databricks / containers

Sample base images for Databricks Container Services
Apache License 2.0
167 stars, 118 forks

Runtime images include vulnerable Pyarrow version #185

Open cdagraca opened 7 months ago

cdagraca commented 7 months ago

13.3-LTS and 14.3-LTS both still use pyarrow 8.0.0, which contains CVE-2023-47248. It appears this has been patched for actual runtime environments but not for the corresponding docker images.

serhio-k commented 7 months ago

Since there is no fix for docker images, pyarrow_hotfix is the only option for the moment.
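An added check (not code from the databricks/containers repository or from either commenter) that classifies a pinned pyarrow version as fixed, mitigated by pyarrow_hotfix, or still exposed to CVE-2023-47248; it assumes the published affected range (pyarrow 0.14.0 up to and including 14.0.0, fixed in 14.0.1) and uses a constructed image inventory with the 8.0.0 pin named in the issue.

```python
"""Classify pyarrow pins against CVE-2023-47248 (added example, not project code)."""
from importlib.metadata import PackageNotFoundError, version as dist_version

# CVE-2023-47248 affects pyarrow 0.14.0 through 14.0.0; 14.0.1 ships the fix.
FIRST_AFFECTED = (0, 14, 0)
FIRST_FIXED = (14, 0, 1)


def parse_version(text: str) -> tuple:
    """Turn '8.0.0' or '14.0.1.dev0' into a comparable (major, minor, patch) tuple;
    non-numeric suffixes are dropped, missing components default to 0."""
    parts = []
    for piece in text.split(".")[:3]:
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits or 0))
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def is_affected(pyarrow_version: str) -> bool:
    """True when the version falls inside the vulnerable range."""
    return FIRST_AFFECTED <= parse_version(pyarrow_version) < FIRST_FIXED


def assess(pyarrow_version: str, hotfix_installed: bool) -> str:
    """'fixed' (patched build), 'mitigated' (vulnerable build but the
    pyarrow_hotfix package is present) or 'vulnerable'."""
    if not is_affected(pyarrow_version):
        return "fixed"
    return "mitigated" if hotfix_installed else "vulnerable"


def assess_inventory(pins: dict) -> dict:
    """pins maps image tag -> (pyarrow version, hotfix present)."""
    return {tag: assess(ver, hotfix) for tag, (ver, hotfix) in pins.items()}


def assess_live_environment() -> str:
    """Inspect the interpreter this runs in, e.g. inside a built container image.
    Only checks that the pyarrow_hotfix distribution is installed; the process
    still has to import it for the mitigation to take effect."""
    try:
        ver = dist_version("pyarrow")
    except PackageNotFoundError:
        return "not-installed"
    try:
        dist_version("pyarrow_hotfix")
        hotfix = True
    except PackageNotFoundError:
        hotfix = False
    return assess(ver, hotfix)


if __name__ == "__main__":
    # Constructed inventory: both LTS images in the issue pin pyarrow 8.0.0.
    sample = {"13.3-LTS": ("8.0.0", False), "14.3-LTS": ("8.0.0", True)}
    for tag, status in assess_inventory(sample).items():
        print(f"{tag}: {status}")
    print("this environment:", assess_live_environment())
```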

cdagraca commented 7 months ago

I have a fork of 13.3-LTS with working library upgrades for ubuntu (python, dbfuse, standard). I can do the same for 14.3-LTS. I'm just having trouble working out how to build and test all of the other images so I can raise a PR.