diff --git a/CHANGELOG.md b/CHANGELOG.md
index cba6558c0..e430615ce 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -21,6 +21,7 @@ All notable changes to this project will be documented in this file.
 - stackable-base: Mitigate CVE-2023-37920 by removing e-Tugra root certificates ([#673]).
 - hdfs: Exclude unused jars and mitigate snappy-java CVEs by bumping dependency ([#682]).
 - druid: Build from source ([#684]).
+- superset: Updating Flask-AppBuilder and gevent, remove greenlet from 3.1.0-constrains.txt to mitigate CVE-2024-25128 and CVE-2023-41419 ([#686]).
 
 ### Changed
 
@@ -86,6 +87,7 @@ All notable changes to this project will be documented in this file.
 [#682]: https://github.com/stackabletech/docker-images/pull/682
 [#684]: https://github.com/stackabletech/docker-images/pull/684
 [#685]: https://github.com/stackabletech/docker-images/pull/685
+[#686]: https://github.com/stackabletech/docker-images/pull/686
 [#688]: https://github.com/stackabletech/docker-images/pull/688
 
 ## [24.3.0] - 2024-03-20
diff --git a/superset/constraints-3.1.0.txt b/superset/constraints-3.1.0.txt
index 75b1c7f9c..b0cd6b393 100644
--- a/superset/constraints-3.1.0.txt
+++ b/superset/constraints-3.1.0.txt
@@ -98,7 +98,8 @@ flask==2.2.5
     # flask-session
     # flask-sqlalchemy
     # flask-wtf
-flask-appbuilder==4.3.10
+# Bumping 4.3.10 -> 4.3.11 to get rid of CVE-2024-25128
+flask-appbuilder==4.3.11
     # via apache-superset
 flask-babel==1.0.0
     # via flask-appbuilder
@@ -134,7 +135,9 @@ geographiclib==1.52
     # via geopy
 geopy==2.2.0
     # via apache-superset
-greenlet==2.0.2
+# Letting python decide which greenlet version to compile at
+# since we diverge from the vendor to fix CVE's
+# greenlet==2.0.2
     # via
     #   shillelagh
     #   sqlalchemy
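Review bot: Commenting out the pin in the `greenlet==2.0.2` hunk leaves a transitive dependency floating in a file whose whole purpose is to pin every package, so the image build is no longer reproducible and any future greenlet release, including a broken or malicious one, would be pulled in silently at the next build. If the reason is that gevent 24.2.1 needs a newer greenlet than 2.0.2, pin the version that pip resolves today rather than dropping the line, e.g. `greenlet==<resolved version>` with the comment `# bumped from 2.0.2: required by gevent 24.2.1`, so the bump is deliberate and auditable like the flask-appbuilder and gevent ones. The added comment's `CVE's` should read `CVEs`. I am assuming this file is passed to pip as a constraints file; if it is consumed some other way the reproducibility concern may not apply.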
@@ -383,7 +386,9 @@ zipp==3.15.0
     # importlib-metadata
     # importlib-resources
 # from https://github.com/apache/superset/blob/3.1.0/requirements/docker.txt
-gevent==22.10.2
+# Bumped 22.10.2 -> 24.2.1 version to get rid of
+# CVE-2023-41419
+gevent==24.2.1
     # via -r requirements/docker.in
 psycopg2-binary==2.9.6
     # via apache-superset