
Update Werkzeug #4217

Open

nickumia-reisys opened this issue Feb 21, 2023 · 9 comments
Labels
bug Software defect or bug CKAN 2.11 Issues addressed by CKAN 2.11 compliance Relating to security compliance or documentation component/catalog Related to catalog component playbooks/roles
Milestone

Comments

@nickumia-reisys
Contributor

nickumia-reisys commented Feb 21, 2023

Please keep any sensitive details in Google Drive.

Date of report: 02/15/2023
Severity: High
Due date: 03/15/2023

Due date is based on severity and described in RA-5: 15 days for Critical, 30 days for High, and 90 days for Moderate and lower.

Brief description

From our automated Snyk scans, the above vulnerability in the werkzeug package was highlighted. After an investigation, it seems like there is no path forward to patch it. The upgrade of werkzeug cascades into a bunch of breaking versions with Flask and Jinja2 and other packages. There is an open issue about running CKAN with the latest version of Flask, and the patch release of CKAN 2.9.8 still references Flask==1.1.1.

There is an open ticket in upstream CKAN that talks about the work related to this upgrade.

There was an old patch that was completed in 11/2022, but Snyk says that the new vulnerability requires a newer release,

Other list of references:

@nickumia-reisys nickumia-reisys added compliance Relating to security compliance or documentation bug Software defect or bug labels Feb 21, 2023
@nickumia-reisys
Contributor Author

There is a better chance that we'll be able to patch this vulnerability if we are on CKAN 2.10.0 (but there may still be issues).

@nickumia-reisys
Contributor Author

@hkdctol
Contributor

hkdctol commented Feb 21, 2023

Adding a March milestone to this so that we will look at it again, but given the discussion today at sync this seems like it has to await the CKAN 2.10 update which is #4209

@nickumia-reisys
Contributor Author

Blocked by CKAN releasing compatibility changes to core code. See PR for details:

@nickumia-reisys
Contributor Author

@btylerburton
Contributor

Conversation with CKAN core team on release schedule. No new developments, but at least they are aware that we are awaiting these fixes.

ckan/ckan#6381

@rshewitt
Contributor

rshewitt commented May 7, 2024

ckan upstream ticket

@gujral-rei

followed up with CKAN

@FuhuXia
Member

FuhuXia commented Sep 17, 2024

CKAN 2.11.0 fixes this issue with Werkzeug[watchdog]==3.0.3 in the requirements.txt.

@btylerburton btylerburton added CKAN 2.11 Issues addressed by CKAN 2.11 and removed CKAN 2.10 labels Sep 17, 2024
@btylerburton btylerburton added the component/catalog Related to catalog component playbooks/roles label Oct 10, 2024
@btylerburton btylerburton modified the milestones: March 2023, May 2025 Dec 12, 2024
Projects
Status: 📡 Blocked
Development

No branches or pull requests

6 participants