Posted to notifications@superset.apache.org by "hash-data (via GitHub)" <gi...@apache.org> on 2023/04/07 11:42:17 UTC

[GitHub] [superset] hash-data opened a new issue, #23621: Vulnerable issues with dependencies in Superset

hash-data opened a new issue, #23621:
URL: https://github.com/apache/superset/issues/23621

   Superset is currently using:
   WTForms version: 2.3.3
   
   There is a CVE vulnerability in it that can be found here: https://pyup.io/v/42852/f17/
   I tried to update the version, but there is an error while running the flask server with the newest version of WTForms: https://github.com/wtforms/wtforms/issues/781 (issue listed here)
   
   Superset is currently using flask-appbuilder, which restricts sqlalchemy to <1.5 (all versions of flask-appbuilder depend on sqlalchemy < 1.5),
   which has a CVE vulnerability; for more info visit: https://pyup.io/v/51668/f17/
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: notifications-unsubscribe@superset.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org


---------------------------------------------------------------------
To unsubscribe, e-mail: notifications-unsubscribe@superset.apache.org
For additional commands, e-mail: notifications-help@superset.apache.org
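
The transitive pin the report above describes (flask-appbuilder constraining sqlalchemy to <1.5, which is what blocks a major bump) can be located mechanically. The following is an added example, not Superset's or Flask-AppBuilder's own tooling: it parses Requires-Dist strings with a small PEP 440 subset and reports which distribution's pin a candidate upgrade would violate. The sample data, including the Flask-AppBuilder and apache-superset version numbers, is constructed; `installed_requires` shows how to feed it the real environment instead.

```python
import re
from importlib import metadata
# Constructed sample shaped like importlib.metadata "Requires-Dist" data; the
# Flask-AppBuilder / apache-superset version numbers are hypothetical, not Superset's lockfile.
SAMPLE_REQUIRES = {
    "Flask-AppBuilder": ["SQLAlchemy<1.5,>=1.4", "WTForms<4,>=2.3", "Flask<3"],
    "apache-superset": ["Flask-AppBuilder>=4.3", "WTForms==2.3.3", "sqlalchemy>=1.4"],
}
_REQ = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*(?:\[[^\]]*\])?\s*([^;]*)")

def _norm(name):  # PEP 503 name normalisation, so SQLAlchemy and sqlalchemy compare equal
    return re.sub(r"[-_.]+", "-", name).lower()

def _vtuple(v):  # release segment only: "1.4.0rc1" -> (1, 4, 0); pre/post/dev tags are ignored
    return tuple(int(p) for p in re.match(r"\d+(?:\.\d+)*", v).group().split("."))

def _cmp(a, b):  # three-way compare after zero-padding, so (1, 5) == (1, 5, 0)
    n = max(len(a), len(b))
    a, b = a + (0,) * (n - len(a)), b + (0,) * (n - len(b))
    return (a > b) - (a < b)

def satisfies(version, spec):
    """True if version meets every clause of a comma-separated specifier (==, !=, <, <=, >, >=)."""
    v = _vtuple(version)
    for clause in (c.strip() for c in spec.split(",") if c.strip()):
        m = re.match(r"(==|!=|<=|>=|<|>)\s*([\w.]+)$", clause)
        if not m:  # ~=, wildcards and URL specs are out of scope: fail loudly rather than guess
            raise ValueError(f"unsupported specifier clause: {clause}")
        c = _cmp(v, _vtuple(m.group(2)))
        if not {"==": c == 0, "!=": c != 0, "<": c < 0, "<=": c <= 0, ">": c > 0, ">=": c >= 0}[m.group(1)]:
            return False
    return True

def pins_on(requires_map, dep):
    """{distribution: specifier} for each distribution that constrains `dep` (extras and markers dropped)."""
    out = {}
    for dist, reqs in requires_map.items():
        for m in filter(None, map(_REQ.match, reqs)):
            spec = m.group(2).strip(" ()")  # older metadata wraps the specifier in parentheses
            if _norm(m.group(1)) == _norm(dep) and spec:
                out[dist] = spec
    return out

def blockers(requires_map, dep, candidate):
    """Distributions whose pin on `dep` would be violated by bumping `dep` to `candidate`."""
    return sorted(d for d, s in pins_on(requires_map, dep).items() if not satisfies(candidate, s))

def installed_requires():  # same shape as SAMPLE_REQUIRES, read from the running environment
    return {d.metadata["Name"]: (d.requires or []) for d in metadata.distributions()}
```

On a real checkout, `blockers(installed_requires(), "sqlalchemy", "2.0.0")` lists every installed distribution whose metadata forbids that bump, which is the list to work through before attempting the upgrade.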


[GitHub] [superset] dpgaspar commented on issue #23621: Vulnerable issues (CVE) with dependencies in Superset

Posted by "dpgaspar (via GitHub)" <gi...@apache.org>.
dpgaspar commented on issue #23621:
URL: https://github.com/apache/superset/issues/23621#issuecomment-1506656607

   I find this confusing; I could not find any related CVE. Snyk, for example, reports this: https://security.snyk.io/package/pip/wtforms/2.3.3 so 2.3.3 is considered safe.
   

[GitHub] [superset] hash-data commented on issue #23621: Vulnerable issues (CVE) with dependencies in Superset

Posted by "hash-data (via GitHub)" <gi...@apache.org>.
hash-data commented on issue #23621:
URL: https://github.com/apache/superset/issues/23621#issuecomment-1506589924

   Hi @dpgaspar, any update on it?


[GitHub] [superset] dpgaspar commented on issue #23621: Vulnerable issues (CVE) with dependencies in Superset

Posted by "dpgaspar (via GitHub)" <gi...@apache.org>.
dpgaspar commented on issue #23621:
URL: https://github.com/apache/superset/issues/23621#issuecomment-1506818596

   I've checked. I don't doubt the accuracy of pyup.io, but it's confusing to have no CVE and a number of non-official security scanners with conflicting reports.
   
   Anyway, thank you for reporting this, it's truly appreciated. Bumping wtforms should have no blockers, but the major sqlalchemy bump will require a big effort.


[GitHub] [superset] hash-data commented on issue #23621: Vulnerable issues (CVE) with dependencies in Superset

Posted by "hash-data (via GitHub)" <gi...@apache.org>.
hash-data commented on issue #23621:
URL: https://github.com/apache/superset/issues/23621#issuecomment-1506947060

   Bumping wtforms will also take effort, as I tried it and listed the issue on the wtforms repo: https://github.com/wtforms/wtforms/issues/781


[GitHub] [superset] hash-data commented on issue #23621: Vulnerable issues (CVE) with dependencies in Superset

Posted by "hash-data (via GitHub)" <gi...@apache.org>.
hash-data commented on issue #23621:
URL: https://github.com/apache/superset/issues/23621#issuecomment-1603659353

   @dpgaspar any update on the other vulnerability?


[GitHub] [superset] hash-data commented on issue #23621: Vulnerable issues (CVE) with dependencies in Superset

Posted by "hash-data (via GitHub)" <gi...@apache.org>.
hash-data commented on issue #23621:
URL: https://github.com/apache/superset/issues/23621#issuecomment-1506663301

   Can you please check the URLs I have provided?


[GitHub] [superset] dpgaspar commented on issue #23621: Vulnerable issues (CVE) with dependencies in Superset

Posted by "dpgaspar (via GitHub)" <gi...@apache.org>.
dpgaspar commented on issue #23621:
URL: https://github.com/apache/superset/issues/23621#issuecomment-1523547660

   > Bumping wtforms will also take effort, as I tried it and listed the issue on the wtforms repo: [wtforms/wtforms#781](https://github.com/wtforms/wtforms/issues/781)
   
   Investigating the issue, it seems to be related to wtform_json (I left a more detailed comment on the issue you created on wtforms).


[GitHub] [superset] dpgaspar commented on issue #23621: Vulnerable issues (CVE) with dependencies in Superset

Posted by "dpgaspar (via GitHub)" <gi...@apache.org>.
dpgaspar commented on issue #23621:
URL: https://github.com/apache/superset/issues/23621#issuecomment-1649415505

   I've found no CVEs that need to be patched on Superset regarding sqlalchemy: https://www.cvedetails.com/vulnerability-list/vendor_id-11979/Sqlalchemy.html
   
   Wtforms is fixed.


[GitHub] [superset] dpgaspar closed issue #23621: Vulnerable issues (CVE) with dependencies in Superset

Posted by "dpgaspar (via GitHub)" <gi...@apache.org>.
dpgaspar closed issue #23621: Vulnerable issues (CVE) with dependencies in Superset
URL: https://github.com/apache/superset/issues/23621
