Vulnerabilities in the superset image

[JayaniH]

We are hoping to deploy Apache Superset for a data visualization task, and we carried out a Trivy scan (https://github.com/aquasecurity/trivy) of the superset image prior to the deployment which detected a significant number of vulnerabilities.

apache/superset:2.0.0 (debian 11.2) (Digest sha256:ca32ff641daca7447edfe78345e1abbc3b278895b1d4a245e69e28020e3310b7)
Total: 879 (MEDIUM: 384, HIGH: 428, CRITICAL: 67)

Python
Total: 4 (MEDIUM: 0, HIGH: 2, CRITICAL: 2)

The latest image of superset has less number of vulnerabilities.

apache/superset:latest (debian 11.4) (Digest sha256:1397d3d4f1c5da406175df6b1529d7c39cb6cab486f6852577dc985a0208f151)
Total: 635 (MEDIUM: 250, HIGH: 343, CRITICAL: 42)

Python
Total: 4 (MEDIUM: 1, HIGH: 1, CRITICAL: 2)

1. Can we know when the superset team is planning to do a new release that includes this new Debian version in the image?

2. As the latest image also contain many vulnerabilities and fixed versions have been released for some of these, is it possible to get these packages upgraded as well?
   E.g. Curl version 7.74.0-1.3+deb11u1 in the image has been detected as vulnerable. There is a fixed version 7.74.0-1.3+deb11u2.

[qwerty1q2w]

+1 I think a lot of people use superset to analyze critical data. Could you prepare an image without vulnerabilities please?

[qwerty1q2w]

Vulnerabilities.

