diff --git a/CHANGELOG.md b/CHANGELOG.md
index 7c8ed5a83..a17be32c3 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -39,6 +39,7 @@ All notable changes to this project will be documented in this file.
 - ubi-rust-builder: Bump Rust toolchain to 1.81.0 ([#902]).
 - ci: Handle release builds in the same build workflows ([#913]).
 - hadoop: Bump to `hdfs-utils` 0.4.0 ([#914]).
+- superset: Fix `CVE-2024-1135` by upgrading `gunicorn` from 21.2.0 to 22.0.0 ([#919]).
 - jmx_exporter: Updated to a custom-built version of 1.0.1 to fix performance regressions ([#920]).
 ### Removed
@@ -105,6 +106,7 @@ All notable changes to this project will be documented in this file.
 [#913]: https://github.com/stackabletech/docker-images/pull/913
 [#914]: https://github.com/stackabletech/docker-images/pull/914
 [#917]: https://github.com/stackabletech/docker-images/pull/917
+[#919]: https://github.com/stackabletech/docker-images/pull/919
 [#920]: https://github.com/stackabletech/docker-images/pull/920
 ## [24.7.0] - 2024-07-24
diff --git a/superset/Dockerfile b/superset/Dockerfile
index 11d711b95..9a8d27a68 100644
--- a/superset/Dockerfile
+++ b/superset/Dockerfile
@@ -68,6 +68,13 @@ RUN python3 -m venv /stackable/app \
 # by searching first under `TZPATH` (which is empty due to the point above) or for the tzdata python package.
 # That package is therefore added here (airflow has tzdata in its list of dependencies, but superset does not).
 tzdata \
+ # We bumped this from 21.2.0 to 22.0.0 to fix CVE-2024-1135
+ # Superset 4.1.0 will contain at least 22.0.0, the bump was done in https://github.com/apache/superset/commit/4f693c6db0dc5c7286a36b8d23e90541943ff13f
+ # We only want to bump this for the 4.0.x line, as the others already have updated and we don't want to accidentially downgrade the version
+ && if [[ "$PRODUCT" =~ ^4\.0\..* ]]; \
+ then echo "Superset 4.0.x detected, installing gunicorn 22.0.0 to fix CVE-2024-1135" \
+ && pip install gunicorn==22.0.0; \
+ fi \
 && pip install \
 --no-cache-dir \
 --upgrade \
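Review bot: The conditional `pip install gunicorn==22.0.0` runs before the `pip install --upgrade` that follows it, so if that later install resolves Superset's own gunicorn requirement (the new comment indicates the 4.0.x line shipped 21.2.0) it can silently put 21.2.0 back, leaving the image still exposed to CVE-2024-1135 while the CHANGELOG entry says it is fixed; whether that happens depends on what the later install pins, which is outside this hunk. The safer shape is to run the conditional after the Superset install and assert the outcome, e.g. `&& if [[ "$PRODUCT" =~ ^4\.0\..* ]]; then pip install --no-cache-dir gunicorn==22.0.0; fi \` followed by `&& pip show gunicorn | grep -q '^Version: 22\.0\.0$' \`, so a downgrade fails the build rather than going unnoticed. Two smaller points on the added lines: `[[ ... ]]` is bash syntax and will fail under the default `/bin/sh` unless an earlier `SHELL` instruction selects bash, and the gunicorn install omits the `--no-cache-dir` that the install below it uses, so pip's cache lands in the layer. The `RUN` instruction starts before this hunk and continues past it.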