[Security] Fix some of vulnerability issue relative python packages (#14269)

Why I did it
Fix some vulnerability issues related to Python packages (#14269)
Pillow: [CVE-2021-27921]
Wheel: [CVE-2022-40898]
lxml: [CVE-2022-2309]

How I did it
This commit is contained in:
xumia 2023-03-20 14:15:45 +08:00 committed by GitHub
parent 3bbfaa1ee8
commit 7209666374
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
6 changed files with 39 additions and 13 deletions


@ -38,7 +38,7 @@ j2cli==0.3.10
jinja2==2.11.3
lazy-object-proxy==0.0.0
logilab-common==1.8.1
lxml==4.6.2
lxml==4.9.1
m2crypto==0.36.0
mako==1.1.3
markdown==3.3.4
@ -104,7 +104,7 @@ unattended-upgrades==0.1
unidiff==0.5.5
urllib3==1.26.5
webencodings==0.5.1
wheel==0.35.1
wheel==0.38.1
wrapt==1.12.1
xdg==5
zipp==1.0.0


@ -38,7 +38,7 @@ keyring==17.1.1
keyrings.alt==3.1.1
lazy-object-proxy==1.3.1
logilab-common==1.4.2
lxml==4.6.5
lxml==4.9.1
m2crypto==0.36.0
markupsafe==1.1.0
mccabe==0.6.1


@ -24,7 +24,7 @@ importlib-metadata==6.1.0
jinja2==3.0.3
keyring==17.1.1
keyrings.alt==3.1.1
lxml==4.6.5
lxml==4.9.1
m2crypto==0.38.0
mako==1.0.7
markdown==3.0.1
@ -77,5 +77,5 @@ typing_extensions==4.5.0
unattended-upgrades==0.1
unidiff==0.5.4
urllib3==1.24.1
wheel==0.35.1
wheel==0.38.1
zipp==3.15.0


@ -476,7 +476,7 @@ RUN apt-get purge -y python3-pip python3-yaml
# For building Python packages
RUN pip3 install setuptools==49.6.00
RUN pip3 install wheel==0.35.1
RUN pip3 install wheel==0.38.1
{%- if CONFIGURED_ARCH == "armhf" %}
# Allow only manylinux wheels on armhf, to ensure that binaries/libraries work correctly on armhf
@ -496,6 +496,19 @@ RUN pip3 install pytest-runner==5.2
RUN pip3 install nose==1.3.7
RUN pip3 install mockredispy==2.9.3
# Fix CVE-2021-23437, need to build and install libjpeg-dev for armhf for pillow 9.4.0
{%- if CONFIGURED_ARCH == "armhf" %}
RUN TMP_DIR=$(mktemp -d) && \
cd $TMP_DIR && \
apt-get install -y nasm && \
apt-get source libjpeg-turbo && \
cd $(ls -d libjpeg-turbo*/) && \
dpkg-buildpackage -rfakeroot -b -us -uc > $TMP_DIR/libjpeg-dev.log && \
dpkg -i $TMP_DIR/libjpeg*-dev*.deb && \
rm -rf $TMP_DIR
{%- endif %}
RUN pip3 install pillow==9.4.0
# For p4 build
RUN pip3 install \
ctypesgen==1.0.2 \
@ -514,7 +527,7 @@ RUN pip3 install j2cli==0.3.10
# For sonic-mgmt-framework
RUN pip3 install "PyYAML==5.4.1"
{%- if CROSS_BUILD_ENVIRON != "y" %}
RUN pip3 install "lxml==4.6.2"
RUN pip3 install "lxml==4.9.1"
{%- endif %}
# For sonic-platform-common testing
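Review bot: `apt-get install -y nasm` in the new armhf block runs without an `apt-get update` in the same RUN, so it installs from whatever package lists an earlier layer left behind (not visible here) and will fail or pick a stale nasm if those lists were removed or aged; the same layer should read `apt-get update && apt-get install -y --no-install-recommends nasm`. `dpkg -i $TMP_DIR/libjpeg*-dev*.deb` installs only the -dev package, which presumably depends on the exact same version of the runtime libjpeg library already present, so the install breaks the moment the deb-src version in the archive drifts from the installed library; either install the rebuilt runtime .deb from the same glob alongside it or state that version-lock assumption in a comment. The comment on this block cites CVE-2021-23437 while the commit description cites CVE-2021-27921 for Pillow, and it does not say why the distro libjpeg-dev cannot be used on armhf, so a reader cannot tell what is being tracked or whether the workaround can be dropped later; suggest `# pillow 9.4.0 (CVE-2021-27921, CVE-2021-23437) needs libjpeg-dev; on armhf it is rebuilt from deb-src because the archive package is unusable there (state why)`.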


@ -488,7 +488,7 @@ RUN apt-get purge -y python-pip python3-pip python3-yaml
RUN pip2 install setuptools==40.8.0
RUN pip2 install wheel==0.35.1
RUN pip3 install setuptools==49.6.00
RUN pip3 install wheel==0.35.1
RUN pip3 install wheel==0.38.1
# For building sonic-utilities
RUN pip2 install fastentrypoints
@ -502,6 +502,19 @@ RUN pip3 install nose==1.3.7
RUN pip2 install mockredispy==2.9.3
RUN pip3 install mockredispy==2.9.3
# Fix CVE-2021-23437, need to build and install libjpeg-dev for armhf for pillow 9.4.0
{%- if CONFIGURED_ARCH == "armhf" %}
RUN TMP_DIR=$(mktemp -d) && \
cd $TMP_DIR && \
apt-get install -y nasm && \
apt-get source libjpeg-turbo && \
cd $(ls -d libjpeg-turbo*/) && \
dpkg-buildpackage -rfakeroot -b -us -uc > $TMP_DIR/libjpeg-dev.log && \
dpkg -i $TMP_DIR/libjpeg*-dev*.deb && \
rm -rf $TMP_DIR
{%- endif %}
RUN pip3 install pillow==9.4.0
# For Python 2 unit tests, we need 'mock'. The last version of 'mock'
# which supports Python 2 is 3.0.5. In Python 3, 'mock' is part of 'unittest'
# in the standard library
@ -532,8 +545,8 @@ RUN pip2 install "PyYAML==5.4.1"
RUN pip3 install "PyYAML==5.4.1"
{%- if CROSS_BUILD_ENVIRON != "y" %}
RUN pip2 install "lxml==4.6.5"
RUN pip3 install "lxml==4.6.5"
RUN pip2 install "lxml==4.9.1"
RUN pip3 install "lxml==4.9.1"
{%- endif %}
# For sonic-platform-common testing
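Review bot: `RUN pip2 install wheel==0.35.1` is left untouched while the pip3 line directly below moves to 0.38.1, so the Python 2 toolchain in this image still carries CVE-2022-40898, the wheel issue the commit description says it fixes. To my knowledge wheel 0.38.1 requires Python 3, so the pip2 line cannot simply be bumped, which makes this an accepted residual risk rather than an oversight; it should be recorded next to the line so the next scan does not re-open it, e.g. `# wheel>=0.38.1 (fix for CVE-2022-40898) needs Python 3; pip2 stays at 0.35.1 and remains affected`. If the Python 2 path only ever builds wheels from in-tree sources, saying so in the same comment would justify the exposure, since the reported issue is reachable through attacker-controlled input to the wheel CLI.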


@ -332,8 +332,8 @@ RUN pip3 install mockredispy==2.9.3
# For sonic-mgmt-framework
RUN pip2 install "PyYAML==5.3.1"
RUN pip3 install "PyYAML==5.3.1"
RUN pip2 install "lxml==4.6.5"
RUN pip3 install "lxml==4.6.5"
RUN pip2 install "lxml==4.9.1"
RUN pip3 install "lxml==4.9.1"
# For sonic-platform-common testing