[v1.7.x] images/ansible-operator/base.Dockerfile: pin pip3~=21.1 (#4878)

openshift-cherrypick-robot · estroz · web-flow · commit eef267f7e6a2 · 2021-05-05T11:20:44.000-07:00
Signed-off-by: Eric Stroczynski &lt;ericstroczynski@gmail.com&gt;

Co-authored-by: Eric Stroczynski &lt;ericstroczynski@gmail.com&gt;
diff --git a/changelog/fragments/pip3-21.1.yaml b/changelog/fragments/pip3-21.1.yaml
@@ -0,0 +1,4 @@
+entries:
+  - description: >
+      Pinned pip3 to 21.1 in the ansible-operator image to fix https://github.com/pypa/pip/pull/9827
+    kind: bugfix
diff --git a/images/ansible-operator/base.Dockerfile b/images/ansible-operator/base.Dockerfile
@@ -21,9 +21,11 @@ ENV PIP_NO_CACHE_DIR=1 \
     PIPENV_CLEAR=1
 # Ensure fresh metadata rather than cached metadata, install system and pip python deps,
 # and remove those not needed at runtime.
+# pip3~=21.1 fixes a vulnerability described in https://github.com/pypa/pip/pull/9827.
 RUN yum clean all && rm -rf /var/cache/yum/* \
   && yum update -y \
   && yum install -y libffi-devel openssl-devel python38-devel gcc python38-pip python38-setuptools \
+  && pip3 install --upgrade pip~=21.1.0 \
   && pip3 install pipenv==2020.11.15 \
   && pipenv install --deploy \
   && pipenv check \
