breaking changes

n/a

CI Operations

birdhouse_daccs_configs_branch: master
birdhouse_skip_ci: false

…OL Python and http-related libraires

crim-jenkins-bot · 2025-12-19T03:03:02Z

E2E Test Results

DACCS-iac Pipeline Results

Build URL : http://daccs-jenkins.crim.ca:80/job/DACCS-iac-birdhouse/3908/
Result 🆘 ABORTED

BIRDHOUSE_DEPLOY_BRANCH : security-updates
DACCS_IAC_BRANCH : master
DACCS_CONFIGS_BRANCH : master
PAVICS_E2E_WORKFLOW_TESTS_BRANCH : master
PAVICS_SDI_BRANCH : master

DESTROY_INFRA_ON_EXIT : true
PAVICS_HOST : https://host-140-91.rdext.crim.ca

⚠️ Infrastructure deployment failed. ⚠️
Instance destroyed due to CI execution.
To debug, launch an instance manually with PR reference security-updates.

fmigneault · 2026-01-08T04:57:00Z

run tests

crim-jenkins-bot · 2026-01-08T05:17:47Z

E2E Test Results

DACCS-iac Pipeline Results

Build URL : http://daccs-jenkins.crim.ca:80/job/DACCS-iac-birdhouse/3940/
Result 🆘 ABORTED

BIRDHOUSE_DEPLOY_BRANCH : security-updates
DACCS_IAC_BRANCH : master
DACCS_CONFIGS_BRANCH : master
PAVICS_E2E_WORKFLOW_TESTS_BRANCH : master
PAVICS_SDI_BRANCH : master

DESTROY_INFRA_ON_EXIT : true
PAVICS_HOST : https://host-140-216.rdext.crim.ca

⚠️ Infrastructure deployment failed. ⚠️
Instance destroyed due to CI execution.
To debug, launch an instance manually with PR reference security-updates.

mishaschwartz

There's a change in the way that magpie creates cookies now that means that weaver cannot connect to magpie in the weaver/post-docker-compose script:

On line 150 of that script you currently have:

cookie_jar=$(echo "${cookie_jar}" | grep -v '# ' | grep -v -e '^$' | grep -v '_\.')

where that last grep filters out lines with _. in them. This was supposed to deal with the fact that magpie was supplying two identical cookies for the domains:

#HttpOnly_.${BIRDHOUSE_FQDN_PUBLIC}
#HttpOnly_${BIRDHOUSE_FQDN_PUBLIC}

Now it seems that magpie is only sending a cookie for the domain with the . (#HttpOnly_.${BIRDHOUSE_FQDN_PUBLIC}) which means that line 150 of weaver/post-docker-compose filters out the only provided cookie and then reports that it cannot connect to Magpie.

I'm not sure what the best solution is but we should either update weaver/post-docker-compose or we should investigate why magpie cookies have changed (was that intentional?)

birdhouse/components/stac/default.env

fmigneault · 2026-01-08T23:20:14Z

@mishaschwartz
Regarding the Cookie issue mentioned in #622 (review)

I think this is caused by internal library changes (pyramid / urllib3) that behave slightly differently, notably when localhost in involved.
I have encountered similar problems when dealing with Cowbird tests:

I guess the fix would be to consider the opposite .-prefixed domain.
Are you seeing this problem with localhost as dev server or using other IPs as well?

fmigneault · 2026-01-08T23:22:20Z

@mishaschwartz @tlvu
I'll do a second pass of updates...
Just as I was finished working on these, yet another urllib3 vulnerability has been identified.

mishaschwartz · 2026-01-09T14:14:04Z

I guess the fix would be to consider the opposite .-prefixed domain.

That would work. If you want to make it a bit more future-proof though you could just include all cookies from the jar. You'd just have to delimit the cookies with a ; so it would look like curl -b "name1=cookievalue1; name2=cookievalue2" and that way we don't have to pick and choose a specific cookie in case there are multiple.

Are you seeing this problem with localhost as dev server or using other IPs as well?

All IPs it looks like, not just on a dev server.

…ookies

…updates

crim-jenkins-bot · 2026-01-10T00:12:51Z

E2E Test Results

DACCS-iac Pipeline Results

Build URL : http://daccs-jenkins.crim.ca:80/job/DACCS-iac-birdhouse/3943/
Result 🆘 ABORTED

BIRDHOUSE_DEPLOY_BRANCH : security-updates
DACCS_IAC_BRANCH : master
DACCS_CONFIGS_BRANCH : master
PAVICS_E2E_WORKFLOW_TESTS_BRANCH : master
PAVICS_SDI_BRANCH : master

DESTROY_INFRA_ON_EXIT : true
PAVICS_HOST : https://host-140-216.rdext.crim.ca

⚠️ Infrastructure deployment failed. ⚠️
Instance destroyed due to CI execution.
To debug, launch an instance manually with PR reference security-updates.

crim-jenkins-bot · 2026-01-10T05:10:40Z

E2E Test Results

DACCS-iac Pipeline Results

Build URL : http://daccs-jenkins.crim.ca:80/job/DACCS-iac-birdhouse/3945/
Result 🆘 ABORTED

BIRDHOUSE_DEPLOY_BRANCH : security-updates
DACCS_IAC_BRANCH : master
DACCS_CONFIGS_BRANCH : master
PAVICS_E2E_WORKFLOW_TESTS_BRANCH : master
PAVICS_SDI_BRANCH : master

DESTROY_INFRA_ON_EXIT : true
PAVICS_HOST : https://host-140-216.rdext.crim.ca

⚠️ Infrastructure deployment failed. ⚠️
Instance destroyed due to CI execution.
To debug, launch an instance manually with PR reference security-updates.

birdhouse/components/stac/default.env

birdhouse/components/magpie/default.env

mishaschwartz

All of the actual component updates are working well! Thanks

The only issues are with the log changes to the weaver post-compose-up script and logging scripts. None of these are deal-breakers but they should be fixed so we can ensure that the logs are written nicely for this script and that the logging documentation is maintained.