CVE updates for Action Server v2.17.1 (#308)

* CVE updates for Action Server v2.17.1
* Blocking use of TLSv1x (https://docs.python.org/3/library/ssl.html#ssl.OP_NO_TLSv1)

Author: kariharju

.github/workflows/action_server_frontend_tests.yml

@@ -8,6 +8,9 @@ on:
       - "action_server/frontend/**"
       - ".github/workflows/action_server_frontend_tests.yml"
 
+permissions:
+  contents: read
+
 defaults:
   run:
     working-directory: "./action_server/frontend"

action_server/docs/CHANGELOG.md

@@ -2,6 +2,10 @@
 
 ## Unreleased
 
+## 2.17.1 - 2025-12-04
+
+- CVE updates
+
 ## 2.17.0 - 2025-11-13
 
 - Dependency updates

action_server/frontend/package-lock.json

@@ -1,6 +1,6 @@
 [tool.poetry]
 name = "sema4ai-action-server"
-version = "2.17.0"
+version = "2.17.1"
 description = """Sema4AI Action Server"""
 authors = [
 	"Sema4.ai, Inc. <dev@sema4.ai>",

action_server/poetry.lock

@@ -1,6 +1,6 @@
 from typing import List
 
-__version__ = "2.17.0"
+__version__ = "2.17.1"
 version_info = [int(x) for x in __version__.split(".")]
 
 __all__: List[str] = []

action_server/pyproject.toml

@@ -106,6 +106,13 @@ def _wrap_socket(
         raise ValueError("certfile must be specified")
     context = SSLContext(ssl.PROTOCOL_TLS_SERVER)
     context.verify_mode = ssl.VerifyMode.CERT_NONE
+    # Ensure only TLSv1.2 and newer are accepted
+    if hasattr(context, "minimum_version"):
+        context.minimum_version = ssl.TLSVersion.TLSv1_2
+    else:
+        # Fallback for older Python: explicitly disable TLSv1 and TLSv1_1
+        context.options |= getattr(ssl, "OP_NO_TLSv1", 0)
+        context.options |= getattr(ssl, "OP_NO_TLSv1_1", 0)
     if certfile:
         context.load_cert_chain(certfile, keyfile)
     return context.wrap_socket(