From 1c6659efa3d83524f61c80ef426cc0f0c1fa4908 Mon Sep 17 00:00:00 2001
From: Maxi Wittich
Date: Fri, 17 May 2024 15:24:08 +0200
Subject: [PATCH 1/3] Update Flask-appbuilder and gevent

---
 superset/constraints-3.1.0.txt | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/superset/constraints-3.1.0.txt b/superset/constraints-3.1.0.txt
index 75b1c7f9c..0735dcbf9 100644
--- a/superset/constraints-3.1.0.txt
+++ b/superset/constraints-3.1.0.txt
@@ -98,7 +98,8 @@ flask==2.2.5
 # flask-session
 # flask-sqlalchemy
 # flask-wtf
-flask-appbuilder==4.3.10
+# Bumping to 4.3.11 to get rid of CVE-2024-25128
+flask-appbuilder==4.3.11
 # via apache-superset
 flask-babel==1.0.0
 # via flask-appbuilder
@@ -134,7 +135,9 @@ geographiclib==1.52
 # via geopy
 geopy==2.2.0
 # via apache-superset
-greenlet==2.0.2
+# Letting python decide which greenlet version to compile at
+# since we diverge from the vendor to fix CVE's
+# greenlet==3.0.0
 # via
 # shillelagh
 # sqlalchemy
@@ -383,7 +386,9 @@ zipp==3.15.0
 # importlib-metadata
 # importlib-resources
 # from https://github.com/apache/superset/blob/3.1.0/requirements/docker.txt
-gevent==22.10.2
+# Bumped to latest version to get rid of
+# CVE-2023-41419
+gevent==24.2.1
 # via -r requirements/docker.in
 psycopg2-binary==2.9.6
 # via apache-superset

From d722a725bf0c86dc3278759217e761881863e423 Mon Sep 17 00:00:00 2001
From: Maxi Wittich
Date: Fri, 17 May 2024 15:31:16 +0200
Subject: [PATCH 2/3] Updating CHANGELOG.md

---
 CHANGELOG.md | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 1bfd19cca..fee341154 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
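Review bot: Commenting out the pin in the second hunk (`# greenlet==3.0.0`) leaves greenlet with no constraint at all, so every image build resolves whatever greenlet pip selects for gevent 24.2.1 on that day, and the constraints file stops being reproducible for exactly the C extension gevent links against. If the intent is only to let gevent's own greenlet requirement override the vendor pin, record the version the build actually resolved, `greenlet==<resolved-version>` (placeholder), together with the note on why it diverges from upstream, so a later rebuild cannot silently pull in a different release. The wording is also off: it is pip, not Python, that does the resolving, and `CVE's` should be `CVEs`; `# Letting pip resolve greenlet to a version compatible with gevent 24.2.1, since we diverge from the vendor pins to fix CVEs` says what is meant.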
@@ -20,6 +20,7 @@ All notable changes to this project will be documented in this file.
 - hdfs: Exclude YARN and Mapreduce projects from build ([#667]).
 - stackable-base: Mitigate CVE-2023-37920 by removing e-Tugra root certificates ([#673]).
 - hdfs: Exclude unused jars and mitigate snappy-java CVEs by bumping dependency ([#682]).
+- superset: Updating Flask-AppBuilder and gevent, remove greenlet from 3.1.0-constrains.txt to mitigate CVE-2024-25128 and CVE-2023-41419 ([#686])
 
 ### Changed
 
@@ -81,6 +82,7 @@ All notable changes to this project will be documented in this file.
 [#678]: https://github.com/stackabletech/docker-images/pull/678
 [#679]: https://github.com/stackabletech/docker-images/pull/679
 [#682]: https://github.com/stackabletech/docker-images/pull/682
+[#686]: https://github.com/stackabletech/docker-images/pull/686
 
 ## [24.3.0] - 2024-03-20
 

From 6aba8d7a2b9d5d7e936c3d27583a0c092dc4862e Mon Sep 17 00:00:00 2001
From: Maxi Wittich
Date: Mon, 27 May 2024 09:54:22 +0200
Subject: [PATCH 3/3] Added versions we bumped from

---
 superset/constraints-3.1.0.txt | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/superset/constraints-3.1.0.txt b/superset/constraints-3.1.0.txt
index 0735dcbf9..b0cd6b393 100644
--- a/superset/constraints-3.1.0.txt
+++ b/superset/constraints-3.1.0.txt
@@ -98,7 +98,7 @@ flask==2.2.5
 # flask-session
 # flask-sqlalchemy
 # flask-wtf
-# Bumping to 4.3.11 to get rid of CVE-2024-25128
+# Bumping 4.3.10 -> 4.3.11 to get rid of CVE-2024-25128
 flask-appbuilder==4.3.11
 # via apache-superset
 flask-babel==1.0.0
@@ -137,7 +137,7 @@ geopy==2.2.0
 # via apache-superset
 # Letting python decide which greenlet version to compile at
 # since we diverge from the vendor to fix CVE's
-# greenlet==3.0.0
+# greenlet==2.0.2
 # via
 # shillelagh
 # sqlalchemy
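Review bot: In the second hunk of patch 3, `# greenlet==2.0.2` now reads like a commented-out pin that a maintainer could re-enable, while the commit subject says it is meant to record the version bumped from; make that explicit so the line cannot be mistaken for the intended target, `# vendor pin was greenlet==2.0.2; left unconstrained so pip resolves a greenlet compatible with gevent 24.2.1`. The two explanatory lines above it are unchanged context in this hunk, so the "python decides" wording and `CVE's` remain as they were.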
@@ -386,7 +386,7 @@ zipp==3.15.0
 # importlib-metadata
 # importlib-resources
 # from https://github.com/apache/superset/blob/3.1.0/requirements/docker.txt
-# Bumped to latest version to get rid of
+# Bumped 22.10.2 -> 24.2.1 version to get rid of
 # CVE-2023-41419
 gevent==24.2.1
 # via -r requirements/docker.in
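Review bot: The word `version` is left dangling in the rewritten comment line, a leftover from the previous `to latest version` wording; `# Bumped 22.10.2 -> 24.2.1 to get rid of` reads cleanly and matches the form used for flask-appbuilder in the first hunk of this patch.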