
upgrade to python 3.11 and fix dependency upgrades #681

Closed
wants to merge 2 commits into from

Conversation

P4sca1 (Collaborator) commented Oct 4, 2024

Changes

  • Upgrade to Python 3.11 to fix CVE-2023-36632 (High) and CVE-2023-27043 (Medium)
  • Don't install / upgrade wheel (installed via pyproject.toml)
  • Upgrade pip and setuptools version in venv. Otherwise the new versions are not applied to the final image layer. Fixes CVE-2022-40897 and CVE-2024-6345. Note that setuptools is only a build dependency, but is still present at runtime, because the geoip2 package references a vulnerable version as a dependency.
  • Quote setuptools version. Previously, the version specifier was not applied and instead the output of the command was written to a file called =72.2.0. The > character was interpreted as a redirect operator.

Trivy Image scan results

Scanned using trivy image IMAGE --ignore-unfixed

Before

Python (python-pkg)

Total: 3 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 2, CRITICAL: 0)

┌───────────────────────┬────────────────┬──────────┬────────┬───────────────────┬───────────────┬──────────────────────────────────────────────────────────┐
│        Library        │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version │                          Title                           │
├───────────────────────┼────────────────┼──────────┼────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────┤
│ pip (METADATA)        │ CVE-2023-5752  │ MEDIUM   │ fixed  │ 23.0.1            │ 23.3          │ pip: Mercurial configuration injectable in repo revision │
│                       │                │          │        │                   │               │ when installing via pip                                  │
│                       │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2023-5752                │
├───────────────────────┼────────────────┼──────────┤        ├───────────────────┼───────────────┼──────────────────────────────────────────────────────────┤
│ setuptools (METADATA) │ CVE-2022-40897 │ HIGH     │        │ 65.5.0            │ 65.5.1        │ pypa-setuptools: Regular Expression Denial of Service    │
│                       │                │          │        │                   │               │ (ReDoS) in package_index.py                              │
│                       │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2022-40897               │
│                       ├────────────────┤          │        │                   ├───────────────┼──────────────────────────────────────────────────────────┤
│                       │ CVE-2024-6345  │          │        │                   │ 70.0.0        │ pypa/setuptools: Remote code execution via download      │
│                       │                │          │        │                   │               │ functions in the package_index module in...              │
│                       │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2024-6345                │
└───────────────────────┴────────────────┴──────────┴────────┴───────────────────┴───────────────┴──────────────────────────────────────────────────────────┘

opt/bitnami/python (bitnami)

Total: 2 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 1, CRITICAL: 0)

┌─────────┬────────────────┬──────────┬────────┬───────────────────┬────────────────┬──────────────────────────────────────────────────────────┐
│ Library │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version  │                          Title                           │
├─────────┼────────────────┼──────────┼────────┼───────────────────┼────────────────┼──────────────────────────────────────────────────────────┤
│ python  │ CVE-2023-36632 │ HIGH     │ fixed  │ 3.10.15-4         │ 3.11.4         │ python: RecursionError: maximum recursion depth exceeded │
│         │                │          │        │                   │                │ while calling a Python object                            │
│         │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2023-36632               │
│         ├────────────────┼──────────┤        │                   ├────────────────┼──────────────────────────────────────────────────────────┤
│         │ CVE-2023-27043 │ MEDIUM   │        │                   │ 2.7.18, 3.11.0 │ python: Parsing errors in email/_parseaddr.py lead to    │
│         │                │          │        │                   │                │ incorrect value in email address...                      │
│         │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2023-27043               │
└─────────┴────────────────┴──────────┴────────┴───────────────────┴────────────────┴──────────────────────────────────────────────────────────┘

After

Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
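The quoting bug described in the last bullet of the PR, as an added shell example that is not part of this PR or the project. A Dockerfile RUN line in shell form is executed by `/bin/sh -c`, so an unquoted `setuptools>=72.2.0` is tokenized as the word `setuptools` followed by the redirection `>=72.2.0`. The stand-in `fake_pip` function, the temporary working directory and the `check_pip_line` heuristic are constructed for this example; the version `72.2.0` is the one from the PR description.

```shell
#!/bin/sh
# Added example (not from the PR or the project): why an unquoted
# `setuptools>=72.2.0` silently drops the version constraint.
# `fake_pip` is a constructed stand-in for pip that only reports its arguments.

fake_pip() {
    # Print the argument list exactly as pip would have received it.
    printf '%s\n' "$*"
}

# The original (unquoted) form. The shell sees the word `setuptools` and then
# "redirect stdout to a file named =72.2.0"; pip gets `install setuptools` with
# no lower bound at all. Output: "<args pip saw>|<files left in the directory>"
unquoted_install() {
    dir=$(mktemp -d)
    ( cd "$dir" && fake_pip install setuptools>=72.2.0 )
    seen=$(cat "$dir/=72.2.0")   # pip's output landed in the stray file
    stray=$(ls "$dir")
    rm -rf "$dir"
    printf '%s|%s\n' "$seen" "$stray"
}

# The fixed (quoted) form from the PR: the specifier reaches pip intact and
# nothing is written to the working directory.
quoted_install() {
    dir=$(mktemp -d)
    seen=$( cd "$dir" && fake_pip install "setuptools>=72.2.0" )
    stray=$(ls "$dir")
    rm -rf "$dir"
    printf '%s|%s\n' "$seen" "$stray"
}

# Constructed guard for Dockerfiles and CI scripts: flag a `pip install` line that
# still contains a comparison operator after quoted segments are removed.
# Returns 0 when the line looks clean, 1 when a specifier appears unquoted.
check_pip_line() {
    line=$1
    case $line in
        *'pip install'*) ;;
        *) return 0 ;;
    esac
    stripped=$(printf '%s' "$line" | sed -e "s/\"[^\"]*\"//g" -e "s/'[^']*'//g")
    # An operator glued to a name character (e.g. `s>=`) is the tell-tale pattern.
    case $stripped in
        *[A-Za-z0-9_.-]'>'* | *[A-Za-z0-9_.-]'<'*) return 1 ;;
    esac
    return 0
}
```

Running `unquoted_install` prints `install setuptools|=72.2.0`, i.e. pip never saw the constraint and a stray `=72.2.0` file was created, which is exactly the symptom the PR fixes; `quoted_install` prints `install setuptools>=72.2.0|`. The `check_pip_line` heuristic is deliberately narrow (it only reacts to an operator directly adjacent to a package name) so that a legitimate `pip install foo > build.log` is not flagged.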

P4sca1 (Collaborator, Author) commented Oct 4, 2024

Superseded by #682

@P4sca1 P4sca1 closed this Oct 4, 2024