superset 4.0.1 uses Gunicorn 21.2.0 with CVE => should update to 22.0.0
Bug description
The current Superset 4.0.1 image has a CVE finding, CVE-2024-1135.
It should be updated to v22.0.0 (or newer).
How to reproduce the bug
Download the v4.0.1 image from Docker Hub and scan the image.
Screenshots/recordings
No response
Superset version
4.0.1
Python version
3.9
Node version
16
Browser
Chrome
Additional context
No response
Checklist
- [X] I have searched Superset docs and Slack and didn't find a solution to my problem.
- [X] I have searched the GitHub issue tracker and didn't find a similar bug report.
- [X] I have checked Superset's logs for errors and if I found a relevant Python stacktrace, I included it here as text in the "additional context" section.
To address the CVE-2024-1135 security issue in the Superset 4.0.1 image by updating Gunicorn to version 22.0.0 or newer, you need to modify the Dockerfile and the pyproject.toml file. Here are the steps to update the necessary files:
Dockerfile
Update the Dockerfile to install Gunicorn 22.0.0. Here is the relevant snippet:
```dockerfile
RUN --mount=type=cache,target=/root/.cache/pip \
    apt-get update -qq && apt-get install -yqq --no-install-recommends \
        build-essential \
    && pip install --upgrade setuptools pip \
    && pip install -r requirements/base.txt \
    && pip install gunicorn==22.0.0 \
    && apt-get autoremove -yqq --purge build-essential \
    && rm -rf /var/lib/apt/lists/*
```
pyproject.toml
Ensure that the pyproject.toml file specifies the correct version of Gunicorn:
```toml
dependencies = [
    "gunicorn>=22.0.0; sys_platform != 'win32'",
]
```
These modifications ensure that Gunicorn 22.0.0 or newer is installed in the final image, addressing the CVE-2024-1135 security issue.
Sources
- Dockerfile
- pyproject.toml
- superset-frontend/package.json
- superset-websocket/package.json
- .github/workflows/docker.yml
- .github/workflows/release.yml
- .github/workflows/tag-release.yml
- docs/docs/contributing/contributing.mdx
- CONTRIBUTING.md
- docs/docs/contributing/guidelines.mdx
Hi @nigzak. Please follow the instructions on Reporting Security Vulnerabilities. There's also this warning in the issue template:
🚨 Reporting a security issue: send an email to [email protected]. DO NOT USE GITHUB ISSUES TO REPORT SECURITY PROBLEMS.
Hi @michael-s-molina, this is not an "unknown" or "new" CVE as if I had found a security bug. This is publicly visible to anyone who opens the image with Docker Scout.
Because of this it is not "confidential" or "critical" information, as it is easily visible; you also see it as a warning if you push it to almost any ECR repository...
I have never ever pushed an "I found a new unknown security issue" in Git like this, only known "you should update" info like this. I thought in this case this is fine... If you say I need to send it per e-mail, I can also do that, but as written it is not "secure" or hard to get this info; it is very, very simple, and normally ALL users who use any image see this in the ECR scan in their repos (as an example in AWS).
Thanks for the additional context @nigzak.
@dpgaspar do you think this can be a GitHub issue or should it be reported via [email protected]?
The bump was already merged to master here: https://github.com/apache/superset/commit/4f693c6db0dc5c7286a36b8d23e90541943ff13f
Unfortunately our 4.0.1 had an upper constraint on 22.
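The two comments above describe the fix (pin or require Gunicorn 22.0.0 or newer) and why 4.0.1 could not pick it up (an upper constraint below 22). The following script is an added example, not code from the Superset project or from anyone in this thread. It checks whether a requirement line can ever resolve to the fixed Gunicorn release and whether a given installed version is still affected. It implements only a small subset of PEP 440 (plain `X.Y.Z` versions and the operators `==`, `!=`, `>=`, `<=`, `>`, `<`) instead of depending on the `packaging` library, so it runs offline; the requirement strings and the release list are constructed for illustration and are not the project's actual constraints.

```python
"""Check whether a dependency constraint admits the Gunicorn release that fixes
CVE-2024-1135, and whether an installed version is still affected.

Added example; not Superset project code. Minimal PEP 440 subset only.
"""

import re

# Fixed release named in the issue above.
GUNICORN_FIXED_VERSION = "22.0.0"

_SPEC_RE = re.compile(r"^\s*(==|!=|>=|<=|>|<)\s*([0-9]+(?:\.[0-9]+)*)\s*$")


def parse_version(text: str) -> tuple:
    """Turn '21.2.0' into (21, 2, 0); shorter versions are zero-padded so
    that '22' and '22.0.0' compare equal."""
    parts = [int(p) for p in text.strip().split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def parse_requirement(req: str) -> tuple:
    """Split e.g. "gunicorn>=21.2.0,<22; sys_platform != 'win32'" into the
    package name and a list of (operator, version) clauses. The environment
    marker after ';' is ignored for this check."""
    req = req.split(";", 1)[0].strip()
    m = re.match(r"^([A-Za-z0-9._-]+)\s*(.*)$", req)
    if not m:
        raise ValueError(f"cannot parse requirement: {req!r}")
    name, spec = m.group(1), m.group(2).strip()
    clauses = []
    if spec:
        for clause in spec.split(","):
            cm = _SPEC_RE.match(clause)
            if not cm:
                raise ValueError(f"unsupported specifier clause: {clause!r}")
            clauses.append((cm.group(1), parse_version(cm.group(2))))
    return name, clauses


_OPS = {
    "==": lambda v, w: v == w,
    "!=": lambda v, w: v != w,
    ">=": lambda v, w: v >= w,
    "<=": lambda v, w: v <= w,
    ">": lambda v, w: v > w,
    "<": lambda v, w: v < w,
}


def version_allowed(version: str, clauses: list) -> bool:
    """True if every clause of the specifier accepts the version."""
    v = parse_version(version)
    return all(_OPS[op](v, w) for op, w in clauses)


def is_vulnerable(installed_version: str) -> bool:
    """An installed Gunicorn older than the fixed release is affected."""
    return parse_version(installed_version) < parse_version(GUNICORN_FIXED_VERSION)


def constraint_admits_fix(req: str, candidates: list) -> dict:
    """Report which of the available releases a requirement line lets the
    resolver pick, and whether any of them is the fixed release or newer.
    A constraint with an upper bound below 22 can never resolve to the
    patched Gunicorn, however current the package index is."""
    name, clauses = parse_requirement(req)
    allowed = [c for c in candidates if version_allowed(c, clauses)]
    return {
        "package": name,
        "allowed": allowed,
        "admits_fix": any(not is_vulnerable(c) for c in allowed),
    }


# Constructed sample: release versions a resolver might see on the index.
SAMPLE_RELEASES = ["20.1.0", "21.2.0", "22.0.0"]

if __name__ == "__main__":
    # Constructed constraint with an upper bound below 22, beside the
    # lower bound the suggested fix uses.
    for req in ["gunicorn>=21.2.0,<22; sys_platform != 'win32'",
                "gunicorn>=22.0.0; sys_platform != 'win32'"]:
        print(req, "->", constraint_admits_fix(req, SAMPLE_RELEASES))
    print("21.2.0 vulnerable:", is_vulnerable("21.2.0"))
```

Running it shows the first (constructed) constraint only ever admits 21.2.0, so rebuilding the image would not remove the finding, while the `>=22.0.0` line admits the fixed release. The same `is_vulnerable` check can be run against the output of `pip show gunicorn` inside a built image to confirm the scanner finding is gone.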
Hi @dpgaspar
Thanks for this hint. There were more tickets closed with similar "issues" in 4.0.1. In general it would still be good to know if tickets for this kind of thing are "ok" or "nok" (as written: not "unknown or 0-day things"; I have only made tickets for things where I have seen there is a fix for them...).