fix(horizon): fix cves in image
diff --git a/images/base/Earthfile b/images/base/Earthfile
index 89449e0..8d3c3b4 100644
--- a/images/base/Earthfile
+++ b/images/base/Earthfile
@@ -1,5 +1,9 @@
 VERSION 0.7
 
 image:
-  FROM ubuntu:jammy
+  FROM ubuntu:jammy-20240111
   LABEL org.opencontainers.image.source=https://github.com/vexxhost/atmosphere
+  # TODO(mnaser): Remove this when a new image that includes 1.4.0-11ubuntu2.4 is released.
+  #               https://avd.aquasec.com/nvd/cve-2024-22365
+  DO ../+APT_INSTALL \
+    --PACKAGES "libpam0g libpam-modules libpam-modules-bin libpam-runtime"
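Review bot: The added `DO ../+APT_INSTALL` names the four PAM packages without a version, so nothing in the build asserts that the fixed 1.4.0-11ubuntu2.4 from the TODO is what actually gets installed; a stale or mirrored apt index would let the step pass with the affected build. If the helper passes package specs straight to apt (its definition is outside this diff), pin them, e.g. `--PACKAGES "libpam0g=1.4.0-11ubuntu2.4 libpam-modules=1.4.0-11ubuntu2.4 ..."`, or follow the install with a `dpkg-query -W libpam0g` check. Separately, `ubuntu:jammy-20240111` is still a mutable tag, while this commit pins other images by digest in roles/defaults/vars/main.yml. `FROM ubuntu:jammy-20240111@sha256:<BASE_IMAGE_DIGEST>` would make the base equally reproducible.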
diff --git a/images/openstack-service/Earthfile b/images/openstack-service/Earthfile
index dce33cb..11fb292 100644
--- a/images/openstack-service/Earthfile
+++ b/images/openstack-service/Earthfile
@@ -43,6 +43,11 @@
   END
   GIT CLONE --branch ${BRANCH} https://github.com/openstack/requirements /src
   RUN \
+    sed -i 's/cryptography===40.0.2/cryptography===41.0.7/' /src/upper-constraints.txt && \
+    sed -i 's/Django===3.2.18/Django===3.2.23/' /src/upper-constraints.txt && \
+    sed -i 's/pyOpenSSL===23.1.1/pyOpenSSL===23.3.0/' /src/upper-constraints.txt && \
+    sed -i 's/requests===2.28.2/requests===2.31.0/' /src/upper-constraints.txt && \
+    sed -i 's/urllib3===1.26.15/urllib3===1.26.18/' /src/upper-constraints.txt && \
     sed -i '/glance-store/d' /src/upper-constraints.txt && \
     sed -i '/horizon/d' /src/upper-constraints.txt
   SAVE ARTIFACT /src/upper-constraints.txt
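Review bot: The five added `sed -i 's/old/new/'` lines succeed even when the old pin is not found, so if upstream's upper-constraints.txt for `${BRANCH}` carries a different version, the substitution silently does nothing and the image ships whatever upstream pins, with no build failure to signal that the CVE fix was skipped. I would assert the result before `SAVE ARTIFACT`, one check per package, e.g. `grep -q '^urllib3===1.26.18' /src/upper-constraints.txt`, chained with `&&` so a missing pin fails the build. The dots in the patterns are also unescaped regex wildcards; this is harmless here but worth escaping (`40\.0\.2`) if the list grows. A short comment naming the advisory behind each bump, as the base Earthfile does for PAM, would tell the next maintainer when each override can be dropped.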
@@ -65,7 +70,7 @@
     python3-pip \
     python3-venv"
   RUN --mount type=cache,target=/root/.cache \
-    python3 -m venv --upgrade --system-site-packages /var/lib/openstack
+    python3 -m venv --upgrade-deps --system-site-packages /var/lib/openstack
   COPY \
     (+requirements/upper-constraints.txt --RELEASE=${RELEASE}) \
     /upper-constraints.txt
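Review bot: Switching the venv call to `--upgrade-deps` makes the build fetch whatever pip and setuptools are newest on PyPI at build time, so the versions baked into the image are neither pinned nor governed by upper-constraints.txt, and two builds of the same commit can differ. If the intent is to clear scanner findings on the bundled pip/setuptools, I would pin them explicitly: `python3 -m venv --system-site-packages /var/lib/openstack && /var/lib/openstack/bin/pip install --upgrade pip==<PINNED_PIP_VERSION> setuptools==<PINNED_SETUPTOOLS_VERSION>`. The change also drops `--upgrade`, which only matters if `/var/lib/openstack` can already exist at this point. That is not visible from the hunk, which starts mid-instruction. Either way, a one-line comment stating why the deps are upgraded here would help.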
diff --git a/roles/defaults/vars/main.yml b/roles/defaults/vars/main.yml
index 5f72712..93ec813 100644
--- a/roles/defaults/vars/main.yml
+++ b/roles/defaults/vars/main.yml
@@ -68,8 +68,8 @@
   heat_engine_cleaner: ghcr.io/vexxhost/atmosphere/heat:2023.2@sha256:1b4c0f4338fbc22828d032b27a0caf4c167a3a3c5c964d9c99efb4a68572e6e3
   heat_engine: ghcr.io/vexxhost/atmosphere/heat:2023.2@sha256:1b4c0f4338fbc22828d032b27a0caf4c167a3a3c5c964d9c99efb4a68572e6e3
   heat_purge_deleted: ghcr.io/vexxhost/atmosphere/heat:2023.2@sha256:1b4c0f4338fbc22828d032b27a0caf4c167a3a3c5c964d9c99efb4a68572e6e3
-  horizon_db_sync: ghcr.io/vexxhost/atmosphere/horizon:2023.2@sha256:4db3ed10fed0204a89f682c8cc0ea28bcd259e2d7537c7e51bcf9db69b1c7a9d
-  horizon: ghcr.io/vexxhost/atmosphere/horizon:2023.2@sha256:4db3ed10fed0204a89f682c8cc0ea28bcd259e2d7537c7e51bcf9db69b1c7a9d
+  horizon_db_sync: ghcr.io/vexxhost/atmosphere/horizon:2023.2@sha256:c1b0d1b55a1f0286445e6676123cf02e315bf362578d1169615630908b4d7851
+  horizon: ghcr.io/vexxhost/atmosphere/horizon:2023.2@sha256:c1b0d1b55a1f0286445e6676123cf02e315bf362578d1169615630908b4d7851
   ingress_nginx_controller: registry.k8s.io/ingress-nginx/controller:v1.1.1@sha256:e16123f3932f44a2bba8bc3cf1c109cea4495ee271d6d16ab99228b58766d3ab
   ingress_nginx_default_backend: registry.k8s.io/defaultbackend-amd64:1.5@sha256:4dc5e07c8ca4e23bddb3153737d7b8c556e5fb2f29c4558b7cd6e6df99c512c7
   ingress_nginx_kube_webhook_certgen: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v1.1.1@sha256:23a03c9c381fba54043d0f6148efeaf4c1ca2ed176e43455178b5c5ebf15ad70 # noqa: yaml[line-length]