Open dakotabenjamin opened 3 months ago
**Describe the bug**

Docker image builds fail due to being blocked by a CVE:

```
ghcr.io/hotosm/tasking-manager/backend:develop (debian 12.6)
============================================================
Total: 0 (CRITICAL: 0)

Python (python-pkg)
===================
Total: 1 (CRITICAL: 1)

┌───────────────────┬────────────────┬──────────┬────────┬───────────────────┬───────────────┬─────────────────────────────────────────────────────────────┐
│ Library           │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version │ Title                                                       │
├───────────────────┼────────────────┼──────────┼────────┼───────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
│ gevent (METADATA) │ CVE-2023-41419 │ CRITICAL │ fixed  │ 22.10.2           │ 23.9.0        │ python-gevent: privilege escalation via a crafted script to │
│                   │                │          │        │                   │               │ the WSGIServer component                                    │
│                   │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2023-41419                  │
└───────────────────┴────────────────┴──────────┴────────┴───────────────────┴───────────────┴─────────────────────────────────────────────────────────────┘
```
**Solution:** update gevent to (at minimum) the fixed version shown above.

**Expected behavior**

Docker images should build successfully in the CI workflow.

Setting to High priority because builds are blocked and the severity of the CVE is critical.
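The scan above is Trivy output; as an added example (not code from the issue or the tasking-manager project), the script below reads a Trivy JSON report, keeps findings that are both severe and fixable, and turns them into the minimal pip constraint an upgrade needs, plus the CI gate decision the issue describes. The report sample is constructed, and the field names follow Trivy's `--format json` schema as I remember it, which is an assumption.

```python
import json
import re

# Constructed sample in the shape of Trivy's `--format json` report (field names
# are an assumption from memory, not from the issue), reduced to the finding above.
SAMPLE_REPORT = json.dumps({"Results": [
    {"Target": "ghcr.io/hotosm/tasking-manager/backend:develop (debian 12.6)",
     "Type": "debian", "Vulnerabilities": []},
    {"Target": "Python", "Type": "python-pkg", "Vulnerabilities": [{
        "VulnerabilityID": "CVE-2023-41419", "PkgName": "gevent",
        "InstalledVersion": "22.10.2", "FixedVersion": "23.9.0",
        "Severity": "CRITICAL", "Status": "fixed"}]}]})

SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

def version_key(version: str) -> tuple:
    """Sort key over numeric release segments: '23.9.0' -> (23, 9, 0)."""
    parts = []
    for segment in version.split("."):
        digits = re.match(r"\d+", segment)  # tolerate suffixes such as '0rc1'
        if digits:
            parts.append(int(digits.group()))
    return tuple(parts)

def fixable_findings(report_json: str, min_severity: str = "HIGH") -> list[dict]:
    """Findings at or above min_severity for which upstream already ships a fix."""
    threshold = SEVERITY_RANK[min_severity]
    return [v for result in json.loads(report_json).get("Results", [])
            for v in result.get("Vulnerabilities") or []
            if SEVERITY_RANK.get(v.get("Severity", "UNKNOWN"), 0) >= threshold
            and v.get("FixedVersion")]

def pin_constraints(findings: list[dict]) -> list[str]:
    """One 'pkg>=fixed' line per package. Trivy lists several fixed versions
    ('1.2.3, 2.0.1') when more than one branch was patched: take the lowest one
    above the installed version, and the highest such floor across a package's CVEs."""
    floors: dict[str, str] = {}
    for v in findings:
        installed = version_key(v["InstalledVersion"])
        candidates = [c.strip() for c in v["FixedVersion"].split(",")]
        fixed = min((c for c in candidates if version_key(c) > installed),
                    key=version_key, default=candidates[-1])
        if v["PkgName"] not in floors or version_key(fixed) > version_key(floors[v["PkgName"]]):
            floors[v["PkgName"]] = fixed
    return sorted(f"{pkg}>={ver}" for pkg, ver in floors.items())

def build_should_fail(report_json: str) -> bool:
    """CI gate matching the issue: block the image on fixable CRITICAL findings."""
    return bool(fixable_findings(report_json, "CRITICAL"))
```

Writing the output of `pin_constraints` to a constraints file and installing with `pip install -c` pins the floor without loosening the rest of the lockfile.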