        <div>

Cve	Package	Cvss	Title	Description
CVE-2022-0204	libbluetooth-dev libbluetooth3	8.8	bluez: heap-based buffer overflow in the implementation of the gatt protocol	A heap overflow vulnerability was found in bluez in versions prior to 5.63. An attacker with local network access could pass specially crafted files causing an application to halt or crash, leading to a denial of service.
CVE-2021-43400	libbluetooth-dev libbluetooth3	9.1	bluez: use-after-free in gatt-database.c	An issue was discovered in gatt-database.c in BlueZ 5.61. A use-after-free can occur when a client disconnects during D-Bus processing of a WriteValue call.
CVE-2022-3649	linux-libc-dev	9.8	kernel: nilfs2: use-after-free in nilfs_new_inode of fs/nilfs2/inode.c	A vulnerability was found in Linux Kernel. It has been classified as problematic. Affected is the function nilfs_new_inode of the file fs/nilfs2/inode.c of the component BPF. The manipulation leads to use after free. It is possible to launch the attack remotely. It is recommended to apply a patch to fix this issue. The identifier of this vulnerability is VDB-211992.
CVE-2020-26560	libbluetooth-dev libbluetooth3	8.1	kernel: impersonation attack in Bluetooth Mesh Provisioning	Bluetooth Mesh Provisioning in the Bluetooth Mesh profile 1.0 and 1.0.1 may permit a nearby device, reflecting the authentication evidence from a Provisioner, to complete authentication without possessing the AuthValue, and potentially acquire a NetKey and AppKey.
CVE-2022-41903	git git-man	9.8	Git is distributed revision control system. git log can display comm ...	Git is distributed revision control system. git log can display commits in an arbitrary format using its --format specifiers. This functionality is also exposed to git archive via the export-subst gitattribute. When processing the padding operators, there is a integer overflow in pretty.c::format_and_pad_commit() where a size_t is stored improperly as an int, and then added as an offset to a memcpy(). This overflow can be triggered directly by a user running a command which invokes the commit formatting machinery (e.g., git log --format=...). It may also be triggered indirectly through git archive via the export-subst mechanism, which expands format specifiers inside of files within the repository during a git archive. This integer overflow can result in arbitrary heap writes, which may result in arbitrary code execution. The problem has been patched in the versions published on 2023-01-17, going back to v2.30.7. Users are advised to upgrade. Users who are unable to upgrade should disable git archive in untrusted repositories. If you expose git archive via git daemon, disable it by running git config --global daemon.uploadArch false.
CVE-2022-40674	libexpat1 libexpat1-dev	9.8	expat: a use-after-free in the doContent function in xmlparse.c	libexpat before 2.4.9 has a use-after-free in the doContent function in xmlparse.c.
CVE-2022-23218	libc-bin libc-dev-bin libc6 libc6-dev	9.8	glibc: Stack-based buffer overflow in svcunix_create via long pathnames	The deprecated compatibility function svcunix_create in the sunrpc module of the GNU C Library (aka glibc) through 2.34 copies its path argument on the stack without validating its length, which may result in a buffer overflow, potentially resulting in a denial of service or (if an application is not built with a stack protector enabled) arbitrary code execution.
CVE-2021-33574	libc-bin libc-dev-bin libc6 libc6-dev	9.8	glibc: mq_notify does not handle separately allocated thread attributes	The mq_notify function in the GNU C Library (aka glibc) versions 2.32 and 2.33 has a use-after-free. It may use the notification thread attributes object (passed through its struct sigevent parameter) after it has been freed by the caller, leading to a denial of service (application crash) or possibly unspecified other impact.
CVE-2021-22945	curl libcurl3-gnutls libcurl4 libcurl4-openssl-dev	9.1	curl: use-after-free and double-free in MQTT sending	When sending data to an MQTT server, libcurl <= 7.73.0 and 7.78.0 could in some circumstances erroneously keep a pointer to an already freed memory area and both use that again in a subsequent call to send data and also free it again.
CVE-2022-23219	libc-bin libc-dev-bin libc6 libc6-dev	9.8	glibc: Stack-based buffer overflow in sunrpc clnt_create via a long pathname	The deprecated compatibility function clnt_create in the sunrpc module of the GNU C Library (aka glibc) through 2.34 copies its hostname argument on the stack without validating its length, which may result in a buffer overflow, potentially resulting in a denial of service or (if an application is not built with a stack protector enabled) arbitrary code execution.
CVE-2022-44638	libpixman-1-0 libpixman-1-dev	8.8	pixman: Integer overflow in pixman_sample_floor_y leading to heap out-of-bounds write	In libpixman in Pixman before 0.42.2, there is an out-of-bounds write (aka heap-based buffer overflow) in rasterize_edges_8 due to an integer overflow in pixman_sample_floor_y.
