Posted to notifications@superset.apache.org by GitBox <gi...@apache.org> on 2023/01/17 21:52:58 UTC

[GitHub] [superset] tooptoop4 opened a new issue, #22759: CVE-2022-32221 on 2.0.1 docker image

tooptoop4 opened a new issue, #22759:
URL: https://github.com/apache/superset/issues/22759

   can curl be removed from the img?


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: notifications-unsubscribe@superset.apache.org.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org


---------------------------------------------------------------------
To unsubscribe, e-mail: notifications-unsubscribe@superset.apache.org
For additional commands, e-mail: notifications-help@superset.apache.org


Re: [I] CVE-2022-32221 on 2.0.1 docker image [superset]

Posted by "rusackas (via GitHub)" <gi...@apache.org>.
rusackas closed issue #22759: CVE-2022-32221 on 2.0.1 docker image
URL: https://github.com/apache/superset/issues/22759




[GitHub] [superset] sebastianliebscher commented on issue #22759: CVE-2022-32221 on 2.0.1 docker image

Posted by "sebastianliebscher (via GitHub)" <gi...@apache.org>.
sebastianliebscher commented on issue #22759:
URL: https://github.com/apache/superset/issues/22759#issuecomment-1555363760

   `curl` is needed for the Docker service health check. This CVE [was fixed](https://curl.se/docs/CVE-2022-32221.html) with curl 7.86.0 and the fix [got backported](https://metadata.ftp-master.debian.org/changelogs//main/c/curl/curl_7.74.0-1.3+deb11u7_changelog) to Debian bullseye on Dec 27 2022.
   
   To fix this (and similar issues in the future), the Superset committers could rebuild and push the Docker image from the 2.0.1 tag. Another solution would be to release a new 2.0.2 tag based on the 2.0.1 tag, which would rebuild the Docker images and thus update curl and other OS packages.




Re: [I] CVE-2022-32221 on 2.0.1 docker image [superset]

Posted by "rusackas (via GitHub)" <gi...@apache.org>.
rusackas commented on issue #22759:
URL: https://github.com/apache/superset/issues/22759#issuecomment-1972057676

   I'm not sure if this is still an issue in current versions of Superset (3.x). If it is, we can re-open this, or feel free to open a new issue with updated context and a reproducible case using example data. We're no longer supporting Superset 2.x or prior, and it's been a while since this thread saw any activity, so I'm closing this as stale.
   

