
update superset 3.1.0 dependency "pillow 9.5.0"

Open nigzak opened this issue 1 year ago • 3 comments

Bug description

pillow 9.5.0 has some high findings

https://scout.docker.com/vulnerabilities/id/GHSA-56pw-mpj4-fxww?s=github&n=pillow&t=pypi&vr=%3C10.0.1&utm_source=desktop&utm_medium=ExternalLink CVSS = N/A Fixed with 10.0.1

https://scout.docker.com/vulnerabilities/id/CVE-2023-50447?s=github&n=pillow&t=pypi&vr=%3C10.2.0&utm_source=desktop&utm_medium=ExternalLink CVSS = 8.1 Fixed with 10.2.0

https://scout.docker.com/vulnerabilities/id/CVE-2023-4863?s=github&n=pillow&t=pypi&vr=%3C10.0.1&utm_source=desktop&utm_medium=ExternalLink CVSS = 8.8 Fixed with 10.0.1

https://scout.docker.com/vulnerabilities/id/CVE-2023-44271?s=github&n=pillow&t=pypi&vr=%3C10.0.0&utm_source=desktop&utm_medium=ExternalLink CVSS = 7.5 Fixed with 10.0.0

https://scout.docker.com/vulnerabilities/id/PYSEC-2023-175?s=pypa&n=pillow&t=pypi&vr=%3C10.0.1&utm_source=desktop&utm_medium=ExternalLink CVSS = N/A Fixed with 10.0.0

https://scout.docker.com/vulnerabilities/id/GMS-2023-3137?s=gitlab&n=pillow&t=pypi&vr=%3C10.0.1&utm_source=desktop&utm_medium=ExternalLink CVSS = N/A Fixed with 10.0.1

=> to get rid of all of them, an update to 10.2.0 (or newer) should be done

How to reproduce the bug

download the image of superset 3.1.0 and do a docker scout image scan

Screenshots/recordings

image

Superset version

3.1.0

Python version

3.9

Node version

16

Browser

Chrome

Additional context

V3.0.3 is also affected

Checklist

  • [X] I have searched Superset docs and Slack and didn't find a solution to my problem.
  • [X] I have searched the GitHub issue tracker and didn't find a similar bug report.
  • [X] I have checked Superset's logs for errors and if I found a relevant Python stacktrace, I included it here as text in the "additional context" section.

nigzak avatar Feb 02 '24 08:02 nigzak
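The report above relies on the scanner's view of the image. A direct check of what the image actually ships, as an added example that is not part of this issue or of the Superset project: it reads the installed Pillow version from inside the image and compares it with the 10.2.0 fix version cited above. It assumes `pip` is on PATH inside the image (so `--entrypoint pip` works); the freeze lines used offline are constructed, not real scanner output.

```shell
#!/bin/sh
# Added example: compare the Pillow version inside a container image with the
# version the report says fixes all listed findings, without trusting the scanner.
set -eu

IMAGE="apache/superset:3.1.0"   # image named in the issue
FIXED="10.2.0"                  # fix version cited in the issue

# version_ge A B: return 0 if dotted numeric version A >= B, else 1.
version_ge() {
    a="$1."; b="$2."
    while [ -n "$a" ] || [ -n "$b" ]; do
        x="${a%%.*}"; a="${a#*.}"
        y="${b%%.*}"; b="${b#*.}"
        [ "${x:-0}" -gt "${y:-0}" ] && return 0
        [ "${x:-0}" -lt "${y:-0}" ] && return 1
    done
    return 0
}

# Extract Pillow's version from "pip list --format=freeze" output (name is case-insensitive).
pillow_version_from_freeze() {
    printf '%s\n' "$1" | awk -F'==' 'tolower($1) == "pillow" { print $2; exit }'
}

# Print a verdict for freeze output; exit status 0 = fixed, 1 = vulnerable, 2 = not installed.
pillow_status() {
    ver="$(pillow_version_from_freeze "$1")"
    [ -n "$ver" ] || { echo "missing"; return 2; }
    if version_ge "$ver" "$FIXED"; then echo "fixed ($ver >= $FIXED)"; return 0; fi
    echo "vulnerable ($ver < $FIXED)"; return 1
}

# Pull the image and ask pip inside it (needs Docker; assumes pip is on PATH in the image).
scan_image() {
    docker pull -q "$IMAGE" >/dev/null
    freeze="$(docker run --rm --entrypoint pip "$IMAGE" list --format=freeze)"
    pillow_status "$freeze"
}

# Constructed sample in freeze format, mirroring what the scanner reported (9.5.0).
SAMPLE_OLD="flask==2.2.5
Pillow==9.5.0
sqlalchemy==1.4.36"

echo "constructed sample: $(pillow_status "$SAMPLE_OLD")"
# Only touch Docker when explicitly requested, so the script stays usable offline.
if [ "${SCAN_IMAGE:-0}" = "1" ]; then
    echo "$IMAGE: $(scan_image)"
fi
```

Run with `SCAN_IMAGE=1 sh check_pillow.sh` to query the real image; comparing that verdict with `docker scout cves --only-package pillow apache/superset:3.1.0` shows whether the scanner and the image disagree.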

Hm I thought this PR bumped pillow to 10.0: https://github.com/apache/superset/pull/25931 It should be reflected in 3.1.0. Is it not?

sfirke avatar Feb 02 '24 18:02 sfirke

Yes that PR is included in 3.1.0: https://github.com/apache/superset/blob/3.1.0/CHANGELOG.md

sfirke avatar Feb 05 '24 15:02 sfirke

I am not sure; if it is inside, why is docker scout showing that it is problematic? Pulled today via "docker pull apache/superset:3.1.0" and opened it in scout; it still shows 9.5.0

image

nigzak avatar Feb 12 '24 13:02 nigzak

superset 3.1.1 seems NOT to be affected

image

nigzak avatar Feb 21 '24 10:02 nigzak

> superset 3.1.1 seems NOT to be affected

It sounds like we're safe to close this then, since the PR is also included in 3.0.3 and 3.0.4, i.e. both currently supported minor/major releases of Superset

rusackas avatar Feb 21 '24 16:02 rusackas