CVE-2022-1253	libde265-0	9.8	Heap-based Buffer Overflow in GitHub repository strukturag/libde265 pr ...	Heap-based Buffer Overflow in GitHub repository strukturag/libde265 prior to and including 1.0.8. The fix is established in commit 8e89fe0e175d2870c39486fdd09250b230ec10b8 but does not yet belong to an official release.
CVE-2022-32207	curl libcurl3-gnutls libcurl4 libcurl4-openssl-dev	9.8	curl: Unpreserved file permissions	When curl < 7.84.0 saves cookies, alt-svc and hsts data to local files, it makes the operation atomic by finalizing the operation with a rename from a temporary name to the final target file name.In that rename operation, it might accidentally widen the permissions for the target file, leaving the updated file accessible to more users than intended.
CVE-2022-32221	curl libcurl3-gnutls libcurl4 libcurl4-openssl-dev	9.8	curl: POST following PUT confusion	When doing HTTP(S) transfers, libcurl might erroneously use the read callback (CURLOPT_READFUNCTION) to ask for data to send, even when the CURLOPT_POSTFIELDS option has been set, if the same handle previously was used to issue a PUT request which used that callback. This flaw may surprise the application and cause it to misbehave and either send off the wrong data or use memory after free or similar in the subsequent POST request. The problem exists in the logic for a reused handle when it is changed from a PUT to a POST.
CVE-2022-22576	curl libcurl3-gnutls libcurl4 libcurl4-openssl-dev	8.1	curl: OAUTH2 bearer bypass in connection re-use	An improper authentication vulnerability exists in curl 7.33.0 to and including 7.82.0 which might allow reuse OAUTH2-authenticated connections without properly making sure that the connection was authenticated with the same credentials as set for this transfer. This affects SASL-enabled protocols: SMPTP(S), IMAP(S), POP3(S) and LDAP(S) (openldap only).
CVE-2022-41674	linux-libc-dev	8.1	kernel: u8 overflow problem in cfg80211_update_notlisted_nontrans()	An issue was discovered in the Linux kernel before 5.19.16. Attackers able to inject WLAN frames could cause a buffer overflow in the ieee80211_bss_info_update function in net/mac80211/scan.c.
CVE-2022-0435	linux-libc-dev	8.8	kernel: remote stack overflow via kernel panic on systems using TIPC may lead to DoS	A stack overflow flaw was found in the Linux kernel's TIPC protocol functionality in the way a user sends a packet with malicious content where the number of domain member nodes is higher than the 64 allowed. This flaw allows a remote user to crash the system or possibly escalate their privileges if they have access to the TIPC network.
CVE-2022-47629	libksba8	9.8	libksba: integer overflow to code execution	Libksba before 1.6.3 is prone to an integer overflow vulnerability in the CRL signature parser.
CVE-2022-42896	linux-libc-dev	8.8	kernel: use-after-free in l2cap_connect and l2cap_le_connect_req in net/bluetooth/l2cap_core.c	There are use-after-free vulnerabilities in the Linux kernel's net/bluetooth/l2cap_core.c's l2cap_connect and l2cap_le_connect_req functions which may allow code execution and leaking kernel memory (respectively) remotely via Bluetooth. A remote attacker could execute code leaking kernel memory via Bluetooth if within proximity of the victim. We recommend upgrading past commit https://www.google.com/url torvalds/linux@711f8c3 https://www.google.com/url
CVE-2022-42719	linux-libc-dev	8.8	kernel: A use-after-free problem observed in multi-BSSID element when parsing	A use-after-free in the mac80211 stack when parsing a multi-BSSID element in the Linux kernel 5.2 through 5.19.x before 5.19.16 could be used by attackers (able to inject WLAN frames) to crash the kernel and potentially execute code.
CVE-2019-8457	libdb5.3 libdb5.3-dev	9.8	sqlite: heap out-of-bound read in function rtreenode()	SQLite3 from 3.6.0 to and including 3.27.2 is vulnerable to heap out-of-bound read in the rtreenode() function when handling invalid rtree tables.
CVE-2021-30560	libxslt1-dev libxslt1.1	8.8	Use after free in Blink XSLT in Google Chrome prior to 91.0.4472.164 a ...	Use after free in Blink XSLT in Google Chrome prior to 91.0.4472.164 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
CVE-2022-1292	libssl-dev libssl1.1 openssl	9.8	openssl: c_rehash script allows command injection	The c_rehash script does not properly sanitise shell metacharacters to prevent command injection. This script is distributed by some operating systems in a manner where it is automatically executed. On such operating systems, an attacker could execute arbitrary commands with the privileges of the script. Use of the c_rehash script is considered obsolete and should be replaced by the OpenSSL rehash command line tool. Fixed in OpenSSL 3.0.3 (Affected 3.0.0,3.0.1,3.0.2). Fixed in OpenSSL 1.1.1o (Affected 1.1.1-1.1.1n). Fixed in OpenSSL 1.0.2ze (Affected 1.0.2-1.0.2zd).
