Update vulnerabilities #26696

obohaciak · 2023-06-16T13:50:39Z

Related command
N/A

Description
Fixes vulnerabilities in mcr.microsoft.com/azure-cli:2.49.0. Affected packages are:

cryptography 38.0.4 (pip)
requests 2.26.0 (pip)
openssl 3.1.0-r4 (apk)
binutils 2.40-r6 (apk)

Testing Guide
N/A

History Notes
N/A

This checklist is used to make sure that common guidelines for a pull request are followed.

The PR title and description has followed the guideline in Submitting Pull Requests.
I adhere to the Command Guidelines.
I adhere to the Error Handling Guidelines.

azure-client-tools-bot-prd · 2023-06-16T13:50:41Z

️✔️AzureCLI-FullTest

️✔️acr

️✔️2020-09-01-hybrid

️✔️3.10

️✔️3.9

️✔️latest

️✔️3.10

️✔️3.9

️✔️acs

️✔️2020-09-01-hybrid

️✔️3.10

️✔️3.9

️✔️latest

️✔️3.10

️✔️3.9

️✔️advisor

️✔️latest

️✔️3.10

️✔️3.9

️✔️ams

️✔️latest

️✔️3.10

️✔️3.9

️✔️apim

️✔️latest

️✔️3.10

️✔️3.9

️✔️appconfig

️✔️latest

️✔️3.10

️✔️3.9

️✔️appservice

️✔️latest

️✔️3.10

️✔️3.9

️✔️aro

️✔️latest

️✔️3.10

️✔️3.9

️✔️backup

️✔️latest

️✔️3.10

️✔️3.9

️✔️batch

️✔️latest

️✔️3.10

️✔️3.9

️✔️batchai

️✔️latest

️✔️3.10

️✔️3.9

️✔️billing

️✔️latest

️✔️3.10

️✔️3.9

️✔️botservice

️✔️latest

️✔️3.10

️✔️3.9

️✔️cdn

️✔️latest

️✔️3.10

️✔️3.9

️✔️cloud

️✔️latest

️✔️3.10

️✔️3.9

️✔️cognitiveservices

️✔️latest

️✔️3.10

️✔️3.9

️✔️config

️✔️latest

️✔️3.10

️✔️3.9

️✔️configure

️✔️latest

️✔️3.10

️✔️3.9

️✔️consumption

️✔️latest

️✔️3.10

️✔️3.9

️✔️container

️✔️latest

️✔️3.10

️✔️3.9

️✔️core

️✔️2018-03-01-hybrid

️✔️3.10

️✔️3.9

️✔️2019-03-01-hybrid

️✔️3.10

️✔️3.9

️✔️2020-09-01-hybrid

️✔️3.10

️✔️3.9

️✔️latest

️✔️3.10

️✔️3.9

️✔️cosmosdb

️✔️latest

️✔️3.10

️✔️3.9

️✔️databoxedge

️✔️2019-03-01-hybrid

️✔️3.10

️✔️3.9

️✔️2020-09-01-hybrid

️✔️3.10

️✔️3.9

️✔️latest

️✔️3.10

️✔️3.9

️✔️dla

️✔️latest

️✔️3.10

️✔️3.9

️✔️dls

️✔️latest

️✔️3.10

️✔️3.9

️✔️dms

️✔️latest

️✔️3.10

️✔️3.9

️✔️eventgrid

️✔️latest

️✔️3.10

️✔️3.9

️✔️eventhubs

️✔️latest

️✔️3.10

️✔️3.9

️✔️feedback

️✔️latest

️✔️3.10

️✔️3.9

️✔️find

️✔️latest

️✔️3.10

️✔️3.9

️✔️hdinsight

️✔️latest

️✔️3.10

️✔️3.9

️✔️identity

️✔️latest

️✔️3.10

️✔️3.9

️✔️iot

️✔️2019-03-01-hybrid

️✔️3.10

️✔️3.9

️✔️2020-09-01-hybrid

️✔️3.10

️✔️3.9

️✔️latest

️✔️3.10

️✔️3.9

️✔️keyvault

️✔️2018-03-01-hybrid

️✔️3.10

️✔️3.9

️✔️2020-09-01-hybrid

️✔️3.10

️✔️3.9

️✔️latest

️✔️3.10

️✔️3.9

️✔️kusto

️✔️latest

️✔️3.10

️✔️3.9

️✔️lab

️✔️latest

️✔️3.10

️✔️3.9

️✔️managedservices

️✔️latest

️✔️3.10

️✔️3.9

️✔️maps

️✔️latest

️✔️3.10

️✔️3.9

️✔️marketplaceordering

️✔️latest

️✔️3.10

️✔️3.9

️✔️monitor

️✔️latest

️✔️3.10

️✔️3.9

️✔️mysql

️✔️latest

️✔️3.10

️✔️3.9

️✔️netappfiles

️✔️latest

️✔️3.10

️✔️3.9

️✔️network

️✔️2018-03-01-hybrid

️✔️3.10

️✔️3.9

️✔️latest

️✔️3.10

️✔️3.9

️✔️policyinsights

️✔️latest

️✔️3.10

️✔️3.9

️✔️privatedns

️✔️latest

️✔️3.10

️✔️3.9

️✔️profile

️✔️latest

️✔️3.10

️✔️3.9

️✔️rdbms

️✔️latest

️✔️3.10

️✔️3.9

️✔️redis

️✔️latest

️✔️3.10

️✔️3.9

️✔️relay

️✔️latest

️✔️3.10

️✔️3.9

️✔️resource

️✔️2018-03-01-hybrid

️✔️3.10

️✔️3.9

️✔️2019-03-01-hybrid

️✔️3.10

️✔️3.9

️✔️latest

️✔️3.10

️✔️3.9

️✔️role

️✔️latest

️✔️3.10

️✔️3.9

️✔️search

️✔️latest

️✔️3.10

️✔️3.9

️✔️security

️✔️latest

️✔️3.10

️✔️3.9

️✔️servicebus

️✔️latest

️✔️3.10

️✔️3.9

️✔️serviceconnector

️✔️latest

️✔️3.10

️✔️3.9

️✔️servicefabric

️✔️latest

️✔️3.10

️✔️3.9

️✔️signalr

️✔️latest

️✔️3.10

️✔️3.9

️✔️sql

️✔️latest

️✔️3.10

️✔️3.9

️✔️sqlvm

️✔️latest

️✔️3.10

️✔️3.9

️✔️storage

️✔️2018-03-01-hybrid

️✔️3.10

️✔️3.9

️✔️2019-03-01-hybrid

️✔️3.10

️✔️3.9

️✔️2020-09-01-hybrid

️✔️3.10

️✔️3.9

️✔️latest

️✔️3.10

️✔️3.9

️✔️synapse

️✔️latest

️✔️3.10

️✔️3.9

️✔️telemetry

️✔️2018-03-01-hybrid

