chore(superset): Fix CVE-2024-1135 by upgrading gunicorn

CHANGELOG.md

@@ -38,6 +38,7 @@ All notable changes to this project will be documented in this file.
 - ubi-rust-builder: Bump Rust toolchain to 1.81.0 ([#902]).
 - ci: Handle release builds in the same build workflows ([#913]).
 - hadoop: Bump to `hdfs-utils` 0.4.0 ([#914]).
+- superset: Fix `CVE-2024-1135` by upgrading `gunicorn` from 21.2.0 to 22.0.0 ([#919]).
 
 ### Removed
 
@@ -101,6 +102,7 @@ All notable changes to this project will be documented in this file.
 [#912]: https://github.com/stackabletech/docker-images/pull/912
 [#913]: https://github.com/stackabletech/docker-images/pull/913
 [#914]: https://github.com/stackabletech/docker-images/pull/914
+[#919]: https://github.com/stackabletech/docker-images/pull/919
 
 ## [24.7.0] - 2024-07-24
 

superset/Dockerfile

@@ -68,6 +68,13 @@ RUN python3 -m venv /stackable/app \
         # by searching first under `TZPATH` (which is empty due to the point above) or for the tzdata python package.
         # That package is therefore added here (airflow has tzdata in its list of dependencies, but superset does not).
         tzdata \
+    # We bumped this from 21.2.0 to 22.0.0 to fix CVE-2024-1135
+    # Superset 4.1.0 will contain at least 22.0.0, the bump was done in https://github.com/apache/superset/commit/4f693c6db0dc5c7286a36b8d23e90541943ff13f
+    # We only want to bump this for the 4.0.x line, as the others already have updated and we don't want to accidentially downgrade the version
+    && if [[ "$PRODUCT" =~ ^4\.0\..* ]]; \
+        then echo "Superset 4.0.x detected, installing gunicorn 22.0.0 to fix CVE-2024-1135" \
+        && pip install gunicorn==22.0.0; \
+    fi \
     && pip install \
         --no-cache-dir \
         --upgrade \