
superset 4.0.1 uses werkzeug 3.0.1 with CVE => should update to 3.0.3 or newer #28623

Closed
3 tasks done
nigzak opened this issue May 21, 2024 · 2 comments
Labels
install:dependencies Installation - Dependencies

Comments


nigzak commented May 21, 2024

Bug description

The current 4.0.1 image has a high-severity CVE finding for werkzeug:
CVE-2024-34069

An update to 3.0.3 (or newer) should be made.

How to reproduce the bug

Download the 4.0.1 Docker Hub image.
Scan the image.

Screenshots/recordings

No response

Superset version

4.0.1

Python version

3.9

Node version

16

Browser

Chrome

Additional context

No response

Checklist

  • I have searched Superset docs and Slack and didn't find a solution to my problem.
  • I have searched the GitHub issue tracker and didn't find a similar bug report.
  • I have checked Superset's logs for errors and if I found a relevant Python stacktrace, I included it here as text in the "additional context" section.

dosubot bot commented May 21, 2024

To address the high-severity CVE-2024-34069 in the Apache Superset 4.0.1 Docker image, you can update the Werkzeug version to 3.0.3 or newer. Here are the steps to achieve this:

Steps to Update Werkzeug Version

  1. Modify requirements/base.txt:
    Update the requirements/base.txt file to specify the updated Werkzeug version.

    Werkzeug>=3.0.3
    
  2. Update the Dockerfile:
    Ensure the Dockerfile installs the updated requirements. Based on the provided Dockerfile.from_local_tarball, you should update the relevant section as follows:

    WORKDIR /home/superset/apache-superset-$VERSION
    RUN pip install --upgrade setuptools pip \
        && pip install -r requirements/base.txt \
        && pip install --no-cache-dir .

Potential Conflicts

However, there are dependencies in the requirements/base.txt file that might conflict with Werkzeug version 3.0.3 or newer. Specifically, the flask package is listed as a dependency, and Flask 2.3.3 has a known compatibility issue with Werkzeug versions 3.0.3 or newer.

flask==2.3.3
    # via
    #   apache-superset
    #   flask-appbuilder
    #   flask-babel
    #   flask-caching
    #   flask-compress
    #   flask-jwt-extended
    #   flask-limiter
    #   flask-login
    #   flask-migrate
    #   flask-session
    #   flask-sqlalchemy
    #   flask-wtf

Flask 2.3.3 is compatible with Werkzeug up to version 2.x, but not with version 3.0.3 or newer. Additionally, the requirements/base.in file specifies werkzeug>=3.0.1, which could lead to conflicts with the Flask version specified.

Updating Documentation

To reflect this change, you should also update the relevant documentation:

  1. UPDATING.md:
    Include the change related to the Werkzeug dependency.

    - [9786](https://github.com/apache/superset/pull/9786): with the upgrade of `werkzeug` from version `0.16.0` to `1.0.1`, the `werkzeug.contrib.cache` module has been moved to a standalone package [cachelib](https://pypi.org/project/cachelib/). For example, to import the `RedisCache` class, please use the following import: `from cachelib.redis import RedisCache`.
  2. RELEASING/release-notes-1-1/README.md:
    Update to reflect this change.

    ## Breaking Changes and Full Changelog
    
    - To see the complete changelog in this release, head to [CHANGELOG.MD](https://github.com/apache/superset/blob/master/CHANGELOG.md).
    - You can find a list of backwards incompatible changes [here](https://github.com/apache/superset/blob/3d103e66fcaee42a6b4a42b2638e13d5e2208c3b/UPDATING.md).
  3. CHANGELOG/3.0.0.md:
    Ensure that the change in the Werkzeug dependency is noted here as well.

By following these steps, you can update the Werkzeug version to 3.0.3 or newer in the Apache Superset 4.0.1 Docker image to address the high-severity CVE-2024-34069. Be mindful of potential conflicts with other dependencies, particularly Flask, and update the relevant documentation to reflect these changes.

About Dosu
This response is meant to be useful and save you time. It is not meant to be a precise solution, but rather a starting point for your own research.

Help me be more useful! Please leave a 👍 if this is helpful and 👎 if it is irrelevant.

To continue the conversation, mention @dosu.
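A practitioner verifying the pin rather than the bot's prose will want to inspect the lock file the image is built from. The following is an added example (not Superset's tooling and not part of this thread): a small parser for the pip-compile format quoted above that flags any package pinned below a minimum fixed version. The lock-file sample and the `MIN_FIXED` table are constructed; only the Werkzeug 3.0.3 floor comes from the issue.

```python
"""Flag vulnerable pins in a pip-compiled lock file (requirements/base.txt style)."""
import re
from typing import Dict, List, Tuple

# Constructed sample in the "name==version" + "# via" format seen in the thread.
SAMPLE_LOCK = """\
flask==2.3.3
    # via
    #   apache-superset
    #   flask-appbuilder
werkzeug==3.0.1
    # via
    #   apache-superset
    #   flask
"""

# Minimum fixed versions to enforce; the Werkzeug entry is the one from the issue.
MIN_FIXED = {"werkzeug": "3.0.3"}

# Matches a pinned requirement line; comment lines (starting with '#') never match.
_PIN = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*==\s*([0-9][0-9A-Za-z.]*)")


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '3.0.1' into (3, 0, 1); a non-numeric tail such as 'rc1' is ignored."""
    parts: List[int] = []
    for piece in text.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def parse_pins(lock_text: str) -> Dict[str, str]:
    """Collect name==version pins, normalising names the way pip does (lower, '-')."""
    pins: Dict[str, str] = {}
    for line in lock_text.splitlines():
        m = _PIN.match(line)
        if m:
            pins[m.group(1).lower().replace("_", "-")] = m.group(2)
    return pins


def find_outdated(lock_text: str, minimums: Dict[str, str] = MIN_FIXED) -> List[str]:
    """Return 'name==pinned (< fixed)' for every pin below its fixed version."""
    pins = parse_pins(lock_text)
    return [f"{name}=={pins[name]} (< {fixed})" for name, fixed in minimums.items()
            if name in pins and parse_version(pins[name]) < parse_version(fixed)]
```

Run `find_outdated(open("requirements/base.txt").read())` against the real lock file of the image you scan; an empty list means every tracked package meets its floor.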

@dosubot dosubot bot added the install:dependencies Installation - Dependencies label May 21, 2024

michael-s-molina commented May 23, 2024

Hi @nigzak. Please follow the instructions on Reporting Security Vulnerabilities. There's also this warning in the issue template:

🚨 Reporting a security issue: send an email to [email protected]. DO NOT USE GITHUB ISSUES TO REPORT SECURITY PROBLEMS.
