
CVEs on 2.0.1 docker image

Open tooptoop4 opened this issue 3 years ago • 2 comments

I pulled docker image for 2.0.1rc4

findings:

- upgrade Pillow to 9.3.0 to resolve CVE-2022-30595, CVE-2022-45198, CVE-2022-45199
- upgrade Flask-Caching to 1.11.0 to resolve CVE-2021-33026
- upgrade Werkzeug to 2.1.1 to resolve CVE-2022-29361
- upgrade aiohttp to 3.8.3 to resolve CVE-2022-33124

curl is also affected by CVE-2022-42916, can it be removed from the image?

tooptoop4 avatar Nov 28 '22 05:11 tooptoop4
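To make the findings above checkable against an image, here is an added Python script (not part of the issue and not Superset's own code) that compares a `pip freeze` listing with the fix versions named in the report; the `pip freeze` text embedded in it is constructed sample data, and the version parser is a deliberately small PEP 440 subset (release digits plus an optional a/b/rc tag).

```python
import re
from typing import Dict, List, Tuple

# Minimum fixed versions exactly as stated in the issue report.
MIN_VERSIONS = {
    "pillow": "9.3.0",
    "flask-caching": "1.11.0",
    "werkzeug": "2.1.1",
    "aiohttp": "3.8.3",
}

# Subset of PEP 440: "X.Y.Z" optionally followed by a pre-release tag like "rc4".
_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:(a|b|rc)(\d+))?$")


def parse_version(text: str) -> Tuple[Tuple[int, ...], Tuple[int, int, int]]:
    """Return a sortable key; a pre-release sorts below its final release."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unsupported version string: {text!r}")
    release = tuple(int(p) for p in m.group(1).split("."))
    release += (0,) * max(0, 3 - len(release))  # so that 9.3 == 9.3.0
    if m.group(2):
        pre = (0, {"a": 0, "b": 1, "rc": 2}[m.group(2)], int(m.group(3)))
    else:
        pre = (1, 0, 0)  # final release ranks above any a/b/rc of the same number
    return release, pre


def normalize_name(name: str) -> str:
    """pip treats case and '-', '_', '.' in project names as equivalent."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_freeze(output: str) -> Dict[str, str]:
    """Turn 'pip freeze' lines ('Name==1.2.3') into {normalized name: version}."""
    installed: Dict[str, str] = {}
    for line in output.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "==" not in line:
            continue
        name, version = line.split("==", 1)
        installed[normalize_name(name)] = version
    return installed


def outdated(installed: Dict[str, str], minimums=MIN_VERSIONS) -> List[Tuple[str, str, str]]:
    """Return (package, installed, required) for each package below its fix version."""
    return [(pkg, installed[pkg], need) for pkg, need in minimums.items()
            if pkg in installed and parse_version(installed[pkg]) < parse_version(need)]


# Constructed sample of a `pip freeze` run inside an image (not real data).
SAMPLE_FREEZE = "aiohttp==3.8.1\napache-superset==2.0.1rc4\nFlask-Caching==1.10.1\nPillow==9.1.1\nWerkzeug==2.1.1\n"

if __name__ == "__main__":
    for pkg, have, need in outdated(parse_freeze(SAMPLE_FREEZE)):
        print(f"{pkg}: installed {have}, upgrade to >= {need}")
```

Run it with the real listing by replacing `SAMPLE_FREEZE` with the output of `docker run --rm <image> pip freeze`.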

Thank you for pointing out these issues. 2.0.1 is close to fully baked, and resolves a number of issues already. I think these additional fixes will have to wait for a fast-follow 2.0.2 release and/or 2.1.0.

rusackas avatar Nov 29 '22 16:11 rusackas

We'll add these to the security roadmap, and have it on the agenda to tackle and discuss at the next Security working group meeting. Let me know if you have any interest in attending. Thanks again!

rusackas avatar Nov 29 '22 16:11 rusackas