CVE-2021-46848	libtasn1-6	9.1	libtasn1: Out-of-bound access in ETYPE_OK	GNU Libtasn1 before 4.19.0 has an ETYPE_OK off-by-one array size check that affects asn1_encode_simple_der.
CVE-2022-2068	libssl-dev libssl1.1 openssl	9.8	openssl: the c_rehash script allows command injection	In addition to the c_rehash shell command injection identified in CVE-2022-1292, further circumstances where the c_rehash script does not properly sanitise shell metacharacters to prevent command injection were found by code review. When the CVE-2022-1292 was fixed it was not discovered that there are other places in the script where the file names of certificates being hashed were possibly passed to a command executed through the shell. This script is distributed by some operating systems in a manner where it is automatically executed. On such operating systems, an attacker could execute arbitrary commands with the privileges of the script. Use of the c_rehash script is considered obsolete and should be replaced by the OpenSSL rehash command line tool. Fixed in OpenSSL 3.0.4 (Affected 3.0.0,3.0.1,3.0.2,3.0.3). Fixed in OpenSSL 1.1.1p (Affected 1.1.1-1.1.1o). Fixed in OpenSSL 1.0.2zf (Affected 1.0.2-1.0.2ze).
CVE-2022-3970	libtiff-dev libtiff5 libtiffxx5	8.8	libtiff: integer overflow in function TIFFReadRGBATileExt of the file	A vulnerability was found in LibTIFF. It has been classified as critical. This affects the function TIFFReadRGBATileExt of the file libtiff/tif_getimage.c. The manipulation leads to integer overflow. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The name of the patch is 227500897dfb07fb7d27f7aa570050e62617e3be. It is recommended to apply a patch to fix this issue. The identifier VDB-213549 was assigned to this vulnerability.
CVE-2022-1586	libpcre2-16-0 libpcre2-32-0 libpcre2-8-0 libpcre2-dev libpcre2-posix2	9.1	pcre2: Out-of-bounds read in compile_xclass_matchingpath in pcre2_jit_compile.c	An out-of-bounds read vulnerability was discovered in the PCRE2 library in the compile_xclass_matchingpath() function of the pcre2_jit_compile.c file. This involves a unicode property matching issue in JIT-compiled regular expressions. The issue occurs because the character was not fully read in case-less matching within JIT.
CVE-2022-27404	libfreetype-dev libfreetype6 libfreetype6-dev	9.8	FreeType: Buffer overflow in sfnt_init_face	FreeType commit 1e2eb65048f75c64b68708efed6ce904c31f3b2f was discovered to contain a heap buffer overflow via the function sfnt_init_face.
CVE-2022-29155	libldap-2.4-2	9.8	openldap: OpenLDAP SQL injection	In OpenLDAP 2.x before 2.5.12 and 2.6.x before 2.6.2, a SQL injection vulnerability exists in the experimental back-sql backend to slapd, via a SQL statement within an LDAP query. This can occur during an LDAP search operation when the search filter is processed, due to a lack of proper escaping.
CVE-2022-3640	linux-libc-dev	8.8	kernel: use after free flaw in l2cap_conn_del in net/bluetooth/l2cap_core.c	A vulnerability, which was classified as critical, was found in Linux Kernel. Affected is the function l2cap_conn_del of the file net/bluetooth/l2cap_core.c of the component Bluetooth. The manipulation leads to use after free. It is recommended to apply a patch to fix this issue. The identifier of this vulnerability is VDB-211944.
CVE-2022-1012	linux-libc-dev	8.2	kernel: Small table perturb size in the TCP source port generation algorithm can lead to information leak	A memory leak problem was found in the TCP source port generation algorithm in net/ipv4/tcp.c due to the small table perturb size. This flaw may allow an attacker to information leak and may cause a denial of service problem.
CVE-2022-1587	libpcre2-16-0 libpcre2-32-0 libpcre2-8-0 libpcre2-dev libpcre2-posix2	9.1	pcre2: Out-of-bounds read in get_recurse_data_length in pcre2_jit_compile.c	An out-of-bounds read vulnerability was discovered in the PCRE2 library in the get_recurse_data_length() function of the pcre2_jit_compile.c file. This issue affects recursions in JIT-compiled regular expressions caused by duplicate data transfers.
CVE-2022-39260	git git-man	8.8	git: git shell function that splits command arguments can lead to arbitrary heap writes.	Git is an open source, scalable, distributed revision control system. git shell is a restricted login shell that can be used to implement Git's push/pull functionality via SSH. In versions prior to 2.30.6, 2.31.5, 2.32.4, 2.33.5, 2.34.5, 2.35.5, 2.36.3, and 2.37.4, the function that splits the command arguments into an array improperly uses an int to represent the number of entries in the array, allowing a malicious actor to intentionally overflow the return value, leading to arbitrary heap writes. Because the resulting array is then passed to execv(), it is possible to leverage this attack to gain remote code execution on a victim machine. Note that a victim must first allow access to git shell as a login shell in order to be vulnerable to this attack. This problem is patched in versions 2.30.6, 2.31.5, 2.32.4, 2.33.5, 2.34.5, 2.35.5, 2.36.3, and 2.37.4 and users are advised to upgrade to the latest version. Disabling git shell access via remote logins is a viable short-term workaround.
