fix: Bumps Flask Caching to fix RCE vulnerability #25090

Merged
merged 3 commits into apache:master from bump-flask-caching on Aug 31, 2023

Conversation

michael-s-molina
Member

@michael-s-molina michael-s-molina commented Aug 25, 2023

SUMMARY

This PR bumps Flask Caching from 1.10.1 to 1.11.1 to fix CVE-2021-33026. It also removes an explicit dependency with cachelib given that its assets are provided via flask_caching.backends.

Fixes #25077

Here's the changelog between versions:

[Screenshot of the Flask-Caching changelog between 1.10.1 and 1.11.1, taken 2023-08-25]

TESTING INSTRUCTIONS

CI should be sufficient.

ADDITIONAL INFORMATION

  • Has associated issue:
  • Required feature flags:
  • Changes UI
  • Includes DB Migration (follow approval process in SIP-59)
    • Migration is atomic, supports rollback & is backwards-compatible
    • Confirm DB migration upgrade and downgrade tested
    • Runtime estimates and downtime expectations provided
  • Introduces new feature or API
  • Removes existing feature or API

@michael-s-molina michael-s-molina force-pushed the bump-flask-caching branch 2 times, most recently from 9515953 to affa48e Compare August 28, 2023 15:00
Member

@villebro villebro left a comment

LGTM, thanks for all the work on debugging that flaky test, really great work! 👏 Also, please add a note in the description about removing cachelib as an explicit dependency, as it may not be obvious why that's happening.

Comment on lines +34 to +35
cachelib==0.6.0
# via flask-caching
Member

I'm tempted to bump this one to a more recent one, but let's do that when we bump to Flask-Caching>=2

Member Author

Yes, it's safer to do that when bumping Flask-Caching 👍🏼

@michael-s-molina
Member Author

Also, please add a note in the description about removing cachelib as an explicit dependency, as it may not be obvious why that's happening.

@villebro I updated the PR description.

@michael-s-molina michael-s-molina merged commit 9df1b26 into apache:master Aug 31, 2023
33 checks passed
@michael-s-molina michael-s-molina added the v3.0 label Aug 31, 2023
darwinsubramaniam pushed a commit to darwinsubramaniam/superset that referenced this pull request Sep 7, 2023
jinghua-qa added a commit to preset-io/superset that referenced this pull request Sep 12, 2023
jfrag1 added a commit to preset-io/superset that referenced this pull request Sep 12, 2023
sadpandajoe added a commit to preset-io/superset that referenced this pull request Sep 12, 2023
@SCH227

SCH227 commented Nov 10, 2023

@michael-s-molina Flask-Caching 1.11.1 does not fix CVE-2021-33026.
The latest version of Flask-Caching still relies on pickle by default for deserialization from cache storage. For example:
Memcache
Rediscache
Am I missing something?

@michael-s-molina
Member Author

@SCH227 It looks like the CVE is still in DISPUTED state pending additional verification. Check pallets-eco/flask-caching#345 for more context.
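
The exchange above turns on cache backends calling pickle.loads on whatever the store returns. The following is an added illustration, not code from Superset or Flask-Caching, of the defensive pattern from the Python pickle docs (an Unpickler with a find_class allow-list); the cache backend itself is simulated by a single load function, and the two cache entries are constructed sample data.

```python
import io
import pickle
import textwrap

# Globals a cache entry is allowed to reference when deserialised.
# Anything else (os, subprocess, builtins.eval, ...) is refused outright.
SAFE_GLOBALS = {
    ("builtins", "dict"), ("builtins", "list"), ("builtins", "set"),
    ("builtins", "tuple"), ("builtins", "str"), ("builtins", "int"),
}


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that only resolves an explicit allow-list of globals."""

    def find_class(self, module, name):
        if (module, name) in SAFE_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(
            f"refusing to resolve global {module}.{name} from cache data")


def safe_loads(data: bytes):
    """Drop-in replacement for pickle.loads that refuses arbitrary globals."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


def load_cache_entry(raw: bytes, restricted: bool = True):
    """Simulate a cache backend reading one stored value (hypothetical helper).

    Returns (ok, value_or_error). With restricted=False it behaves like a
    backend that hands the raw bytes straight to pickle.loads.
    """
    try:
        value = safe_loads(raw) if restricted else pickle.loads(raw)
        return True, value
    except pickle.UnpicklingError as exc:
        return False, str(exc)


# Constructed sample entries standing in for two values read from the store.
NORMAL_ENTRY = pickle.dumps({"user": "alice", "rows": [1, 2, 3]})
# A pickle that merely references an importable callable: plain pickle.loads
# imports 'textwrap' and returns the function, which is the resolution path a
# cache consumer should never take on data it does not fully trust.
FOREIGN_GLOBAL_ENTRY = pickle.dumps(textwrap.dedent)
```

The restricted loader round-trips ordinary dict/list payloads unchanged and rejects the entry that names a module-level global, while the unrestricted path resolves it.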

cccs-rc pushed a commit to CybercentreCanada/superset that referenced this pull request Mar 6, 2024
@mistercrunch mistercrunch added the 🍒 3.0.0, 🍒 3.0.1, 🍒 3.0.2, 🍒 3.0.3, 🍒 3.0.4, 🏷️ bot and 🚢 3.1.0 labels Mar 8, 2024
Development

Successfully merging this pull request may close these issues.

Flask-Caching version 1.10.1, having a critical vulnerability, upgrade to new version is causing a Error.