️✔️3.10

️✔️3.9

️✔️2019-03-01-hybrid

️✔️3.10

️✔️3.9

️✔️2020-09-01-hybrid

️✔️3.10

️✔️3.9

️✔️latest

️✔️3.10

️✔️3.9

️✔️util

️✔️latest

️✔️3.10

️✔️3.9

️✔️vm

️✔️2018-03-01-hybrid

️✔️3.10

️✔️3.9

️✔️2019-03-01-hybrid

️✔️3.10

️✔️3.9

️✔️2020-09-01-hybrid

️✔️3.10

️✔️3.9

️✔️latest

️✔️3.10

️✔️3.9

azure-client-tools-bot-prd · 2023-06-16T13:50:44Z

️✔️AzureCLI-BreakingChangeTest

️✔️Non Breaking Changes

ghost · 2023-06-16T13:50:48Z

Thank you for your contribution obohaciak! We will review the pull request and get back to you soon.

yonzhan · 2023-06-16T13:50:52Z

Thank you for your contribution! We will review the pull request and get back to you soon.

bebound · 2023-06-19T02:12:48Z

requests is bumped in #26571
openssl and binutils will be updated once there is new version in Alpine repo.

The reason of using old version cryptography is in #25690. We are working on Windows 64-bit MSI package in #26640, once it's finished, we'll bump it.

jiasli · 2023-06-19T02:47:03Z

Dockerfile

+RUN pip install cryptography -U
+RUN pip install requests -U


This will be covered by #26671.

jiasli · 2023-06-19T02:51:58Z

Dockerfile

+RUN apk upgrade openssl
+RUN apk upgrade binutils --repository=http://dl-cdn.alpinelinux.org/alpine/edge/main


This is not a universal solution as they are only specific to certain versions of Alpine Linux image. Alpine Linux will include these fixes in its new docker image. We also automatically pick up the latest Alpine Linux image:

azure-cli/Dockerfile

Line 8 in 5f52c83

FROM python:${PYTHON_VERSION}-alpine

Update vulnerabilities

c25277b

azure-client-tools-bot-prd bot added this to the June 2023 (2023-07-04) milestone Jun 16, 2023

ghost added the customer-reported Issues that are reported by GitHub users external to the Azure organization. label Jun 16, 2023

yonzhan requested review from bebound and jiasli June 16, 2023 22:32

yonzhan assigned bebound Jun 16, 2023

jiasli reviewed Jun 19, 2023

View reviewed changes

Dockerfile

Comment on lines +69 to +70

RUN pip install cryptography -U

RUN pip install requests -U

Copy link

Member

jiasli Jun 19, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This will be covered by #26671.

jiasli reviewed Jun 19, 2023

View reviewed changes

bebound closed this Jun 19, 2023

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Update vulnerabilities #26696

Update vulnerabilities #26696

Uh oh!

obohaciak commented Jun 16, 2023

Uh oh!

azure-client-tools-bot-prd bot commented Jun 16, 2023 •

edited

Loading

Uh oh!

azure-client-tools-bot-prd bot commented Jun 16, 2023 •

edited

Loading

Uh oh!

ghost commented Jun 16, 2023

Uh oh!

yonzhan commented Jun 16, 2023

Uh oh!

bebound commented Jun 19, 2023

Uh oh!

jiasli Jun 19, 2023

Uh oh!

jiasli Jun 19, 2023

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

4 participants

		RUN apk upgrade openssl
		RUN apk upgrade binutils --repository=http://dl-cdn.alpinelinux.org/alpine/edge/main

Update vulnerabilities #26696

Update vulnerabilities #26696

Uh oh!

Conversation

obohaciak commented Jun 16, 2023

Uh oh!

azure-client-tools-bot-prd bot commented Jun 16, 2023 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

azure-client-tools-bot-prd bot commented Jun 16, 2023 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

ghost commented Jun 16, 2023

Uh oh!

yonzhan commented Jun 16, 2023

Uh oh!

bebound commented Jun 19, 2023

Uh oh!

jiasli Jun 19, 2023

Choose a reason for hiding this comment

Uh oh!

jiasli Jun 19, 2023

Choose a reason for hiding this comment

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

4 participants

azure-client-tools-bot-prd bot commented Jun 16, 2023 •

edited

Loading

azure-client-tools-bot-prd bot commented Jun 16, 2023 •

edited

Loading