R v4.4.0 needed for r-notebooks due to security vulnerability
What docker image(s) is this feature applicable to?
r-notebook
What change(s) are you proposing?
Update Dockerfile to install R v4.4.0.
How does this affect the user?
A security vulnerability was identified for versions of R <4.4.0. Consequently, the most recent versions of some CRAN packages like Matrix and MASS now require R versions >=4.4.0. These packages are dependencies for many popular R packages such as tidyverse. Providing an updated R version will circumvent the need to resolve a potentially long list of common dependencies that will need to be explicitly installed and resolved prior to installing an R package.
Anything else?
No response
datascience-notebook also needs to update R.
Note - we don't pin any specific R version in our images and images are rebuilt weekly. So, there is nothing to do within this project - as soon as all the dependencies are updated, the new R version will be installed automatically.
> Providing an updated R version will circumvent the need to resolve a potentially long list of common dependencies that will need to be explicitly installed and resolved prior to installing an R package.
This is true. If you want this to be resolved ASAP, I highly suggest helping dependent projects to update (this also includes working on recipes in conda-forge).
Btw, the conda-forge team is working on updating r-base to 4.4.0 (it has to be done first): https://github.com/conda-forge/r-base-feedstock/pull/297
> conda-forge team is working on updating r-base to 4.4.0
It looks like this was merged upstream back in June.
> > conda-forge team is working on updating r-base to 4.4.0
>
> It looks like this was merged upstream back in June.
Yes, but it won't be installed until all the related packages are updated to be built with the new version, which might take a while.
We applied the patch (no promises in RDS-loaded objects) to all R versions 4.1, 4.2, 4.3, 4.4. The latest builds of all those should be good.
(Conda Forge R Team member)
> Yes, but it won't be installed until all the related packages are updated to be built with the new version, which might take a while
Makes sense. It looks like there's a tracker for that upstream here (unless these are Windows specific?):
https://conda-forge.org/status/migration/?name=r-base44_and_m2w64-ucrt
> We applied the patch (no promises in RDS-loaded objects) to all R versions 4.1, 4.2, 4.3, 4.4. The latest builds of all those should be good.
> (Conda Forge R Team member)
I've just checked our latest builds:
- aarch64 r-notebook: https://github.com/jupyter/docker-stacks/wiki/aarch64-default-r-notebook-7f8cdf851ab9
- aarch64 r-notebook: https://github.com/jupyter/docker-stacks/wiki/x86_64-default-r-notebook-7f8cdf851ab9
Both include the latest builds of r-base for version 4.3.3: https://anaconda.org/conda-forge/r-base/files
This issue is about having a security vulnerability, and it seems to be fixed for old R versions as mentioned by @mfansler. So, I'm closing it.
About switching to v4.4 - there is nothing to change in this project to update to a newer version; when all dependencies are ready, our automatic weekly rebuild of all the images will do the job.