From eaf0d8eb448413c507c3aad4b00f8207b2647d2e Mon Sep 17 00:00:00 2001 From: Sebastian Bernauer Date: Thu, 7 Nov 2024 12:11:31 +0100 Subject: [PATCH 1/2] chore(superset): Fix CVE-2024-1135 by upgrading `gunicorn` from 21.2.0 to 22.0.0 --- CHANGELOG.md | 1 + superset/Dockerfile | 7 +++++++ 2 files changed, 8 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 93a278f7f..4fce3da8c 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -38,6 +38,7 @@ All notable changes to this project will be documented in this file. - ubi-rust-builder: Bump Rust toolchain to 1.81.0 ([#902]). - ci: Handle release builds in the same build workflows ([#913]). - hadoop: Bump to `hdfs-utils` 0.4.0 ([#914]). +- superset: Fix `CVE-2024-1135` by upgrading `gunicorn` from 21.2.0 to 22.0.0 ([#XXX]). ### Removed diff --git a/superset/Dockerfile b/superset/Dockerfile index 11d711b95..9a8d27a68 100644 --- a/superset/Dockerfile +++ b/superset/Dockerfile @@ -68,6 +68,13 @@ RUN python3 -m venv /stackable/app \ # by searching first under `TZPATH` (which is empty due to the point above) or for the tzdata python package. # That package is therefore added here (airflow has tzdata in its list of dependencies, but superset does not). tzdata \ + # We bumped this from 21.2.0 to 22.0.0 to fix CVE-2024-1135 + # Superset 4.1.0 will contain at least 22.0.0, the bump was done in https://github.com/apache/superset/commit/4f693c6db0dc5c7286a36b8d23e90541943ff13f + # We only want to bump this for the 4.0.x line, as the others already have updated and we don't want to accidentially downgrade the version + && if [[ "$PRODUCT" =~ ^4\.0\..* ]]; \ + then echo "Superset 4.0.x detected, installing gunicorn 22.0.0 to fix CVE-2024-1135" \ + && pip install gunicorn==22.0.0; \ + fi \ && pip install \ --no-cache-dir \ --upgrade \ From 7da9a57133cfa12ecf14c6092a9891dc6999ee91 Mon Sep 17 00:00:00 2001 
From: Sebastian Bernauer Date: Thu, 7 Nov 2024 12:13:58 +0100 Subject: [PATCH 2/2] changelog --- CHANGELOG.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 4fce3da8c..8d1685dcc 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -38,7 +38,7 @@ All notable changes to this project will be documented in this file. - ubi-rust-builder: Bump Rust toolchain to 1.81.0 ([#902]). - ci: Handle release builds in the same build workflows ([#913]). - hadoop: Bump to `hdfs-utils` 0.4.0 ([#914]). -- superset: Fix `CVE-2024-1135` by upgrading `gunicorn` from 21.2.0 to 22.0.0 ([#XXX]). +- superset: Fix `CVE-2024-1135` by upgrading `gunicorn` from 21.2.0 to 22.0.0 ([#919]). ### Removed @@ -102,6 +102,7 @@ All notable changes to this project will be documented in this file. [#912]: https://github.com/stackabletech/docker-images/pull/912 [#913]: https://github.com/stackabletech/docker-images/pull/913 [#914]: https://github.com/stackabletech/docker-images/pull/914 +[#919]: https://github.com/stackabletech/docker-images/pull/919 ## [24.7.0] - 2024-07-24
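Review bot: the new changelog line in the first commit's CHANGELOG.md hunk still carries a placeholder PR reference, `([#XXX])`, and no matching `[#XXX]:` link definition is added to the reference block at the bottom of the file, so the rendered entry would link nowhere. The second commit swaps it for `[#919]` and adds `[#919]: https://github.com/stackabletech/docker-images/pull/919`; since that commit's message is just `changelog`, it reads as a fix-up and would be cleaner squashed into the first commit so neither the placeholder nor the dangling link ever lands on the branch.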
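Review bot: in the superset/Dockerfile hunk, the version test `if [[ "$PRODUCT" =~ ^4\.0\..* ]]` depends on bash's `[[ ... =~ ]]`, which the POSIX `sh -c` that Docker uses for `RUN` by default does not provide; the hunk shows no `SHELL` instruction, so either confirm that bash is selected earlier in this Dockerfile or switch to a portable `case "$PRODUCT" in 4.0.*) ... ;; esac` (the trailing `.*` in the regex is also redundant). A second, more important point is ordering: `pip install gunicorn==22.0.0` runs before the `pip install --no-cache-dir --upgrade ...` that follows it, and pip's default `only-if-needed` upgrade strategy keeps 22.0.0 only if Superset's own gunicorn requirement is a range that 22.0.0 satisfies; an exact pin in the 4.0.x requirements would quietly downgrade it again and leave CVE-2024-1135 unfixed while the build log still prints the "installing gunicorn 22.0.0" message. Installing the pinned gunicorn after the Superset install, or adding a `pip check` / `pip show gunicorn` step that fails the build if 21.2.0 is still present, would make the fix verifiable in the resulting image. Minor: `accidentially` in the new comment should read `accidentally`.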