CVE-2022-42898	krb5-multidev libgssapi-krb5-2 libgssrpc4 libk5crypto3 libkadm5clnt-mit12 libkadm5srv-mit12 libkdb5-10 libkrb5-3 libkrb5-dev libkrb5support0	8.8	krb5: integer overflow vulnerabilities in PAC parsing	PAC parsing in MIT Kerberos 5 (aka krb5) before 1.19.4 and 1.20.x before 1.20.1 has integer overflows that may lead to remote code execution (in KDC, kadmind, or a GSS or Kerberos application server) on 32-bit platforms (which have a resultant heap-based buffer overflow), and cause a denial of service on other platforms. This occurs in krb5_pac_parse in lib/krb5/krb/pac.c. Heimdal before 7.7.1 has "a similar bug."
CVE-2020-21598	libde265-0	8.8	libde265 v1.0.4 contains a heap buffer overflow in the ff_hevc_put_unw ...	libde265 v1.0.4 contains a heap buffer overflow in the ff_hevc_put_unweighted_pred_8_sse function, which can be exploited via a crafted a file.
CVE-2021-44648	gir1.2-gdkpixbuf-2.0 libgdk-pixbuf-2.0-0 libgdk-pixbuf-2.0-dev libgdk-pixbuf2.0-bin libgdk-pixbuf2.0-common	8.8	gdk-pixbuf: heap-buffer overflow when decoding the lzw compressed stream of image data	GNOME gdk-pixbuf 2.42.6 is vulnerable to a heap-buffer overflow vulnerability when decoding the lzw compressed stream of image data in GIF files with lzw minimum code size equals to 12.
CVE-2020-36131	libaom0	8.8	AOM v2.0.1 was discovered to contain a stack buffer overflow via the c ...	AOM v2.0.1 was discovered to contain a stack buffer overflow via the component stats/rate_hist.c.
CVE-2020-26559	libbluetooth-dev libbluetooth3	8.8	kernel: Authvalue leak in Bluetooth Mesh Provisioning	Bluetooth Mesh Provisioning in the Bluetooth Mesh profile 1.0 and 1.0.1 may permit a nearby device (participating in the provisioning protocol) to identify the AuthValue used given the Provisioner’s public key, and the confirmation number and nonce provided by the provisioning device. This could permit a device without the AuthValue to complete provisioning without brute-forcing the AuthValue.
CVE-2022-37434	zlib1g zlib1g-dev	9.8	zlib: heap-based buffer over-read and overflow in inflate() in inflate.c via a large gzip header extra field	zlib through 1.2.12 has a heap-based buffer over-read or buffer overflow in inflate in inflate.c via a large gzip header extra field. NOTE: only applications that call inflateGetHeader are affected. Some common applications bundle the affected zlib source code but may be unable to call inflateGetHeader (e.g., see the nodejs/node reference).
CVE-2020-36133	libaom0	8.8	AOM v2.0.1 was discovered to contain a global buffer overflow via the ...	AOM v2.0.1 was discovered to contain a global buffer overflow via the component av1/encoder/partition_search.h.
CVE-2022-39177	libbluetooth-dev libbluetooth3	8.8	bluez: BlueZ allows physically proximate attackers to cause a denial of service because malformed and invalid capabilities can be processed in profiles/audio/avdtp.c	BlueZ before 5.59 allows physically proximate attackers to cause a denial of service because malformed and invalid capabilities can be processed in profiles/audio/avdtp.c.
CVE-2022-1664	dpkg dpkg-dev libdpkg-perl	9.8	Dpkg::Source::Archive in dpkg, the Debian package management system, b ...	Dpkg::Source::Archive in dpkg, the Debian package management system, before version 1.21.8, 1.20.10, 1.19.8, 1.18.26 is prone to a directory traversal vulnerability. When extracting untrusted source packages in v2 and v3 source package formats that include a debian.tar, the in-place extraction can lead to directory traversal situations on specially crafted orig.tar and debian.tar tarballs.
CVE-2022-48281	libtiff-dev libtiff5 libtiffxx5	8.8	processCropSelections in tools/tiffcrop.c in LibTIFF through 4.5.0 has ...	processCropSelections in tools/tiffcrop.c in LibTIFF through 4.5.0 has a heap-based buffer overflow (e.g., "WRITE of size 307203") via a crafted TIFF image.
CVE-2021-29921	libpython3.9-minimal libpython3.9-stdlib python3.9 python3.9-minimal	9.8	python-ipaddress: Improper input validation of octal strings	In Python before 3,9,5, the ipaddress library mishandles leading zero characters in the octets of an IP address string. This (in some situations) allows attackers to bypass access control that is based on IP addresses.
