
Commit 812fdcf

chore(superset): Fix CVE-2024-1135 by upgrading gunicorn (#919)
* chore(superset): Fix CVE-2024-1135 by upgrading `gunicorn` from 21.2.0 to 22.0.0 * changelog
1 parent 6ab0d67 commit 812fdcf

2 files changed

+9
-0
lines changed


CHANGELOG.md

Lines changed: 2 additions & 0 deletions
@@ -39,6 +39,7 @@ All notable changes to this project will be documented in this file.
3939
- ubi-rust-builder: Bump Rust toolchain to 1.81.0 ([#902]).
4040
- ci: Handle release builds in the same build workflows ([#913]).
4141
- hadoop: Bump to `hdfs-utils` 0.4.0 ([#914]).
42+
- superset: Fix `CVE-2024-1135` by upgrading `gunicorn` from 21.2.0 to 22.0.0 ([#919]).
4243
- jmx_exporter: Updated to a custom-built version of 1.0.1 to fix performance regressions ([#920]).
4344

4445
### Removed
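Review bot: the new changelog entry states the fix unconditionally, but the accompanying Dockerfile change only installs gunicorn 22.0.0 when `$PRODUCT` matches `4.0.x`; consider qualifying the entry so readers of the changelog know which Superset versions the image-level fix applies to, e.g. `- superset: Fix `CVE-2024-1135` on the 4.0.x line by upgrading `gunicorn` from 21.2.0 to 22.0.0 ([#919]).` Placement between `[#914]`/`#917` and `#920` keeps the list in PR-number order, which matches the surrounding entries.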
@@ -107,6 +108,7 @@ All notable changes to this project will be documented in this file.
107108
[#913]: https://github.com/stackabletech/docker-images/pull/913
108109
[#914]: https://github.com/stackabletech/docker-images/pull/914
109110
[#917]: https://github.com/stackabletech/docker-images/pull/917
111+
[#919]: https://github.com/stackabletech/docker-images/pull/919
110112
[#920]: https://github.com/stackabletech/docker-images/pull/920
111113
[#921]: https://github.com/stackabletech/docker-images/pull/921
112114

superset/Dockerfile

Lines changed: 7 additions & 0 deletions
@@ -68,6 +68,13 @@ RUN python3 -m venv /stackable/app \
6868
# by searching first under `TZPATH` (which is empty due to the point above) or for the tzdata python package.
6969
# That package is therefore added here (airflow has tzdata in its list of dependencies, but superset does not).
7070
tzdata \
71+
# We bumped this from 21.2.0 to 22.0.0 to fix CVE-2024-1135
72+
# Superset 4.1.0 will contain at least 22.0.0, the bump was done in https://github.com/apache/superset/commit/4f693c6db0dc5c7286a36b8d23e90541943ff13f
73+
# We only want to bump this for the 4.0.x line, as the others already have updated and we don't want to accidentially downgrade the version
74+
&& if [[ "$PRODUCT" =~ ^4\.0\..* ]]; \
75+
then echo "Superset 4.0.x detected, installing gunicorn 22.0.0 to fix CVE-2024-1135" \
76+
&& pip install gunicorn==22.0.0; \
77+
fi \
7178
&& pip install \
7279
--no-cache-dir \
7380
--upgrade \
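Review bot: the conditional `pip install gunicorn==22.0.0` runs before the `pip install --no-cache-dir --upgrade ...` that follows it, so that later resolution can still replace the pinned gunicorn if any package it installs declares a conflicting requirement; either move the conditional block after the main install or end the `RUN` with a check such as `pip show gunicorn | grep -q '^Version: 22.0.0'` so the build fails loudly if the fix is undone. Two smaller points in the same hunk: `[[ "$PRODUCT" =~ ^4\.0\..* ]]` is bash syntax and will fail under `/bin/sh` unless the Dockerfile sets `SHELL` to bash (a POSIX `case "$PRODUCT" in 4.0.*) ... ;; esac` avoids the dependency, and the trailing `.*` in the regex is redundant), and this `pip install` omits the `--no-cache-dir` that the neighbouring install uses, leaving pip's cache in the layer. Also, "accidentially" in the comment should read "accidentally".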

0 commit comments
