tl-its-umich-edu/my-learning-analytics

Vulnerability: CVE-2015-20107, Python

Closed this issue · 8 comments

From vulnerabilities spreadsheet, based on Unizin analysis:

| CVE ID | Effective Severity | Severity | Impacted Image | Vulnerable Package | Remediated Package | URL |
| --- | --- | --- | --- | --- | --- | --- |
| CVE-2015-20107 | CRITICAL | CRITICAL | gcr.io/unizin-core/myla:2022.01.01 | python3.9/3.9.2-1 | python3.9/MAXIMUM | https://security-tracker.debian.org/tracker/CVE-2015-20107 |

This issue is still open in Python https://bugs.python.org/issue24778

We aren't using the mailcap module. There is currently some work toward removing this module in 3.13, but it does look like there is a fix in one of the latest versions of 3.10 and there is a backport for the next security release of 3.9.

https://security-tracker.debian.org/tracker/CVE-2015-20107

MyLA is still running Python 3.8 and that should also get this release, but we may want to look to upgrading. I think we'll have to revisit this in the next release?

The fix is in Python 3.10.6-1. Will update docker image to Python 3.10 and verify the OpenShift vulnerability report.

@lsloan, we discussed this in the meeting. This is how I would approach it.

  1. Look at each of the Python dependencies and see if 3.10 is explicitly supported. Make a list of any that are not.
  2. If the list is empty, or only a couple don't support it, update the Docker base image to 3.10 and do a PRT of the tool, checking logs for errors. If all is well, it's probably okay to update.

If many dependencies don't support 3.10, or there is a problem when trying it, we'll have to wait on a patch to 3.8 or 3.9, and we can inform stakeholders that is our plan.
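The dependency audit in steps 1 and 2 above, as an added example that is not part of this thread or the MyLA code base: it parses a requirements.txt, then classifies each package by its Requires-Python specifier and trove classifiers (the fields `pip show -v` or PyPI's JSON API report) and returns the packages that do not explicitly declare support for the target version. The sample requirements and metadata are constructed for illustration.

```python
import re
# Constructed sample requirements.txt (hypothetical, not MyLA's real file).
REQUIREMENTS = """\
numpy==1.22.0
pandas==1.2.5
google-cloud-bigquery[pandas]==2.20.0  # extras and pins are ignored
"""

# Constructed per-package metadata (as `pip show -v` or PyPI's JSON API would report it): Requires-Python and classifiers.
METADATA = {
    "numpy": {"requires_python": ">=3.8", "classifiers": ["Programming Language :: Python :: 3.10"]},
    "pandas": {"requires_python": ">=3.7.1", "classifiers": ["Programming Language :: Python :: 3.9"]},
    "google-cloud-bigquery": {"requires_python": ">=3.6, <3.11", "classifiers": []},
}

def parse_requirements(text):
    """Return normalised project names, dropping extras, pins, comments and pip options."""
    names = []
    for line in (raw.split("#", 1)[0].strip() for raw in text.splitlines()):
        m = re.match(r"[A-Za-z0-9][A-Za-z0-9._-]*", line) if not line.startswith("-") else None
        if m:
            names.append(m.group(0).lower().replace("_", "-"))
    return names

def satisfies(spec, version):
    """Check a specifier set (>=, >, <=, <, ==, !=) against a dotted version; integer tuples keep 3.10 > 3.9."""
    ops = {">=": lambda a, b: a >= b, ">": lambda a, b: a > b, "<=": lambda a, b: a <= b,
           "<": lambda a, b: a < b, "==": lambda a, b: a == b, "!=": lambda a, b: a != b}
    target = tuple(int(p) for p in version.split("."))
    for clause in filter(None, (c.strip() for c in spec.split(","))):
        m = re.fullmatch(r"(>=|<=|==|!=|>|<)\s*([0-9.]+)", clause)
        if not m:
            raise ValueError(f"unsupported specifier clause: {clause!r}")
        if not ops[m.group(1)](target, tuple(int(p) for p in m.group(2).split("."))):
            return False
    return True

def support_status(meta, python_version):
    """'unknown' (no metadata), 'excluded' (Requires-Python rules it out), 'explicit' (classifier names it), else 'allowed'."""
    if meta is None:
        return "unknown"
    if meta.get("requires_python") and not satisfies(meta["requires_python"], python_version):
        return "excluded"
    named = f"Programming Language :: Python :: {python_version}" in meta.get("classifiers", [])
    return "explicit" if named else "allowed"

def needs_review(requirements_text, metadata, python_version="3.10"):
    """Map every requirement that does not explicitly declare support to its status."""
    statuses = {n: support_status(metadata.get(n), python_version) for n in parse_requirements(requirements_text)}
    return {n: s for n, s in statuses.items() if s != "explicit"}
```

Packages reported as `allowed` are the ones to try in a PRT and watch the logs for; `excluded` ones block the upgrade until they are bumped.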

I think if you switch the base image to 3.10-slim and then log in to the container and run `pip check`, it should tell you if everything is good. You'll also need to update the OpenShift Dockerfile. 3.10-slim is available there too. It hopefully should be noticeable if something isn't right.

Building with python:3.10-slim produced a whole raft of errors. It occurred in the pip install step using requirements.txt. The problems began with installing numpy. Looks like it had downloaded the version we specify, 1.22, but some other dependency along the way tries to install 1.19.3. After that, we get a message about `RuntimeWarning: NumPy 1.19.3 may not yet support Python 3.10.`

So, installing the newer Python and running pip check isn't cutting it at the moment. I'll need to step back to examining each of the dependencies, as @ssciolla suggested.

Looks like I'll need to update requirements.txt to use a newer version of pandas.

And google-cloud-bigquery[pandas], apparently.

I will QA this

Test passes

  1. Updated to Python version 3.10.7; pandas, numpy, pangres, google-cloud-bigquery[pandas] all updated to correct version
  2. cron ran successfully and did not see this warning: `UserWarning: pandas only support SQLAlchemy connectable(engine/connection) ordatabase string URI or sqlite3 DBAPI2 connectionother DBAPI2 objects are not tested, please consider using SQLAlchemy`
  3. All the views load fine