CVEs on 2.0.1 docker image #22235

tooptoop4 · 2022-11-28T05:08:12Z

i pulled docker image for 2.0.1rc4

findings:
upgrade Pillow to 9.3.0 to resolve CVE-2022-30595, CVE-2022-45198, CVE-2022-45199
upgrade Flask-Caching to 1.11.0 to resolve CVE-2021-33026
upgrade Werkzeug to 2.1.1 to resolve CVE-2022-29361
upgrade aiohttp to 3.8.3 to resolve CVE-2022-33124
curl is also affected by CVE-2022-42916 , can it be removed from the image?

rusackas · 2022-11-29T16:30:42Z

Thank you for pointing out these issues. 2.0.1 is close to fully baked, and resolves a number of issues already. I think these additional fixes will have to wait for a fast-follow 2.0.2 release and/or 2.1.0.

rusackas · 2022-11-29T16:32:20Z

We'll add these to the security roadmap, and have it on the agenda to tackle and discuss at the next Security working group meeting. Let me know if you have any interest in attending. Thanks again!

tooptoop4 added the #bug Bug report label Nov 28, 2022

rusackas assigned eschutho and dpgaspar Nov 29, 2022

rusackas added the v2.0.1 label Nov 29, 2022

EugeneTorap mentioned this issue Dec 7, 2022

chore: Bump flask libs #22355

Merged

9 tasks

EugeneTorap mentioned this issue Dec 21, 2022

chore: Bump Pillow to 9.3.0 #22489

Merged

9 tasks

villebro closed this as completed in #22489 Dec 23, 2022

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

CVEs on 2.0.1 docker image #22235

CVEs on 2.0.1 docker image #22235

tooptoop4 commented Nov 28, 2022

rusackas commented Nov 29, 2022 •

edited

Loading

rusackas commented Nov 29, 2022

CVEs on 2.0.1 docker image #22235

CVEs on 2.0.1 docker image #22235

Comments

tooptoop4 commented Nov 28, 2022

rusackas commented Nov 29, 2022 • edited Loading

rusackas commented Nov 29, 2022

rusackas commented Nov 29, 2022 •

edited

Loading