From 4835ae7648f4d344a3777820b5f90d177386d313 Mon Sep 17 00:00:00 2001
From: gauravsaini04 <147703805+gauravsaini04@users.noreply.github.com>
Date: Mon, 11 Dec 2023 15:43:53 +0000
Subject: [PATCH 1/8] [Anaconda] Update aiohttp due to GHSA-gfw2-4jvh-wgfg:aiohttp
---
 src/anaconda/.devcontainer/Dockerfile | 4 ++--
 src/anaconda/test-project/test.sh | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/src/anaconda/.devcontainer/Dockerfile b/src/anaconda/.devcontainer/Dockerfile
index 5e48c7e8c..4b197e37d 100644
--- a/src/anaconda/.devcontainer/Dockerfile
+++ b/src/anaconda/.devcontainer/Dockerfile
@@ -14,8 +14,8 @@ RUN conda install \
 requests=2.31.0 \
 # https://github.com/advisories/GHSA-f865-m6cq-j9vx
 mpmath=1.3.0 \
- # https://github.com/advisories/GHSA-45c4-8wx5-qw6w
- aiohttp=3.8.5 \
+ # https://github.com/advisories/GHSA-gfw2-4jvh-wgfg
+ aiohttp=3.8.6 \
 # https://github.com/advisories/GHSA-j7hp-h8jx-5ppr
 pillow=10.0.1 \
 # https://github.com/advisories/GHSA-v845-jxx5-vc9f
diff --git a/src/anaconda/test-project/test.sh b/src/anaconda/test-project/test.sh
index baf951019..b197e1121 100755
--- a/src/anaconda/test-project/test.sh
+++ b/src/anaconda/test-project/test.sh
@@ -43,7 +43,7 @@ checkPythonPackageVersion "requests" "2.31.0"
 checkPythonPackageVersion "cryptography" "41.0.3"
 checkPythonPackageVersion "transformers" "4.30.0"
 checkPythonPackageVersion "mpmath" "1.3.0"
-checkPythonPackageVersion "aiohttp" "3.8.5"
+checkPythonPackageVersion "aiohttp" "3.8.6"
 checkPythonPackageVersion "jupyter_server" "2.7.2"
 checkPythonPackageVersion "tornado" "6.3.3"
 
@@ -52,7 +52,7 @@ checkCondaPackageVersion "cryptography" "41.0.3"
 checkCondaPackageVersion "requests" "2.31.0"
 checkCondaPackageVersion "pygments" "2.15.1"
 checkCondaPackageVersion "mpmath" "1.3.0"
-checkCondaPackageVersion "aiohttp" "3.8.5"
+checkCondaPackageVersion "aiohttp" "3.8.6"
 checkCondaPackageVersion "pillow" "10.0.1"
 checkCondaPackageVersion "urllib3" "1.26.17"
 
From 1f9d03a522d52b449808567b3475dae23b0e6d11 Mon Sep 17 00:00:00 2001
From: gauravsaini04 <147703805+gauravsaini04@users.noreply.github.com>
Date: Thu, 14 Dec 2023 12:09:17 +0530
Subject: [PATCH 2/8] [Anaconda] Address GHSA-q3qx-c6g2-7pw2 vulnerability (#889)
* [Anaconda] Update aiohttp due to GHSA-gfw2-4jvh-wgfg:aiohttp
* [anaconda] Address GHSA-q3qx-c6g2-7pw2 vulnerability
* Update Dockerfile
---
 src/anaconda/.devcontainer/Dockerfile | 6 +++---
 src/anaconda/test-project/test.sh | 4 ++--
 2 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/src/anaconda/.devcontainer/Dockerfile b/src/anaconda/.devcontainer/Dockerfile
index b7fcc8857..8b6853516 100644
--- a/src/anaconda/.devcontainer/Dockerfile
+++ b/src/anaconda/.devcontainer/Dockerfile
@@ -5,9 +5,9 @@ RUN . /etc/os-release && if [ "${VERSION_CODENAME}" != "bullseye" ]; then exit 1

 # Temporary: Upgrade python packages due to mentioned CVEs
 # They are installed by the base image (continuumio/anaconda3) which does not have the patch.
-RUN conda install \
- # https://github.com/advisories/GHSA-gfw2-4jvh-wgfg
- aiohttp=3.8.6 \
+RUN conda install \
+ # https://github.com/advisories/GHSA-q3qx-c6g2-7pw2
+ aiohttp=3.9.0 \
 # https://github.com/advisories/GHSA-j7hp-h8jx-5ppr
 pillow=10.0.1 \
 # https://github.com/advisories/GHSA-v845-jxx5-vc9f
diff --git a/src/anaconda/test-project/test.sh b/src/anaconda/test-project/test.sh
index b197e1121..fb46158d9 100755
--- a/src/anaconda/test-project/test.sh
+++ b/src/anaconda/test-project/test.sh
@@ -43,7 +43,7 @@ checkPythonPackageVersion "requests" "2.31.0"
 checkPythonPackageVersion "cryptography" "41.0.3"
 checkPythonPackageVersion "transformers" "4.30.0"
 checkPythonPackageVersion "mpmath" "1.3.0"
-checkPythonPackageVersion "aiohttp" "3.8.6"
+checkPythonPackageVersion "aiohttp" "3.9.0"
 checkPythonPackageVersion "jupyter_server" "2.7.2"
 checkPythonPackageVersion "tornado" "6.3.3"
 
@@ -52,7 +52,7 @@ checkCondaPackageVersion "cryptography" "41.0.3"
 checkCondaPackageVersion "requests" "2.31.0"
 checkCondaPackageVersion "pygments" "2.15.1"
 checkCondaPackageVersion "mpmath" "1.3.0"
-checkCondaPackageVersion "aiohttp" "3.8.6"
+checkCondaPackageVersion "aiohttp" "3.9.0"
 checkCondaPackageVersion "pillow" "10.0.1"
 checkCondaPackageVersion "urllib3" "1.26.17"
 
From d7bd6103585b3ea377d182ccdedac460ce8b9b19 Mon Sep 17 00:00:00 2001
From: bhupendra-vaishnav <148317470+bhupendra-vaishnav@users.noreply.github.com>
Date: Thu, 14 Dec 2023 14:47:22 -0700
Subject: [PATCH 3/8] [anaconda] Python (Pip) Security Update for pyarrow (GHSA-5wvp-7f3h-6wmm) (#893)
* Updated pyarrow package to fix GHSA-5wvp-7f3h-6wmm
* Updated pyarrow package to fix GHSA-5wvp-7f3h-6wmm
* [Anaconda] Address GHSA-q3qx-c6g2-7pw2 vulnerability (#889)
* [Anaconda] Update aiohttp due to GHSA-gfw2-4jvh-wgfg:aiohttp
* [anaconda] Address GHSA-q3qx-c6g2-7pw2 vulnerability
* Update Dockerfile
* Updated pyarrow package to fix GHSA-5wvp-7f3h-6wmm
* Updated pyarrow package to fix GHSA-5wvp-7f3h-6wmm
* removed package-lock.json as its not require
---------
Co-authored-by: gauravsaini04 <147703805+gauravsaini04@users.noreply.github.com>
---
 src/anaconda/.devcontainer/Dockerfile | 4 +++-
 src/anaconda/test-project/test.sh | 2 ++
 2 files changed, 5 insertions(+), 1 deletion(-)
diff --git a/src/anaconda/.devcontainer/Dockerfile b/src/anaconda/.devcontainer/Dockerfile
index 8b6853516..9823b0c31 100644
--- a/src/anaconda/.devcontainer/Dockerfile
+++ b/src/anaconda/.devcontainer/Dockerfile
@@ -29,7 +29,9 @@ RUN python3 -m pip install --upgrade \
 # https://github.com/advisories/GHSA-qppv-j76h-2rpx
 tornado==6.3.3 \
 # https://github.com/advisories/GHSA-r726-vmfq-j9j3
- jupyter_server==2.7.2
+ jupyter_server==2.7.2 \
+ # https://github.com/advisories/GHSA-5wvp-7f3h-6wmm
+ pyarrow==14.0.1

 # Reset and copy updated files with updated privs to keep image size down
 FROM mcr.microsoft.com/devcontainers/base:1-bullseye
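Review bot: The `pyarrow==14.0.1` pin added to the `RUN python3 -m pip install --upgrade` block carries no integrity check, so the build trusts whatever the index serves for that version at build time; the same applies to the other `==` pins in this block and to the later additions to it in [PATCH 5/8], [PATCH 6/8], [PATCH 7/8] and [PATCH 8/8]. An exact version selects an artifact but does not verify it, and the hunk shows no constraint on transitive dependencies either, so `--upgrade` may resolve those to whatever is current. Moving these pins into a requirements file installed with `pip install --require-hashes -r <requirements-file>` and `--hash=sha256:<artifact-hash placeholder>` entries would tie the image to known artifacts and make the security-driven pins reproducible. The RUN block starts outside the hunk; the installed version is at least asserted by test.sh in this commit.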
diff --git a/src/anaconda/test-project/test.sh b/src/anaconda/test-project/test.sh
index fb46158d9..7e8890667 100755
--- a/src/anaconda/test-project/test.sh
+++ b/src/anaconda/test-project/test.sh
@@ -46,6 +46,7 @@ checkPythonPackageVersion "mpmath" "1.3.0"
 checkPythonPackageVersion "aiohttp" "3.9.0"
 checkPythonPackageVersion "jupyter_server" "2.7.2"
 checkPythonPackageVersion "tornado" "6.3.3"
+checkPythonPackageVersion "pyarrow" "14.0.1"
 
 checkCondaPackageVersion "pyopenssl" "23.2.0"
 checkCondaPackageVersion "cryptography" "41.0.3"
@@ -55,6 +56,7 @@ checkCondaPackageVersion "mpmath" "1.3.0"
 checkCondaPackageVersion "aiohttp" "3.9.0"
 checkCondaPackageVersion "pillow" "10.0.1"
 checkCondaPackageVersion "urllib3" "1.26.17"
+checkCondaPackageVersion "pyarrow" "14.0.1"
 
 check "conda-update-conda" bash -c "conda update -y conda"
 check "conda-install-tensorflow" bash -c "conda create --name test-env -c conda-forge --yes tensorflow"
From 2359bd2d0d943d2314a572a35ec8bb7d0159f289 Mon Sep 17 00:00:00 2001
From: Josh Abernathy
Date: Tue, 19 Dec 2023 22:48:12 -0500
Subject: [PATCH 4/8] Remove deprecated Ruby extension (#894)
* Replace deprecated Ruby extension
* Remove the extension since the feature is already installing it
* Update devcontainer.json
---
 src/ruby/.devcontainer/devcontainer.json | 16 ----------------
 1 file changed, 16 deletions(-)
diff --git a/src/ruby/.devcontainer/devcontainer.json b/src/ruby/.devcontainer/devcontainer.json
index 8d32f49e3..2bd2f7f5d 100644
--- a/src/ruby/.devcontainer/devcontainer.json
+++ b/src/ruby/.devcontainer/devcontainer.json
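Review bot: The new `checkCondaPackageVersion "pyarrow" "14.0.1"` in the second hunk asserts a conda-side version for a package that this commit's Dockerfile hunk installs with `python3 -m pip install --upgrade`, not with `conda install`. Whether that assertion can pass depends on how checkCondaPackageVersion (defined outside the hunk) reads the version; if it consults conda's own package metadata, a pip upgrade leaves that metadata at the base image's older version, so the check is either failing or not testing what its name claims. Installing the pinned version through the same channel the check inspects, or keeping only the `checkPythonPackageVersion "pyarrow" "14.0.1"` line for pip-managed packages, keeps the test meaningful; [PATCH 7/8] in this series does the former for cryptography.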
@@ -18,22 +18,6 @@
 "ppa": "false"
 }
 },
- // Configure tool-specific properties.
- "customizations": {
- // Configure properties specific to VS Code.
- "vscode": {
- // Add the IDs of extensions you want installed when the container is created.
- "extensions": [
- "rebornix.Ruby"
- ]
- }
- },
- // Use 'forwardPorts' to make a list of ports inside the container available locally.
- // "forwardPorts": [],
-
- // Use 'postCreateCommand' to run commands after the container is created.
- // "postCreateCommand": "ruby --version",
-
 // Set `remoteUser` to `root` to connect as root instead. More info: https://aka.ms/vscode-remote/containers/non-root.
 "remoteUser": "vscode"
 }
From 5e9f9ae17cc154c83810e2de71a4715883c8b7ad Mon Sep 17 00:00:00 2001
From: gauravsaini04 <147703805+gauravsaini04@users.noreply.github.com>
Date: Mon, 25 Dec 2023 11:34:37 +0000
Subject: [PATCH 5/8] [Anaconda] Address GHSA-jfhm-5ghh-2f97; GHSA-94vc-p8w7-5p49; GHSA-v68g-wm8c-6x7j vulnerability
---
 src/anaconda/.devcontainer/Dockerfile | 10 ++++++++--
 src/anaconda/test-project/test.sh | 7 ++++---
 2 files changed, 12 insertions(+), 5 deletions(-)
diff --git a/src/anaconda/.devcontainer/Dockerfile b/src/anaconda/.devcontainer/Dockerfile
index 9823b0c31..14d8908b1 100644
--- a/src/anaconda/.devcontainer/Dockerfile
+++ b/src/anaconda/.devcontainer/Dockerfile
@@ -11,7 +11,7 @@ RUN conda install \
 # https://github.com/advisories/GHSA-j7hp-h8jx-5ppr
 pillow=10.0.1 \
 # https://github.com/advisories/GHSA-v845-jxx5-vc9f
- urllib3==1.26.18
+ urllib3==1.26.18

 RUN python3 -m pip install --upgrade \
 # https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21797
@@ -31,7 +31,13 @@ RUN python3 -m pip install --upgrade \
 # https://github.com/advisories/GHSA-r726-vmfq-j9j3
 jupyter_server==2.7.2 \
 # https://github.com/advisories/GHSA-5wvp-7f3h-6wmm
- pyarrow==14.0.1
+ pyarrow==14.0.1 \
+ # https://github.com/advisories/GHSA-jfhm-5ghh-2f97
+ cryptography==41.0.6 \
+ # https://github.com/advisories/GHSA-v68g-wm8c-6x7j
+ transformers==4.36.0 \
+ # https://github.com/advisories/GHSA-94vc-p8w7-5p49
+ imagecodecs==2023.9.18

 # Reset and copy updated files with updated privs to keep image size down
 FROM mcr.microsoft.com/devcontainers/base:1-bullseye
diff --git a/src/anaconda/test-project/test.sh b/src/anaconda/test-project/test.sh
index 7e8890667..2329f3048 100755
--- a/src/anaconda/test-project/test.sh
+++ b/src/anaconda/test-project/test.sh
@@ -40,16 +40,17 @@ checkPythonPackageVersion "nbconvert" "6.5.1"
 checkPythonPackageVersion "werkzeug" "2.2.3"
 checkPythonPackageVersion "certifi" "2022.12.07"
 checkPythonPackageVersion "requests" "2.31.0"
-checkPythonPackageVersion "cryptography" "41.0.3"
-checkPythonPackageVersion "transformers" "4.30.0"
+checkPythonPackageVersion "cryptography" "41.0.6"
+checkPythonPackageVersion "transformers" "4.36.0"
 checkPythonPackageVersion "mpmath" "1.3.0"
 checkPythonPackageVersion "aiohttp" "3.9.0"
 checkPythonPackageVersion "jupyter_server" "2.7.2"
 checkPythonPackageVersion "tornado" "6.3.3"
 checkPythonPackageVersion "pyarrow" "14.0.1"
+checkPythonPackageVersion "imagecodecs" "2023.9.18"
 
 checkCondaPackageVersion "pyopenssl" "23.2.0"
-checkCondaPackageVersion "cryptography" "41.0.3"
+checkCondaPackageVersion "cryptography" "41.0.6"
 checkCondaPackageVersion "requests" "2.31.0"
 checkCondaPackageVersion "pygments" "2.15.1"
 checkCondaPackageVersion "mpmath" "1.3.0"
From a92218e6fd17779e7fa119ac5030c7ce5874066a Mon Sep 17 00:00:00 2001
From: gauravsaini04 <147703805+gauravsaini04@users.noreply.github.com>
Date: Tue, 26 Dec 2023 02:16:43 +0000
Subject: [PATCH 6/8] [Anaconda] Address Cryptography_GHSA-jfhm-5ghh-2f97 vulnerability
---
 src/anaconda/.devcontainer/Dockerfile | 6 +-----
 src/anaconda/test-project/test.sh | 2 --
 2 files changed, 1 insertion(+), 7 deletions(-)
diff --git a/src/anaconda/.devcontainer/Dockerfile b/src/anaconda/.devcontainer/Dockerfile
index 14d8908b1..2352fc050 100644
--- a/src/anaconda/.devcontainer/Dockerfile
+++ b/src/anaconda/.devcontainer/Dockerfile
@@ -33,11 +33,7 @@ RUN python3 -m pip install --upgrade \
 # https://github.com/advisories/GHSA-5wvp-7f3h-6wmm
 pyarrow==14.0.1 \
 # https://github.com/advisories/GHSA-jfhm-5ghh-2f97
- cryptography==41.0.6 \
- # https://github.com/advisories/GHSA-v68g-wm8c-6x7j
- transformers==4.36.0 \
- # https://github.com/advisories/GHSA-94vc-p8w7-5p49
- imagecodecs==2023.9.18
+ cryptography==41.0.6

 # Reset and copy updated files with updated privs to keep image size down
 FROM mcr.microsoft.com/devcontainers/base:1-bullseye
diff --git a/src/anaconda/test-project/test.sh b/src/anaconda/test-project/test.sh
index 2329f3048..b1d734b1c 100755
--- a/src/anaconda/test-project/test.sh
+++ b/src/anaconda/test-project/test.sh
@@ -41,13 +41,11 @@ checkPythonPackageVersion "werkzeug" "2.2.3"
 checkPythonPackageVersion "certifi" "2022.12.07"
 checkPythonPackageVersion "requests" "2.31.0"
 checkPythonPackageVersion "cryptography" "41.0.6"
-checkPythonPackageVersion "transformers" "4.36.0"
 checkPythonPackageVersion "mpmath" "1.3.0"
 checkPythonPackageVersion "aiohttp" "3.9.0"
 checkPythonPackageVersion "jupyter_server" "2.7.2"
 checkPythonPackageVersion "tornado" "6.3.3"
 checkPythonPackageVersion "pyarrow" "14.0.1"
-checkPythonPackageVersion "imagecodecs" "2023.9.18"
 
 checkCondaPackageVersion "pyopenssl" "23.2.0"
 checkCondaPackageVersion "cryptography" "41.0.6"
From 79e35509642750de3e0a068ca5c47cb7d2d765e3 Mon Sep 17 00:00:00 2001
From: gauravsaini04 <147703805+gauravsaini04@users.noreply.github.com>
Date: Wed, 27 Dec 2023 13:47:56 +0000
Subject: [PATCH 7/8] [Anaconda] Fetched cryptography package from default conda channel
---
 src/anaconda/.devcontainer/Dockerfile | 8 ++++----
 src/anaconda/test-project/test.sh | 5 +++--
 2 files changed, 7 insertions(+), 6 deletions(-)
diff --git a/src/anaconda/.devcontainer/Dockerfile b/src/anaconda/.devcontainer/Dockerfile
index 2352fc050..bf03c1afd 100644
--- a/src/anaconda/.devcontainer/Dockerfile
+++ b/src/anaconda/.devcontainer/Dockerfile
@@ -11,7 +11,9 @@ RUN conda install \
 # https://github.com/advisories/GHSA-j7hp-h8jx-5ppr
 pillow=10.0.1 \
 # https://github.com/advisories/GHSA-v845-jxx5-vc9f
- urllib3==1.26.18
+ urllib3==1.26.18 \
+ # https://github.com/advisories/GHSA-jfhm-5ghh-2f97
+ cryptography==41.0.7

 RUN python3 -m pip install --upgrade \
 # https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21797
@@ -31,9 +33,7 @@ RUN python3 -m pip install --upgrade \
 # https://github.com/advisories/GHSA-r726-vmfq-j9j3
 jupyter_server==2.7.2 \
 # https://github.com/advisories/GHSA-5wvp-7f3h-6wmm
- pyarrow==14.0.1 \
- # https://github.com/advisories/GHSA-jfhm-5ghh-2f97
- cryptography==41.0.6
+ pyarrow==14.0.1

 # Reset and copy updated files with updated privs to keep image size down
 FROM mcr.microsoft.com/devcontainers/base:1-bullseye
diff --git a/src/anaconda/test-project/test.sh b/src/anaconda/test-project/test.sh
index b1d734b1c..484455a7c 100755
--- a/src/anaconda/test-project/test.sh
+++ b/src/anaconda/test-project/test.sh
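Review bot: The added `cryptography==41.0.7` in the first Dockerfile hunk uses conda's exact-match form while the neighbouring context line `pillow=10.0.1 \` uses the single `=` form, which conda treats as a prefix (fuzzy) match rather than an exact version; within one advisory-driven `conda install` block the two styles read as if they meant the same thing, and they do not. Since test.sh asserts the exact strings, the exact form is the safer default for every entry here, e.g. `pillow==10.0.1 \`, and presumably for the aiohttp entry that sits outside this hunk. The RUN block starts outside the hunk.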
@@ -40,7 +40,8 @@ checkPythonPackageVersion "nbconvert" "6.5.1"
 checkPythonPackageVersion "werkzeug" "2.2.3"
 checkPythonPackageVersion "certifi" "2022.12.07"
 checkPythonPackageVersion "requests" "2.31.0"
-checkPythonPackageVersion "cryptography" "41.0.6"
+checkPythonPackageVersion "cryptography" "41.0.7"
+checkPythonPackageVersion "transformers" "4.30.0"
 checkPythonPackageVersion "mpmath" "1.3.0"
 checkPythonPackageVersion "aiohttp" "3.9.0"
 checkPythonPackageVersion "jupyter_server" "2.7.2"
@@ -48,7 +49,7 @@ checkPythonPackageVersion "tornado" "6.3.3"
 checkPythonPackageVersion "pyarrow" "14.0.1"
 
 checkCondaPackageVersion "pyopenssl" "23.2.0"
-checkCondaPackageVersion "cryptography" "41.0.6"
+checkCondaPackageVersion "cryptography" "41.0.7"
 checkCondaPackageVersion "requests" "2.31.0"
 checkCondaPackageVersion "pygments" "2.15.1"
 checkCondaPackageVersion "mpmath" "1.3.0"
From a035ea94643c6451ad3181be44b47b7e8e8f637b Mon Sep 17 00:00:00 2001
From: gauravsaini04 <147703805+gauravsaini04@users.noreply.github.com>
Date: Thu, 4 Jan 2024 02:44:02 +0530
Subject: [PATCH 8/8] [Anaconda] Update transformers pkg due to GHSA-v68g-wm8c-6x7j vulnerability (#906)
* [Anaconda] Update aiohttp due to GHSA-gfw2-4jvh-wgfg:aiohttp
* [Anaconda] Address GHSA-q3qx-c6g2-7pw2 vulnerability (#889)
* [Anaconda] Update aiohttp due to GHSA-gfw2-4jvh-wgfg:aiohttp
* [anaconda] Address GHSA-q3qx-c6g2-7pw2 vulnerability
* Update Dockerfile
* [anaconda] Python (Pip) Security Update for pyarrow (GHSA-5wvp-7f3h-6wmm) (#893)
* Updated pyarrow package to fix GHSA-5wvp-7f3h-6wmm
* Updated pyarrow package to fix GHSA-5wvp-7f3h-6wmm
* [Anaconda] Address GHSA-q3qx-c6g2-7pw2 vulnerability (#889)
* [Anaconda] Update aiohttp due to GHSA-gfw2-4jvh-wgfg:aiohttp
* [anaconda] Address GHSA-q3qx-c6g2-7pw2 vulnerability
* Update Dockerfile
* Updated pyarrow package to fix GHSA-5wvp-7f3h-6wmm
* Updated pyarrow package to fix GHSA-5wvp-7f3h-6wmm
* removed package-lock.json as its not require
---------
Co-authored-by: gauravsaini04 <147703805+gauravsaini04@users.noreply.github.com>
* Remove deprecated Ruby extension (#894)
* Replace deprecated Ruby extension
* Remove the extension since the feature is already installing it
* Update devcontainer.json
* [Anaconda] Address Transformers GHSA-v68g-wm8c-6x7j vulnerability
---------
Co-authored-by: bhupendra-vaishnav <148317470+bhupendra-vaishnav@users.noreply.github.com>
Co-authored-by: Josh Abernathy
---
 src/anaconda/.devcontainer/Dockerfile | 4 +++-
 src/anaconda/test-project/test.sh | 2 +-
 2 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/src/anaconda/.devcontainer/Dockerfile b/src/anaconda/.devcontainer/Dockerfile
index bf03c1afd..618d0d243 100644
--- a/src/anaconda/.devcontainer/Dockerfile
+++ b/src/anaconda/.devcontainer/Dockerfile
@@ -33,7 +33,9 @@ RUN python3 -m pip install --upgrade \
 # https://github.com/advisories/GHSA-r726-vmfq-j9j3
 jupyter_server==2.7.2 \
 # https://github.com/advisories/GHSA-5wvp-7f3h-6wmm
- pyarrow==14.0.1
+ pyarrow==14.0.1 \
+ # https://github.com/advisories/GHSA-v68g-wm8c-6x7j
+ transformers==4.36.0

 # Reset and copy updated files with updated privs to keep image size down
 FROM mcr.microsoft.com/devcontainers/base:1-bullseye
diff --git a/src/anaconda/test-project/test.sh b/src/anaconda/test-project/test.sh
index 484455a7c..0cfadce24 100755
--- a/src/anaconda/test-project/test.sh
+++ b/src/anaconda/test-project/test.sh
@@ -41,7 +41,7 @@ checkPythonPackageVersion "werkzeug" "2.2.3"
 checkPythonPackageVersion "certifi" "2022.12.07"
 checkPythonPackageVersion "requests" "2.31.0"
 checkPythonPackageVersion "cryptography" "41.0.7"
-checkPythonPackageVersion "transformers" "4.30.0"
+checkPythonPackageVersion "transformers" "4.36.0"
 checkPythonPackageVersion "mpmath" "1.3.0"
 checkPythonPackageVersion "aiohttp" "3.9.0"
 checkPythonPackageVersion "jupyter_server" "2.7.2"