
missing redis-update in superset 4.0.1 => redis 4.6.0

Open nigzak opened this issue 1 year ago • 1 comment

Bug description

redis was not updated in superset 4.0.1 as it was merged into master: https://github.com/apache/superset/pull/27250

Because of this, some scans show a CVE finding which is fixed with 4.6.0: CVE-2024-34069

Please merge this also in a next 4.x update

How to reproduce the bug

pull image from dockerhub, scan image

Screenshots/recordings

No response

Superset version

4.0.1

Python version

3.9

Node version

16

Browser

Chrome

Additional context

No response

Checklist

  • [X] I have searched Superset docs and Slack and didn't find a solution to my problem.
  • [X] I have searched the GitHub issue tracker and didn't find a similar bug report.
  • [X] I have checked Superset's logs for errors and if I found a relevant Python stacktrace, I included it here as text in the "additional context" section.

nigzak avatar May 21 '24 12:05 nigzak

To address the issue of Redis not being updated to version 4.6.0 in Apache Superset 4.0.1, despite the update being merged into the master branch, we need to ensure that the changes from PR #27250 are included in the next 4.x release.

Steps to Ensure Redis 4.6.0 Update in the Next Release

  1. Verify the Changes in PR #27250:

    • Ensure that the changes in the PR correctly update Redis to version 4.6.0.
    • Confirm that the commit uninstalls the previous version of Redis and installs version 4.6.0.
  2. Check the Dockerfile and Requirements:

    • Ensure that the Dockerfile and requirements files reflect the update to Redis 4.6.0.
    • The Dockerfile should include the necessary commands to install Redis 4.6.0.
  3. Update the Release Branch:

    • Merge the changes from the master branch into the release branch for the next 4.x release.
    • Ensure that the release branch includes the commit from PR #27250.
  4. Run CI/CD Pipeline:

    • Verify that the CI/CD pipeline runs successfully with the updated Redis version.
    • Ensure that all tests pass, including those that involve Redis as a caching backend and message broker for Celery tasks.
  5. Document the Update:

    • Update the CHANGELOG.md file to include the Redis 4.6.0 update and mention the fix for CVE-2024-34069.
    • Ensure that the release notes for the next 4.x release clearly document the update to Redis 4.6.0.

By following these steps, we can ensure that the Redis 4.6.0 update is included in the next 4.x release of Apache Superset, addressing the CVE-2024-34069 vulnerability.


dosubot[bot] avatar May 21 '24 12:05 dosubot[bot]
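As an added example (not Superset's own code or tooling), here is a small Python check for step 2 of the list above and as a source-side counterpart to the image scan the reporter describes: it parses a pip-compile style requirements file and reports any package pinned below a required floor. The sample requirements and the redis pin in them are constructed; the 4.6.0 floor is the version this issue asks for.

```python
import re

# Constructed sample in pip-compile style; the redis pin is a placeholder
# below 4.6.0 and is not taken from the Superset repository.
SAMPLE_REQUIREMENTS = """\
celery==5.3.6
    # via apache-superset
redis[hiredis]==4.5.4
    # via celery
werkzeug==3.0.1
"""

# Version floors the release branch must satisfy; redis is the one this issue asks for.
MIN_VERSIONS = {"redis": "4.6.0"}

# package name, optional [extras], '==', version; '# via' comment lines do not match
PIN_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)(?:\[[^\]]*\])?\s*==\s*(\d[\w.]*)")


def version_key(version: str) -> tuple:
    """'4.10.0' -> (4, 10, 0) so it sorts above '4.6.0'; non-numeric tails like 'rc1' are dropped."""
    parts = []
    for piece in version.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def is_older(pinned: str, floor: str) -> bool:
    """Zero-pad before comparing so '4.6' is not reported as older than '4.6.0'."""
    a, b = version_key(pinned), version_key(floor)
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)) < b + (0,) * (width - len(b))


def parse_pins(text: str) -> dict:
    """Map normalised package name -> pinned version for every '==' pin."""
    pins = {}
    for line in text.splitlines():
        m = PIN_RE.match(line)
        if m:
            pins[m.group(1).lower().replace("_", "-")] = m.group(2)
    return pins


def below_minimum(text: str, minimums: dict) -> list:
    """Return (package, pinned or 'missing', floor) for every floor the pins do not meet."""
    pins = parse_pins(text)
    return [(name, pins.get(name.lower(), "missing"), floor)
            for name, floor in minimums.items()
            if name.lower() not in pins or is_older(pins[name.lower()], floor)]
```

Run `below_minimum(SAMPLE_REQUIREMENTS, MIN_VERSIONS)` against the release branch's pinned requirements file in CI; an empty list means every floor is met, a non-empty one names the pins that still need the bump.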

Closing, as it seems it is not wanted to highlight well-known bugs/CVEs in images which are shown in public repos/Docker Scout.

FYI @michael-s-molina, this is the same behaviour as the other ones you closed, so I closed this also.

nigzak avatar May 23 '24 20:05 nigzak