
BB2-675-Bump-urllib3-to-1.26.5 #941

Merged
Merged 1 commit into master from jfuqian/BB2-675-Bump-urllib3-to-1.26.5 on Jun 16, 2021

Conversation

@JFU-GIT JFU-GIT commented Jun 14, 2021

JIRA Ticket:
BB2-675

User Story or Bug Summary:

Moderate vulnerability detected:

GHSA-q2q7-5pp4-w6pg
moderate severity
Vulnerable versions: < 1.26.5
Patched version: 1.26.5
Impact
When provided with a URL containing many @ characters in the authority component the authority regular expression exhibits catastrophic backtracking causing a denial of service if a URL were passed as a parameter or redirected to via an HTTP redirect.

Patches
The issue has been fixed in urllib3 v1.26.5.

References
CVE-2021-33503
urllib3 v1.26.5

A/C:

urllib3 updated to 1.26.5 or above

What Does This PR Do?

Upgrade urllib3 to 1.26.5
update requirements.txt etc.
update vendor'd entries

What Should Reviewers Watch For?

If you're reviewing this PR, please check these things, in particular:

  • TODO

What Security Implications Does This PR Have?

Submitters should complete the following questionnaire:

  • If the answer to any of the questions below is Yes, then here's a link to the associated Security Impact Assessment (SIA), security checklist, or other similar document in Confluence: N/A.
    • Does this PR add any new software dependencies? No.
    • Does this PR modify or invalidate any of our security controls? No.
    • Does this PR store or transmit data that was not stored or transmitted before? No.
  • If the answer to any of the questions below is Yes, then please add @StewGoin as a reviewer, and note that this PR should not be merged unless/until he also approves it.
    • Do you think this PR requires additional review of its security implications for other reasons? No.

What Needs to Be Merged and Deployed Before this PR?

None

This PR cannot be either merged or deployed until the following pre-requisite changes have been fully deployed:

  • CMSgov/some_repo#42

Submitter Checklist

I have gone through and verified that...:

  • This PR is reasonably limited in scope, to help ensure that:
    1. It doesn't unnecessarily tie a bunch of disparate features, fixes, refactorings, etc. together.
    2. There isn't too much of a burden on reviewers.
    3. Any problems it causes have a small "blast radius".
    4. It'll be easier to rollback if that becomes necessary.
  • I have named this PR and its branch such that they'll automatically be linked to the (most) relevant Jira issue, per: https://confluence.atlassian.com/adminjiracloud/integrating-with-development-tools-776636216.html.
  • This PR includes any required documentation changes, including README updates and changelog / release notes entries.
  • All new and modified code is appropriately commented, such that the what and why of its design would be reasonably clear to engineers, preferably ones unfamiliar with the project.
  • All tech debt and/or shortcomings introduced by this PR are detailed in TODO and/or FIXME comments, which include a JIRA ticket ID for any items that require urgent attention.
  • Reviews are requested from both:
    • At least two other engineers on this project, at least one of whom is a senior engineer or owns the relevant component(s) here.
    • Any relevant engineers on other projects (e.g. BFD, SLS, etc.).
  • Any deviations from the other policies in the DASG Engineering Standards are specifically called out in this PR, above.
    • Please review the standards every few months to ensure you're familiar with them.

@njdister

@JFU-GIT Why are there boto and S3 updates in here? Is this a required dependency of the urllib3 update?

JFU-GIT commented Jun 14, 2021

@JFU-GIT Why are there boto and S3 updates in here? Is this a required dependency of the urllib3 update?

Both boto and requests depend on urllib3, and if the boto and requests versions are kept unchanged, the install cannot find a urllib3 that satisfies both boto and requests and is at or above the required version 1.26.5:

Could not find a version that matches urllib3<1.26,<1.27,==1.26.5,>=1.20,>=1.21.1 (from -r requirements/requirements.in (line 19))
Tried: 0.3, 1.0, 1.0.1, 1.0.2, 1.1, 1.2, 1.2.1, 1.2.2, 1.3, 1.4, 1.5, 1.6, 1.7, 1.7.1, 1.8, 1.8.2, 1.8.3, 1.9, 1.9.1, 1.10, 1.10.1, 1.10.2, 1.10.3, 1.10.4, 1.11, 1.11, 1.12, 1.12, 1.13, 1.13, 1.13.1, 1.13.1, 1.14, 1.14, 1.15, 1.15, 1.15.1, 1.15.1, 1.16, 1.16, 1.17, 1.17, 1.18, 1.18, 1.18.1, 1.18.1, 1.19, 1.19, 1.19.1, 1.19.1, 1.20, 1.20, 1.21, 1.21, 1.21.1, 1.21.1, 1.22, 1.22, 1.23, 1.23, 1.24, 1.24, 1.24.1, 1.24.1, 1.24.2, 1.24.2, 1.24.3, 1.24.3, 1.25, 1.25, 1.25.1, 1.25.1, 1.25.2, 1.25.2, 1.25.3, 1.25.3, 1.25.4, 1.25.4, 1.25.5, 1.25.5, 1.25.6, 1.25.6, 1.25.7, 1.25.7, 1.25.8, 1.25.8, 1.25.9, 1.25.9, 1.25.10, 1.25.10, 1.25.11, 1.25.11, 1.26.0, 1.26.0, 1.26.1, 1.26.1, 1.26.2, 1.26.2, 1.26.3, 1.26.3, 1.26.4, 1.26.4, 1.26.5, 1.26.5
There are incompatible versions in the resolved dependencies:
urllib3==1.26.5 (from -r requirements/requirements.in (line 19))
urllib3<1.27,>=1.21.1 (from requests==2.25.1->-r requirements/requirements.in (line 18))
urllib3<1.26,>=1.20 (from botocore==1.12.253->boto3==1.9.86->-r requirements/requirements.in (line 29))

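The advisory in the PR description gives a vulnerable range (< 1.26.5) and the pip-compile output above gives three constraints on urllib3 that cannot all hold at once. The following is an added example, not code from this repository: a small constraint checker that (a) tests a pinned urllib3 version against the advisory range, as the A/C asks, and (b) replays the resolver conflict to name the requirement that excludes the 1.26.5 pin. The specifier strings are copied from the pip-compile output; the candidate version list is a constructed subset of the "Tried:" list, and all function and constant names are hypothetical.

```python
"""Check a urllib3 pin against GHSA-q2q7-5pp4-w6pg and replay the pip-compile conflict.

Added example, not from the bluebutton repository. Specifier strings are copied
from the pip-compile output in this PR; CANDIDATES is a constructed subset.
"""
import re
from typing import Dict, Iterable, List, Tuple

Version = Tuple[int, ...]

# Accepts the PEP 440 operators that appear in the output above; no wildcards or '~='.
SPEC_RE = re.compile(r"^(==|>=|<=|>|<|!=)\s*([0-9][0-9.]*)$")

def parse_version(s: str) -> Version:
    """'1.26.5' -> (1, 26, 5); '1.27' is padded to (1, 27, 0) so comparisons line up."""
    parts = tuple(int(p) for p in s.strip().split("."))
    return parts + (0,) * (3 - len(parts))

def satisfies(version: str, specifier: str) -> bool:
    """True if version meets every comma-separated clause, e.g. '<1.27,>=1.21.1'."""
    v = parse_version(version)
    for clause in specifier.split(","):
        m = SPEC_RE.match(clause.strip())
        if not m:
            raise ValueError(f"unsupported specifier clause: {clause!r}")
        op, bound = m.group(1), parse_version(m.group(2))
        ok = {
            "==": v == bound, "!=": v != bound,
            ">=": v >= bound, "<=": v <= bound,
            ">": v > bound, "<": v < bound,
        }[op]
        if not ok:
            return False
    return True

# Vulnerable range stated in the advisory quoted in the PR description.
ADVISORY_VULNERABLE = "<1.26.5"

def is_vulnerable(installed_urllib3: str) -> bool:
    """A/C check: the installed urllib3 must be 1.26.5 or above."""
    return satisfies(installed_urllib3, ADVISORY_VULNERABLE)

def resolvable(candidates: Iterable[str], requirements: Dict[str, str]) -> List[str]:
    """Candidate versions that satisfy every requirement at the same time."""
    return [c for c in candidates if all(satisfies(c, spec) for spec in requirements.values())]

# Constraints exactly as pip-compile reported them before boto3/botocore were bumped.
BEFORE_BUMP: Dict[str, str] = {
    "requirements.in": "==1.26.5",
    "requests==2.25.1": "<1.27,>=1.21.1",
    "botocore==1.12.253": "<1.26,>=1.20",
}
# Constructed subset of the resolver's 'Tried:' list; enough to show the conflict.
CANDIDATES = ["1.25.11", "1.26.0", "1.26.4", "1.26.5"]

def explain_conflict(requirements: Dict[str, str], candidates: Iterable[str] = CANDIDATES) -> List[str]:
    """Names the requirement(s) that exclude the '==' pin, or [] if everything resolves."""
    pinned = [spec[2:] for spec in requirements.values() if spec.startswith("==")]
    if resolvable(candidates, requirements):
        return []
    return [name for name, spec in requirements.items()
            if pinned and not satisfies(pinned[0], spec)]

if __name__ == "__main__":
    print("1.26.4 vulnerable:", is_vulnerable("1.26.4"))   # True
    print("1.26.5 vulnerable:", is_vulnerable("1.26.5"))   # False
    print("pin blocked by:", explain_conflict(BEFORE_BUMP))  # ['botocore==1.12.253']
```

Running it reproduces the resolver's verdict: the `==1.26.5` pin is compatible with the requests constraint but not with botocore's `<1.26` upper bound, which is why the botocore/boto3 pins had to move along with urllib3 rather than being left at their previous versions.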
@JFU-GIT JFU-GIT added dependencies Pull requests that update a dependency file Medium Medium Priority For Reviewing labels Jun 14, 2021
@njdister

@JFU-GIT Ok, we will need to test S3 (logo uploads) and SES (account emails) integration in the test environment before merging.

@nbragdon nbragdon left a comment

Once this passes the testing that @njdister mentioned in the Test env, it looks good to me

@JFU-GIT JFU-GIT merged commit 5b7f1f3 into master Jun 16, 2021
@JFU-GIT JFU-GIT deleted the jfuqian/BB2-675-Bump-urllib3-to-1.26.5 branch June 16, 2021 20:07
@oragame oragame left a comment

Looks good!
