[Security] Fix some of vulnerability issue relative python packages (s…

…onic-net#14269) (sonic-net#14353) Why I did it Fix some of vulnerability issue relative python packages sonic-net#14269 Pillow: [CVE-2021-27921] Wheel: [CVE-2022-40898] lxml: [CVE-2022-2309] How I did it
Junchao-Mellanox · Mar 20, 2023 · e5e8d46 · e5e8d46
1 parent 19a89aa
commit e5e8d46
Show file tree

Hide file tree

Showing 6 changed files with 38 additions and 12 deletions.
diff --git a/files/build/versions/dockers/sonic-slave-bullseye/versions-py3 b/files/build/versions/dockers/sonic-slave-bullseye/versions-py3
@@ -39,7 +39,7 @@ j2cli==0.3.10
 jinja2==2.11.3
 lazy-object-proxy==0.0.0
 logilab-common==1.8.1
-lxml==4.6.2
+lxml==4.9.1
 m2crypto==0.36.0
 mako==1.1.3
 markdown==3.3.4
@@ -107,4 +107,4 @@ webencodings==0.5.1
 wrapt==1.12.1
 xdg==5
 zipp==1.0.0
-zope.interface==5.2.0
+zope.interface==5.2.0
diff --git a/files/build/versions/dockers/sonic-slave-buster/versions-py2 b/files/build/versions/dockers/sonic-slave-buster/versions-py2
@@ -38,7 +38,7 @@ keyring==17.1.1
 keyrings.alt==3.1.1
 lazy-object-proxy==1.3.1
 logilab-common==1.4.2
-lxml==4.6.5
+lxml==4.9.1
 m2crypto==0.36.0
 markupsafe==1.1.0
 mccabe==0.6.1

diff --git a/files/build/versions/dockers/sonic-slave-buster/versions-py3 b/files/build/versions/dockers/sonic-slave-buster/versions-py3
@@ -24,7 +24,7 @@ importlib-metadata==6.1.0
 jinja2==3.0.3
 keyring==17.1.1
 keyrings.alt==3.1.1
-lxml==4.6.5
+lxml==4.9.1
 m2crypto==0.38.0
 mako==1.0.7
 markdown==3.0.1
@@ -75,4 +75,4 @@ typing_extensions==4.5.0
 unattended-upgrades==0.1
 unidiff==0.5.4
 urllib3==1.24.1
-zipp==3.15.0
+zipp==3.15.0
diff --git a/sonic-slave-bullseye/Dockerfile.j2 b/sonic-slave-bullseye/Dockerfile.j2
@@ -395,7 +395,7 @@ RUN apt-get purge -y python3-pip python3-yaml
 
 # For building Python packages
 RUN pip3 install setuptools==49.6.00
-RUN pip3 install wheel==0.35.1
+RUN pip3 install wheel==0.38.1
 
 # For building sonic-utilities
 RUN pip3 install fastentrypoints mock
@@ -405,6 +405,19 @@ RUN pip3 install pytest-runner==5.2
 RUN pip3 install nose==1.3.7
 RUN pip3 install mockredispy==2.9.3
 
+# Fix CVE-2021-23437, need to build and install libjpeg-dev for armhf for pillow 9.4.0
+{%- if CONFIGURED_ARCH == "armhf" %}
+RUN TMP_DIR=$(mktemp -d) && \
+    cd $TMP_DIR && \
+    apt-get install -y nasm && \
+    apt-get source libjpeg-turbo && \
+    cd $(ls -d libjpeg-turbo*/) && \
+    dpkg-buildpackage -rfakeroot -b -us -uc > $TMP_DIR/libjpeg-dev.log && \
+    dpkg -i $TMP_DIR/libjpeg*-dev*.deb && \
+    rm -rf $TMP_DIR
+{%- endif %}
+RUN pip3 install pillow==9.4.0
+
 # For p4 build
 RUN pip3 install \
          ctypesgen==1.0.2 \
@@ -422,7 +435,7 @@ RUN pip3 install j2cli==0.3.10
 
 # For sonic-mgmt-framework
 RUN pip3 install "PyYAML==5.4.1"
-RUN pip3 install "lxml==4.6.2"
+RUN pip3 install "lxml==4.9.1"
 
 # For sonic-platform-common testing
 RUN pip3 install redis

diff --git a/sonic-slave-buster/Dockerfile.j2 b/sonic-slave-buster/Dockerfile.j2
@@ -406,7 +406,7 @@ RUN apt-get purge -y python-pip python3-pip python3-yaml
 RUN pip2 install setuptools==40.8.0
 RUN pip2 install wheel==0.35.1
 RUN pip3 install setuptools==49.6.00
-RUN pip3 install wheel==0.35.1
+RUN pip3 install wheel==0.38.1
 
 # For building sonic-utilities
 RUN pip2 install fastentrypoints
@@ -420,6 +420,19 @@ RUN pip3 install nose==1.3.7
 RUN pip2 install mockredispy==2.9.3
 RUN pip3 install mockredispy==2.9.3
 
+# Fix CVE-2021-23437, need to build and install libjpeg-dev for armhf for pillow 9.4.0
+{%- if CONFIGURED_ARCH == "armhf" %}
+RUN TMP_DIR=$(mktemp -d) && \
+    cd $TMP_DIR && \
+    apt-get install -y nasm && \
+    apt-get source libjpeg-turbo && \
+    cd $(ls -d libjpeg-turbo*/) && \
+    dpkg-buildpackage -rfakeroot -b -us -uc > $TMP_DIR/libjpeg-dev.log && \
+    dpkg -i $TMP_DIR/libjpeg*-dev*.deb && \
+    rm -rf $TMP_DIR
+{%- endif %}
+RUN pip3 install pillow==9.4.0
+
 # For Python 2 unit tests, we need 'mock'. The last version of 'mock'
 # which supports Python 2 is 3.0.5. In Python 3, 'mock' is part of 'unittest'
 # in the standard library
@@ -448,8 +461,8 @@ RUN pip3 install Jinja2==3.0.3
 # For sonic-mgmt-framework
 RUN pip2 install "PyYAML==5.4.1"
 RUN pip3 install "PyYAML==5.4.1"
-RUN pip2 install "lxml==4.6.5"
-RUN pip3 install "lxml==4.6.5"
+RUN pip2 install "lxml==4.9.1"
+RUN pip3 install "lxml==4.9.1"
 
 # For sonic-platform-common testing
 RUN pip3 install redis

diff --git a/sonic-slave-stretch/Dockerfile.j2 b/sonic-slave-stretch/Dockerfile.j2
@@ -331,8 +331,8 @@ RUN pip3 install mockredispy==2.9.3
 # For sonic-mgmt-framework
 RUN pip2 install "PyYAML==5.3.1"
 RUN pip3 install "PyYAML==5.3.1"
-RUN pip2 install "lxml==4.6.5"
-RUN pip3 install "lxml==4.6.5"
+RUN pip2 install "lxml==4.9.1"
+RUN pip3 install "lxml==4.9.1"
 
 
 # For sonic-platform-common testing