
Update Werkzeug

Open nickumia-reisys opened this issue 3 years ago • 9 comments

Please keep any sensitive details in Google Drive.

Date of report: 02/15/2023
Severity: High
Due date: 03/15/2023

Due date is based on severity and described in RA-5. 15-days for Critical, 30-days for High, and 90-days for Moderate and lower.

Brief description

From our automated snyk scans, the above vulnerability in the werkzeug package was highlighted. After an investigation, it seems like there is no path forward to patch it. The upgrade of werkzeug cascades into a bunch of breaking versions with Flask and Jinja2 and other packages. There is an open issue about running CKAN with the latest version of Flask and the patch release of CKAN 2.9.8 still references Flask==1.1.1.

There is an open ticket in upstream CKAN that talks about the work related to this upgrade:

  • https://github.com/ckan/ckan/issues/7083

There was an old patch that was completed in 11/2022, but Snyk says that the new vulnerability requires a newer release:

  • https://github.com/ckan/ckan/pull/7207

Other list of references:

  • https://stackoverflow.com/a/73109165
  • https://github.com/pallets/werkzeug/blob/2.2.3/src/werkzeug/wrappers/__init__.py
  • https://security.snyk.io/vuln/SNYK-PYTHON-WERKZEUG-3319936
  • https://github.com/ckan/ckan/blob/ckan-2.10.0/requirements.in
  • https://github.com/ckan/ckan/blob/ckan-2.9.8/requirements.in

nickumia-reisys avatar Feb 21 '23 14:02 nickumia-reisys

There is a better chance that we'll be able to patch this vulnerability if we are on CKAN 2.10.0 (but there may still be issues).

nickumia-reisys avatar Feb 21 '23 14:02 nickumia-reisys

See efforts to upgrade in the following two PRs:

  • https://github.com/GSA/inventory-app/pull/546/
  • https://github.com/GSA/catalog.data.gov/pull/786

nickumia-reisys avatar Feb 21 '23 14:02 nickumia-reisys

Adding a March milestone to this so that we will look at it again, but given the discussion today at sync, this seems like it has to await the CKAN 2.10 update, which is #4209.

hkdctol avatar Feb 21 '23 20:02 hkdctol

Blocked by CKAN releasing compatibility changes to core code. See PR for details:

  • https://github.com/GSA/inventory-app/pull/622

nickumia-reisys avatar Jul 10 '23 14:07 nickumia-reisys

See comment

  • https://github.com/GSA/catalog.data.gov/pull/989#issuecomment-1744961644

nickumia-reisys avatar Oct 03 '23 13:10 nickumia-reisys

Conversation with CKAN core team on release schedule. No new developments, but at least they are aware that we are awaiting these fixes.

https://github.com/ckan/ckan/discussions/6381

btylerburton avatar Oct 05 '23 17:10 btylerburton

CKAN upstream ticket

rshewitt avatar May 07 '24 17:05 rshewitt

Followed up with CKAN.

gujral-rei avatar Jun 25 '24 12:06 gujral-rei

CKAN 2.11.0 fixes this issue with Werkzeug[watchdog]==3.0.3 in the requirements.txt.

FuhuXia avatar Sep 17 '24 19:09 FuhuXia

Should be fixed when this is released: https://github.com/GSA/catalog.data.gov/pull/1570/files#diff-c4855a6cce1e4953ffdf0b8fc9252c9394317e4d2c70404a67b925e4454d4010L111

jbrown-xentity avatar Mar 21 '25 17:03 jbrown-xentity

Fixed.

FuhuXia avatar Mar 25 '25 13:03 FuhuXia