Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[cherry-pick][RHOAIENG-3551] - fastapi - Regular Expression Denial of Service (ReDoS) #260

Merged
merged 1 commit into from
Mar 1, 2024
Merged

[cherry-pick][RHOAIENG-3551] - fastapi - Regular Expression Denial of Service (ReDoS) #260

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
7 changes: 6 additions & 1 deletion python/storage-initializer.Dockerfile
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -33,7 +33,12 @@ RUN apt-get update && apt-get install -y \
krb5-config \
&& rm -rf /var/lib/apt/lists/*

RUN pip install --no-cache-dir krbcontext==0.10 hdfs~=2.6.0 requests-kerberos==0.14.0
# Fixes CVE-2024-24762 - Regular Expression Denial of Service (ReDoS)
# Remove the fastapi when this is addressed: https://issues.redhat.com/browse/RHOAIENG-3894
# or ray releses a new version that removes the fastapi version pinning and it gets updated on KServe
RUN pip install --no-cache-dir krbcontext==0.10 hdfs~=2.6.0 requests-kerberos==0.14.0 fastapi==0.109.1
# Fixes Quay alert GHSA-2jv5-9r88-3w3p https://github.com/Kludex/python-multipart/security/advisories/GHSA-2jv5-9r88-3w3p
RUN pip install --no-cache-dir starlette==0.36.2


FROM ${BASE_IMAGE} as prod
Expand Down
Loading