
update superset 3.1.0 dependency "pillow 9.5.0" #26990

Closed
3 tasks done
nigzak opened this issue Feb 2, 2024 · 5 comments

Comments

nigzak (Contributor) commented Feb 2, 2024

Bug description

pillow 9.5.0 has some high findings

| Advisory | CVSS | Fixed with |
|---|---|---|
| [GHSA-56pw-mpj4-fxww](https://scout.docker.com/vulnerabilities/id/GHSA-56pw-mpj4-fxww?s=github&n=pillow&t=pypi&vr=%3C10.0.1&utm_source=desktop&utm_medium=ExternalLink) | N/A | 10.0.1 |
| [CVE-2023-50447](https://scout.docker.com/vulnerabilities/id/CVE-2023-50447?s=github&n=pillow&t=pypi&vr=%3C10.2.0&utm_source=desktop&utm_medium=ExternalLink) | 8.1 | 10.2.0 |
| [CVE-2023-4863](https://scout.docker.com/vulnerabilities/id/CVE-2023-4863?s=github&n=pillow&t=pypi&vr=%3C10.0.1&utm_source=desktop&utm_medium=ExternalLink) | 8.8 | 10.0.1 |
| [CVE-2023-44271](https://scout.docker.com/vulnerabilities/id/CVE-2023-44271?s=github&n=pillow&t=pypi&vr=%3C10.0.0&utm_source=desktop&utm_medium=ExternalLink) | 7.5 | 10.0.0 |
| [PYSEC-2023-175](https://scout.docker.com/vulnerabilities/id/PYSEC-2023-175?s=pypa&n=pillow&t=pypi&vr=%3C10.0.1&utm_source=desktop&utm_medium=ExternalLink) | N/A | 10.0.0 |
| [GMS-2023-3137](https://scout.docker.com/vulnerabilities/id/GMS-2023-3137?s=gitlab&n=pillow&t=pypi&vr=%3C10.0.1&utm_source=desktop&utm_medium=ExternalLink) | N/A | 10.0.1 |

=> To get rid of all of them, an update to 10.2.0 (or newer) should be done.

How to reproduce the bug

1. Download the image of superset 3.1.0.
2. Run a `docker scout` image scan.

Screenshots/recordings

[screenshot]

Superset version

3.1.0

Python version

3.9

Node version

16

Browser

Chrome

Additional context

V3.0.3 is also affected

Checklist

  • I have searched Superset docs and Slack and didn't find a solution to my problem.
  • I have searched the GitHub issue tracker and didn't find a similar bug report.
  • I have checked Superset's logs for errors and if I found a relevant Python stacktrace, I included it here as text in the "additional context" section.
nigzak changed the title from "update superset 3.1.0 dependency "pillow 9.5.0" because of view security high findings" to "update superset 3.1.0 dependency "pillow 9.5.0"" on Feb 2, 2024
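As an added example (not part of the issue or of the Superset project), the version gate behind the "10.2.0 or newer" conclusion above: given the Pillow version found in an image, it lists which of the reported findings are still open and the smallest release that closes all of them. The `docker run` command in the comment is an assumption about how to read the installed version out of the image; the findings table is copied from the report.

```python
from typing import Iterable, List, Tuple

# Findings as reported in the issue: (advisory identifier, first version with the fix).
FINDINGS: List[Tuple[str, str]] = [
    ("GHSA-56pw-mpj4-fxww", "10.0.1"),
    ("CVE-2023-50447", "10.2.0"),
    ("CVE-2023-4863", "10.0.1"),
    ("CVE-2023-44271", "10.0.0"),
    ("PYSEC-2023-175", "10.0.0"),
    ("GMS-2023-3137", "10.0.1"),
]


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn a dotted release string such as '10.0.1' into a comparable tuple.
    Only plain numeric releases are handled, which is all the report uses."""
    return tuple(int(part) for part in v.strip().split("."))


def open_findings(installed: str, findings: Iterable[Tuple[str, str]] = FINDINGS) -> List[str]:
    """Return the identifiers whose fix version is newer than the installed version."""
    have = parse_version(installed)
    return [fid for fid, fixed in findings if have < parse_version(fixed)]


def minimum_fixed_version(findings: Iterable[Tuple[str, str]] = FINDINGS) -> str:
    """Smallest release that closes every finding: the highest of the fix versions."""
    return max((fixed for _, fixed in findings), key=parse_version)


if __name__ == "__main__":
    # The installed version would be read from the image under test, for example
    # (assumption, not a command from the issue):
    #   docker run --rm apache/superset:3.1.0 python -c "import PIL; print(PIL.__version__)"
    for installed in ("9.5.0", "10.0.1", "10.2.0"):
        print(installed, "still open:", open_findings(installed) or "none")
    print("upgrade target:", minimum_fixed_version())
```

With 9.5.0 (what the scan reported) every finding is open; 10.0.1 leaves only CVE-2023-50447, which is why the target is 10.2.0 rather than the 10.0 bump discussed below.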
sfirke (Member) commented Feb 2, 2024

Hm, I thought this PR bumped pillow to 10.0: #25931. It should be reflected in 3.1.0. Is it not?

sfirke (Member) commented Feb 5, 2024

Yes, that PR is included in 3.1.0: https://github.com/apache/superset/blob/3.1.0/CHANGELOG.md

nigzak (Contributor, Author) commented Feb 12, 2024

I am not sure; if it is included, why is docker scout showing that it is problematic?
Pulled today via "docker pull apache/superset:3.1.0" and opened in scout, it still shows 9.5.0.

[screenshot]

nigzak (Contributor, Author) commented Feb 21, 2024

superset 3.1.1 seems NOT to be affected.

[screenshot]

rusackas (Member) commented

> superset 3.1.1 seems NOT to be affected

It sounds like we're safe to close this then, since the PR is also included in 3.0.3 and 3.0.4, or both currently supported minor/major releases of Superset.
