chore(superset): Fix CVE-2024-1135 by upgrading gunicorn from 21.2.0 to 22.0.0

sbernauer · sbernauer · commit eaf0d8eb4484 · 2024-11-07T12:11:31.000+01:00
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -38,6 +38,7 @@ All notable changes to this project will be documented in this file.
 - ubi-rust-builder: Bump Rust toolchain to 1.81.0 ([#902]).
 - ci: Handle release builds in the same build workflows ([#913]).
 - hadoop: Bump to `hdfs-utils` 0.4.0 ([#914]).
+- superset: Fix `CVE-2024-1135` by upgrading `gunicorn` from 21.2.0 to 22.0.0 ([#XXX]).
 
 ### Removed
 
diff --git a/superset/Dockerfile b/superset/Dockerfile
@@ -68,6 +68,13 @@ RUN python3 -m venv /stackable/app \
         # by searching first under `TZPATH` (which is empty due to the point above) or for the tzdata python package.
         # That package is therefore added here (airflow has tzdata in its list of dependencies, but superset does not).
         tzdata \
+    # We bumped this from 21.2.0 to 22.0.0 to fix CVE-2024-1135
+    # Superset 4.1.0 will contain at least 22.0.0, the bump was done in https://github.com/apache/superset/commit/4f693c6db0dc5c7286a36b8d23e90541943ff13f
+    # We only want to bump this for the 4.0.x line, as the others already have updated and we don't want to accidentially downgrade the version
+    && if [[ "$PRODUCT" =~ ^4\.0\..* ]]; \
+        then echo "Superset 4.0.x detected, installing gunicorn 22.0.0 to fix CVE-2024-1135" \
+        && pip install gunicorn==22.0.0; \
+    fi \
     && pip install \
         --no-cache-dir \
         --upgrade \
