Vulnerabilities in Python Dependencies

[phillipjohnson]

I am pulling this over from the discourse thread since there was recent interest in it again.

Issue Summary

The Docker image for Redash 10 (i.e. redash/redash:10.1.0.b50633 (debian 10.11)) includes several Python libraries that have high and critical CVEs.

• PyYAML 5.1.2 -> 5.4
• httplib2 0.14.0 -> 0.19.0
• pyarrow 0.13.0 -> 0.15.0
• pycrypto 2.6.1 -> No known fix, suggested to use pycryptodome
• sqlparse 0.3.0 -> 0.4.2
• urllib3 1.24.3 -> 1.26.5

What is the recommended remediation? Has Redash been tested against any of these newer versions?

List of vulnerabilities:

LIBRARY	VULNERABILITY ID	SEVERITY	INSTALLED VERSION	FIXED VERSION
PyYAML	CVE-2019-20477	CRITICAL	5.1.2	5.2b1
	CVE-2020-14343	CRITICAL		5.4
	CVE-2020-1747	CRITICAL		5.3.1
httplib2	CVE-2021-21240	HIGH	0.14.0	0.19.0
pyarrow	CVE-2019-12410	HIGH	0.13.0	0.15.0
pycrypto	CVE-2013-7459	CRITICAL	2.6.1
	CVE-2018-6594	HIGH
sqlparse	CVE-2021-32839	HIGH	0.3.0	0.4.2
urllib3	CVE-2021-33503	HIGH	1.24.3	1.26.5

Technical details:

• Redash Version: 10.1.0.b50633
• Browser/OS: N/A
• How did you install Redash: Docker

[arikfr]

Thank you for bringing this up. The plan at the moment is to update the CI so it works properly again (probably move to GitHub Actions from CircleCI in the process) and then update all or most of the dependencies to make sure we are in a good posture security wise and in general.