Closed mahithsuresh closed 3 years ago
Is 2.7 impacted? According to https://nvd.nist.gov/vuln/detail/CVE-2021-3177 only Python 3.x is impacted
Yeah - we use openjdk:8: https://snyk.io/test/docker/openjdk:8; it relies on 2.7, which has the buffer overflow vulnerability according to this. I also ran the python scripts that were used to determine whether there is impact, and that confirmed it.
openjdk:8 (the base image used by the spark container) has a dependency on python 2.7.16, which has a security vulnerability. Since openjdk:8 has not been updated and since python 2.7.16 has reached EOL, we are upgrading to python 3.6.13, which contains the fix for the vulnerability.
Upgraded to Python-3.6.13
Testing:
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
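The PR's reasoning (2.7 is EOL with no upstream fix; 3.6.13 carries the fix) can be turned into a repeatable version gate that is run against each image's `python --version` output. The script below is an added example written for this page, not code from the PR or the spark project. It assumes a policy that treats every 2.x interpreter as affected, and the 3.7/3.8/3.9 fix versions in `FIXED_IN` are taken from memory of the upstream release notes, so verify them against your own advisory feed; only 3.6.13 comes from the PR itself.

```python
import re
import sys

# Versions that carry the upstream fix for CVE-2021-3177, keyed by release line.
# 3.6.13 is the version named in the PR description; the 3.7/3.8/3.9 entries are
# an assumption taken from the upstream release notes and should be verified
# against your own advisory source before relying on them.
FIXED_IN = {
    (3, 6): (3, 6, 13),
    (3, 7): (3, 7, 10),
    (3, 8): (3, 8, 8),
    (3, 9): (3, 9, 2),
}

VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\b")


def parse_version(text):
    """Extract (major, minor, patch) from text such as 'Python 2.7.16'."""
    match = VERSION_RE.search(text)
    if not match:
        raise ValueError("no dotted version found in %r" % text)
    return tuple(int(part) for part in match.groups())


def is_affected(version):
    """Return True when the given interpreter version has no upstream fix.

    Policy encoded here (an assumption, matching the PR's reasoning):
      * Every 2.x interpreter is treated as affected: 2.7 reached end of life
        upstream, so no fixed 2.7 release exists.
      * 3.x lines with a known fix are compared against the fix version.
      * 3.x lines older than 3.6 are EOL and unfixed, so also affected.
      * 3.10 and later were released after the fix and are not affected.
    """
    major, minor, patch = version
    if major < 3:
        return True
    if major > 3:
        return False
    if (3, minor) in FIXED_IN:
        return (major, minor, patch) < FIXED_IN[(3, minor)]
    return minor < 6


def assess(version_output):
    """Parse `python --version` style output and return a one-line verdict."""
    version = parse_version(version_output)
    status = "AFFECTED" if is_affected(version) else "not affected"
    return "%d.%d.%d: %s (CVE-2021-3177)" % (version + (status,))


if __name__ == "__main__":
    # Sample output lines, constructed here; in practice feed the output of
    # `docker run --rm <image> python --version` (or python3) for each image.
    samples = ["Python 2.7.16", "Python 3.6.12", "Python 3.6.13", "Python 3.9.2"]
    for line in samples:
        print(assess(line))
    # Also report on the interpreter running this script.
    print("current interpreter:", assess("Python %d.%d.%d" % sys.version_info[:3]))
```

Run it inside each container (or pipe the captured `python --version` text into `assess`) as part of the image build check; a result of AFFECTED for the base image is the signal that the PR's upgrade, or a different base image, is needed. Note that `python --version` on 2.7 writes to stderr, so capture both streams when scripting this.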