[anaconda] Update tornado package due to CVE-2023-28370 (#593)

- Update Dockerfile to install the latest tornado package version; - Added test to verify tornado minimum version; - Updated manifest to include info about the tornado package;
devcontainers · Jun 5, 2023 · 8edb120 · 8edb120
1 parent 7b95b63
commit 8edb120
Show file tree

Hide file tree

Showing 3 changed files with 9 additions and 2 deletions.
diff --git a/src/anaconda/.devcontainer/Dockerfile b/src/anaconda/.devcontainer/Dockerfile
@@ -59,7 +59,9 @@ RUN python3 -m pip install \
  # https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-32862
  nbconvert \
  # https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-32681
- requests
+ requests \
+ # https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-28370
+ tornado
 
 # Copy environment.yml (if found) to a temp location so we can update the environment. Also
 # copy "noop.txt" so the COPY instruction does not fail if no environment.yml exists.

diff --git a/src/anaconda/manifest.json b/src/anaconda/manifest.json
@@ -37,7 +37,8 @@
  "py",
  "pyOpenssl",
  "werkzeug",
- "requests"
+ "requests",
+ "tornado"
  ],
  "other": {
  "git": {},

diff --git a/src/anaconda/test-project/test.sh b/src/anaconda/test-project/test.sh
@@ -42,6 +42,10 @@ checkPythonPackageVersion "werkzeug" "2.2.3"
 checkPythonPackageVersion "certifi" "2022.12.07"
 checkPythonPackageVersion "requests" "2.31.0"
 
+# The `tornado` package doesn't have the `__version__` attribute so we can use the `version` attribute.
+tornado_version=$(python -c "import tornado; print(tornado.version)")
+check-version-ge "tornado-requirement" "${tornado_version}" "6.3.2"
+
 check "conda-update-conda" bash -c "conda update -y conda"
 check "conda-install" bash -c "conda install -c conda-forge --yes tensorflow"
 check "conda-install" bash -c "conda install -c conda-forge --yes pytorch"