CVE-2022-23521	git git-man	9.8	Git is distributed revision control system. gitattributes are a mechan ...	Git is distributed revision control system. gitattributes are a mechanism to allow defining attributes for paths. These attributes can be defined by adding a .gitattributes file to the repository, which contains a set of file patterns and the attributes that should be set for paths matching this pattern. When parsing gitattributes, multiple integer overflows can occur when there is a huge number of path patterns, a huge number of attributes for a single pattern, or when the declared attribute names are huge. These overflows can be triggered via a crafted .gitattributes file that may be part of the commit history. Git silently splits lines longer than 2KB when parsing gitattributes from a file, but not when parsing them from the index. Consequentially, the failure mode depends on whether the file exists in the working tree, the index or both. This integer overflow can result in arbitrary heap reads and writes, which may result in remote code execution. The problem has been patched in the versions published on 2023-01-17, going back to v2.30.7. Users are advised to upgrade. There are no known workarounds for this issue.
CVE-2022-2196	linux-libc-dev	8.8	kernel: KVM: nVMX: missing IBPB when exiting from nested guest can lead to Spectre v2 attacks	A regression exists in the Linux Kernel within KVM: nVMX that allowed for speculative execution attacks. L2 can carry out Spectre v2 attacks on L1 due to L1 thinking it doesn't need retpolines or IBPB after running L2 due to KVM (L0) advertising eIBRS support to L1. An attacker at L2 with code execution can execute code on an indirect branch on the host machine. We recommend upgrading to Kernel 6.2 or past commit 2e7eab81425a
CVE-2022-39176	libbluetooth-dev libbluetooth3	8.8	bluez: BlueZ allows physically proximate attackers to obtain sensitive information because profiles/audio/avrcp.c does not validate params_len	BlueZ before 5.59 allows physically proximate attackers to obtain sensitive information because profiles/audio/avrcp.c does not validate params_len.
CVE-2022-3515	libksba8	9.8	libksba: integer overflow may lead to remote code execution	A vulnerability was found in the Libksba library due to an integer overflow within the CRL parser. The vulnerability can be exploited remotely for code execution on the target system by passing specially crafted data to the application, for example, a malicious S/MIME attachment.
CVE-2022-3643	linux-libc-dev	10	Xen Security Advisory 423 v1: Guests can trigger NIC interface reset/abort/crash via netback	Guests can trigger NIC interface reset/abort/crash via netback It is possible for a guest to trigger a NIC interface reset/abort/crash in a Linux based network backend by sending certain kinds of packets. It appears to be an (unwritten?) assumption in the rest of the Linux network stack that packet protocol headers are all contained within the linear section of the SKB and some NICs behave badly if this is not the case. This has been reported to occur with Cisco (enic) and Broadcom NetXtrem II BCM5780 (bnx2x) though it may be an issue with other NICs/drivers as well. In case the frontend is sending requests with split headers, netback will forward those violating above mentioned assumption to the networking core, resulting in said misbehavior.
CVE-2021-30475	libaom0	9.8	aom_dsp/noise_model.c in libaom in AOMedia before 2021-03-24 has a buf ...	aom_dsp/noise_model.c in libaom in AOMedia before 2021-03-24 has a buffer overflow.
CVE-2022-27223	linux-libc-dev	8.8	kernel: In drivers/usb/gadget/udc/udc-xilinx.c the endpoint index is not validated	In drivers/usb/gadget/udc/udc-xilinx.c in the Linux kernel before 5.16.12, the endpoint index is not validated and might be manipulated by the host for out-of-array access.
CVE-2021-30473	libaom0	9.8	aom_image.c in libaom in AOMedia before 2021-04-07 frees memory that i ...	aom_image.c in libaom in AOMedia before 2021-04-07 frees memory that is not located on the heap.
CVE-2022-1271	gzip liblzma-dev liblzma5 xz-utils	8.8	gzip: arbitrary-file-write vulnerability	An arbitrary file write vulnerability was found in GNU gzip's zgrep utility. When zgrep is applied on the attacker's chosen file name (for example, a crafted file name), this can overwrite an attacker's content to an arbitrary attacker-selected file. This flaw occurs due to insufficient validation when processing filenames with two or more newlines where selected content and the target file names are embedded in crafted multi-line file names. This flaw allows a remote, low privileged attacker to force zgrep to write arbitrary files on the system.
CVE-2022-3565	linux-libc-dev	8	kernel: use-after-free in l1oip timer handlers	A vulnerability, which was classified as critical, has been found in Linux Kernel. Affected by this issue is the function del_timer of the file drivers/isdn/mISDN/l1oip_core.c of the component Bluetooth. The manipulation leads to use after free. It is recommended to apply a patch to fix this issue. The identifier of this vulnerability is VDB-211088.
CVE-2021-30474	libaom0	9.8	aom_dsp/grain_table.c in libaom in AOMedia before 2021-03-30 has a use ...	aom_dsp/grain_table.c in libaom in AOMedia before 2021-03-30 has a use-after-free.

