[Security] Fix some of vulnerability issue relative python packages (#14269) (#14352)

Why I did it
Fix some of vulnerability issue relative python packages #14269
Pillow: [CVE-2021-27921]
Wheel: [CVE-2022-40898]
lxml: [CVE-2022-2309]

How I did it
How to verify it

files/build/versions/dockers/sonic-slave-bullseye/versions-py3

@@ -39,7 +39,7 @@ j2cli==0.3.10
 jinja2==2.11.3
 lazy-object-proxy==0.0.0
 logilab-common==1.8.1
-lxml==4.6.2
+lxml==4.9.1
 m2crypto==0.36.0
 mako==1.1.3
 markdown==3.3.4

files/build/versions/dockers/sonic-slave-buster/versions-py2

@@ -38,7 +38,7 @@ keyring==17.1.1
 keyrings.alt==3.1.1
 lazy-object-proxy==1.3.1
 logilab-common==1.4.2
-lxml==4.6.5
+lxml==4.9.1
 m2crypto==0.36.0
 markupsafe==1.1.0
 mccabe==0.6.1

files/build/versions/dockers/sonic-slave-buster/versions-py3

@@ -24,7 +24,7 @@ importlib-metadata==6.1.0
 jinja2==3.0.3
 keyring==17.1.1
 keyrings.alt==3.1.1
-lxml==4.6.5
+lxml==4.9.1
 m2crypto==0.38.0
 mako==1.0.7
 markdown==3.0.1

sonic-slave-bullseye/Dockerfile.j2

@@ -474,7 +474,7 @@ RUN apt-get purge -y python3-pip python3-yaml
 
 # For building Python packages
 RUN pip3 install setuptools==49.6.00
-RUN pip3 install wheel==0.35.1
+RUN pip3 install wheel==0.38.1
 
 {%- if CONFIGURED_ARCH == "armhf" %}
 # Allow only manylinux wheels on armhf, to ensure that binaries/libraries work correctly on armhf
@@ -494,6 +494,19 @@ RUN pip3 install pytest-runner==5.2
 RUN pip3 install nose==1.3.7
 RUN pip3 install mockredispy==2.9.3
 
+# Fix CVE-2021-23437, need to build and install libjpeg-dev for armhf for pillow 9.4.0
+{%- if CONFIGURED_ARCH == "armhf" %}
+RUN TMP_DIR=$(mktemp -d) && \
+    cd $TMP_DIR && \
+    apt-get install -y nasm && \
+    apt-get source libjpeg-turbo && \
+    cd $(ls -d libjpeg-turbo*/) && \
+    dpkg-buildpackage -rfakeroot -b -us -uc > $TMP_DIR/libjpeg-dev.log && \
+    dpkg -i $TMP_DIR/libjpeg*-dev*.deb && \
+    rm -rf $TMP_DIR
+{%- endif %}
+RUN pip3 install pillow==9.4.0
+
 # For p4 build
 RUN pip3 install \
          ctypesgen==1.0.2 \
@@ -512,7 +525,7 @@ RUN pip3 install j2cli==0.3.10
 # For sonic-mgmt-framework
 RUN pip3 install "PyYAML==5.4.1"
 {%- if CROSS_BUILD_ENVIRON != "y" %}
-RUN pip3 install "lxml==4.6.2"
+RUN pip3 install "lxml==4.9.1"
 {%- endif %}
 
 # For sonic-platform-common testing

sonic-slave-buster/Dockerfile.j2

@@ -487,7 +487,7 @@ RUN apt-get purge -y python-pip python3-pip python3-yaml
 RUN pip2 install setuptools==40.8.0
 RUN pip2 install wheel==0.35.1
 RUN pip3 install setuptools==49.6.00
-RUN pip3 install wheel==0.35.1
+RUN pip3 install wheel==0.38.1
 
 # For building sonic-utilities
 RUN pip2 install fastentrypoints
@@ -501,6 +501,19 @@ RUN pip3 install nose==1.3.7
 RUN pip2 install mockredispy==2.9.3
 RUN pip3 install mockredispy==2.9.3
 
+# Fix CVE-2021-23437, need to build and install libjpeg-dev for armhf for pillow 9.4.0
+{%- if CONFIGURED_ARCH == "armhf" %}
+RUN TMP_DIR=$(mktemp -d) && \
+    cd $TMP_DIR && \
+    apt-get install -y nasm && \
+    apt-get source libjpeg-turbo && \
+    cd $(ls -d libjpeg-turbo*/) && \
+    dpkg-buildpackage -rfakeroot -b -us -uc > $TMP_DIR/libjpeg-dev.log && \
+    dpkg -i $TMP_DIR/libjpeg*-dev*.deb && \
+    rm -rf $TMP_DIR
+{%- endif %}
+RUN pip3 install pillow==9.4.0
+
 # For Python 2 unit tests, we need 'mock'. The last version of 'mock'
 # which supports Python 2 is 3.0.5. In Python 3, 'mock' is part of 'unittest'
 # in the standard library
@@ -531,8 +544,8 @@ RUN pip2 install "PyYAML==5.4.1"
 RUN pip3 install "PyYAML==5.4.1"
 
 {%- if CROSS_BUILD_ENVIRON != "y" %}
-RUN pip2 install "lxml==4.6.5"
+RUN pip2 install "lxml==4.9.1"
-RUN pip3 install "lxml==4.6.5"
+RUN pip3 install "lxml==4.9.1"
 {%- endif %}
 
 # For sonic-platform-common testing

sonic-slave-stretch/Dockerfile.j2

@@ -331,8 +331,8 @@ RUN pip3 install mockredispy==2.9.3
 # For sonic-mgmt-framework
 RUN pip2 install "PyYAML==5.3.1"
 RUN pip3 install "PyYAML==5.3.1"
-RUN pip2 install "lxml==4.6.5"
+RUN pip2 install "lxml==4.9.1"
-RUN pip3 install "lxml==4.6.5"
+RUN pip3 install "lxml==4.9.1"
 
 
 # For sonic-platform-common testing