
Commit e5e8d46

[Security] Fix some of vulnerability issue relative python packages (#14269) (#14353)
Why I did it: Fix some vulnerability issues related to Python packages (#14269). Pillow: [CVE-2021-27921]; Wheel: [CVE-2022-40898]; lxml: [CVE-2022-2309]. How I did it:
1 parent 19a89aa commit e5e8d46


6 files changed

+38
-12
lines changed


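--- a/files/build/versions/dockers/sonic-slave-bullseye/versions-py3
+++ b/files/build/versions/dockers/sonic-slave-bullseye/versions-py3
@@ -39,7 +39,7 @@ j2cli==0.3.10
 jinja2==2.11.3
 lazy-object-proxy==0.0.0
 logilab-common==1.8.1
-lxml==4.6.2
+lxml==4.9.1
 m2crypto==0.36.0
 mako==1.1.3
 markdown==3.3.4
@@ -107,4 +107,4 @@ webencodings==0.5.1
 wrapt==1.12.1
 xdg==5
 zipp==1.0.0
-zope.interface==5.2.0
+zope.interface==5.2.0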

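--- a/files/build/versions/dockers/sonic-slave-buster/versions-py2
+++ b/files/build/versions/dockers/sonic-slave-buster/versions-py2
@@ -38,7 +38,7 @@ keyring==17.1.1
 keyrings.alt==3.1.1
 lazy-object-proxy==1.3.1
 logilab-common==1.4.2
-lxml==4.6.5
+lxml==4.9.1
 m2crypto==0.36.0
 markupsafe==1.1.0
 mccabe==0.6.1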

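--- a/files/build/versions/dockers/sonic-slave-buster/versions-py3
+++ b/files/build/versions/dockers/sonic-slave-buster/versions-py3
@@ -24,7 +24,7 @@ importlib-metadata==6.1.0
 jinja2==3.0.3
 keyring==17.1.1
 keyrings.alt==3.1.1
-lxml==4.6.5
+lxml==4.9.1
 m2crypto==0.38.0
 mako==1.0.7
 markdown==3.0.1
@@ -75,4 +75,4 @@ typing_extensions==4.5.0
 unattended-upgrades==0.1
 unidiff==0.5.4
 urllib3==1.24.1
-zipp==3.15.0
+zipp==3.15.0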

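--- a/sonic-slave-bullseye/Dockerfile.j2
+++ b/sonic-slave-bullseye/Dockerfile.j2
@@ -395,7 +395,7 @@ RUN apt-get purge -y python3-pip python3-yaml
 
 # For building Python packages
 RUN pip3 install setuptools==49.6.00
-RUN pip3 install wheel==0.35.1
+RUN pip3 install wheel==0.38.1
 
 # For building sonic-utilities
 RUN pip3 install fastentrypoints mock
@@ -405,6 +405,19 @@ RUN pip3 install pytest-runner==5.2
 RUN pip3 install nose==1.3.7
 RUN pip3 install mockredispy==2.9.3
 
+# Fix CVE-2021-23437, need to build and install libjpeg-dev for armhf for pillow 9.4.0
+{%- if CONFIGURED_ARCH == "armhf" %}
+RUN TMP_DIR=$(mktemp -d) && \
+cd $TMP_DIR && \
+apt-get install -y nasm && \
+apt-get source libjpeg-turbo && \
+cd $(ls -d libjpeg-turbo*/) && \
+dpkg-buildpackage -rfakeroot -b -us -uc > $TMP_DIR/libjpeg-dev.log && \
+dpkg -i $TMP_DIR/libjpeg*-dev*.deb && \
+rm -rf $TMP_DIR
+{%- endif %}
+RUN pip3 install pillow==9.4.0
+
 # For p4 build
 RUN pip3 install \
 ctypesgen==1.0.2 \
@@ -422,7 +435,7 @@ RUN pip3 install j2cli==0.3.10
 
 # For sonic-mgmt-framework
 RUN pip3 install "PyYAML==5.4.1"
-RUN pip3 install "lxml==4.6.2"
+RUN pip3 install "lxml==4.9.1"
 
 # For sonic-platform-common testing
 RUN pip3 install redis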
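Review bot: The armhf libjpeg-turbo build added in the second hunk calls `apt-get install -y nasm` and `apt-get source libjpeg-turbo` without an `apt-get update` in the same layer, so it depends on package lists left by an earlier layer outside this hunk and fails if that layer cleaned `/var/lib/apt/lists` (hadolint DL3009). The layer also keeps `nasm` and the apt lists in the image although they are only needed to produce the .deb; changing the install line to `apt-get update && apt-get install -y --no-install-recommends nasm && \` and the last line to `rm -rf $TMP_DIR /var/lib/apt/lists/*` addresses both, with an `apt-get purge -y nasm` added if nothing later in the file needs it. `apt-get source` presumably requires deb-src entries enabled on the armhf slave, which this hunk does not show. The comment above the block cites CVE-2021-23437 while the commit description lists CVE-2021-27921 for Pillow; the comment should name the CVE the pillow==9.4.0 bump is meant to close, e.g. `# Fix CVE-2021-27921 (see also CVE-2021-23437): pillow 9.4.0 needs libjpeg-dev on armhf, built locally here`. The same block is added to sonic-slave-buster/Dockerfile.j2 and these notes apply there as well.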

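--- a/sonic-slave-buster/Dockerfile.j2
+++ b/sonic-slave-buster/Dockerfile.j2
@@ -406,7 +406,7 @@ RUN apt-get purge -y python-pip python3-pip python3-yaml
 RUN pip2 install setuptools==40.8.0
 RUN pip2 install wheel==0.35.1
 RUN pip3 install setuptools==49.6.00
-RUN pip3 install wheel==0.35.1
+RUN pip3 install wheel==0.38.1
 
 # For building sonic-utilities
 RUN pip2 install fastentrypoints
@@ -420,6 +420,19 @@ RUN pip3 install nose==1.3.7
 RUN pip2 install mockredispy==2.9.3
 RUN pip3 install mockredispy==2.9.3
 
+# Fix CVE-2021-23437, need to build and install libjpeg-dev for armhf for pillow 9.4.0
+{%- if CONFIGURED_ARCH == "armhf" %}
+RUN TMP_DIR=$(mktemp -d) && \
+cd $TMP_DIR && \
+apt-get install -y nasm && \
+apt-get source libjpeg-turbo && \
+cd $(ls -d libjpeg-turbo*/) && \
+dpkg-buildpackage -rfakeroot -b -us -uc > $TMP_DIR/libjpeg-dev.log && \
+dpkg -i $TMP_DIR/libjpeg*-dev*.deb && \
+rm -rf $TMP_DIR
+{%- endif %}
+RUN pip3 install pillow==9.4.0
+
 # For Python 2 unit tests, we need 'mock'. The last version of 'mock'
 # which supports Python 2 is 3.0.5. In Python 3, 'mock' is part of 'unittest'
 # in the standard library
@@ -448,8 +461,8 @@ RUN pip3 install Jinja2==3.0.3
 # For sonic-mgmt-framework
 RUN pip2 install "PyYAML==5.4.1"
 RUN pip3 install "PyYAML==5.4.1"
-RUN pip2 install "lxml==4.6.5"
-RUN pip3 install "lxml==4.6.5"
+RUN pip2 install "lxml==4.9.1"
+RUN pip3 install "lxml==4.9.1"
 
 # For sonic-platform-common testing
 RUN pip3 install redis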

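--- a/sonic-slave-stretch/Dockerfile.j2
+++ b/sonic-slave-stretch/Dockerfile.j2
@@ -331,8 +331,8 @@ RUN pip3 install mockredispy==2.9.3
 # For sonic-mgmt-framework
 RUN pip2 install "PyYAML==5.3.1"
 RUN pip3 install "PyYAML==5.3.1"
-RUN pip2 install "lxml==4.6.5"
-RUN pip3 install "lxml==4.6.5"
+RUN pip2 install "lxml==4.9.1"
+RUN pip3 install "lxml==4.9.1"
 
 
 # For sonic-platform-common testing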