[qwerty1q2w]

trivy image apache/superset:2.0.1 --security-checks vuln

Total: 1754 (UNKNOWN: 7, LOW: 606, MEDIUM: 523, HIGH: 549, CRITICAL: 69)

Python (python-pkg)
Total: 11 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 8, CRITICAL: 2)

[aleks-liu]

+1
please pay attention on vulnerabilities in this image.
Thank you in advance.

[ivanshamaev]

+1

[mdeshmu]

@qwerty1q2w

Majority of these vulnerabilities are related python base image and in turn its Debian base image.
We need to upgrade python to remove vulnerabilities.

Superset 2.0.1 == Python 3.8.12
master == Python 3.8.16
master-py39 == Python 3.9
can you check vulnerabilities in master and master-py39 image and share the results.

docker pull apache/superset:2.0.1
docker pull apache/superset:master-py39
docker pull apache/superset:master

The docker image we’re referring to is what the Apache Software Foundation commonly refers to as a “convenience release”; the only official releases the ASF provides is are the source binaries.

I do see a recent PR for docker images using 3.9 #22770
Interested individuals from community can create a similar PR for 3.10 and 3.11.

Source code already supports 3.8 to 3.11 https://github.com/apache/superset/blob/master/setup.py#L188

[qwerty1q2w]

@mdeshmu Hi! Thanks! Can you use images like https://hub.docker.com/r/bitnami/python/ or build such images yourself or use distroless images?

https://hub.docker.com/r/bitnami/minideb/
https://github.com/bitnami/minideb - The images are built daily and have the security release enabled, so will contain any security updates released more than 24 hours ago.

Maybe you can ask Apache Software Foundation to prepare secure base images like bitnami.

or fix such vulnerabilities in Dockerfile via apt like here

I'll try to check vulnerabilities in master and master-py39

[sfirke]

I don't think this specific bug report is actionable as it stands. Superset version 2.0.1 has passed end of life support.

If people have ideas for how to improve Superset by changing the Python versions or dependencies it depends on, I encourage them to get involved:

• Short-term, you could send your suggestion to security@superset.apache.org, or email the Apache Superset Dev list with your idea and try to start a discussion there. It could become a Superset Improvement Proposal, if appropriate.
• Longer-term, you could also attend a Superset Town Hall meeting (typically once a month on Fridays, see the community calendar) and raise it for discussion there. And, with some contributions and trust built up, even join the security working group -- I believe they are often looking for new members.