author | Alexander Smolyakov <v-asmoliakov@microsoft.com> | 2023-04-06 20:02:49 +0300 |
---|---|---|
committer | GitHub <noreply@github.com> | 2023-04-06 20:02:49 +0300 |
commit | 8d3e9aca9d352a3c4459e321de5d0a0b12062112 (patch) | |
tree | 1289e63c1b4fc840f02f29bf1c56fcd5c8731df6 | |
parent | 74959ec14975fe1c95133dc6d3ad5677e4cf66e1 (diff) |
[features/conda] Address CVE-2023-0286, CVE-2023-23931, and CVE-2022-40897 vulnerabilities (#518)feature_conda_1.0.9
* [features/conda] Address CVE-2023-0286, CVE-2023-23931, and CVE-2022-40897 vulnerabilities
- Update `install.sh` to install updates for `cryptography` and `setuptools` packages
- Add tests to verify `cryptography` and `setuptools` packages version
* Bump feature version
-rw-r--r-- | src/conda/devcontainer-feature.json | 2 | ||||
-rw-r--r-- | src/conda/install.sh | 7 | ||||
-rwxr-xr-x | test/conda/test.sh | 6 |
3 files changed, 13 insertions, 2 deletions
diff --git a/src/conda/devcontainer-feature.json b/src/conda/devcontainer-feature.json
index 8e1a5fc..9a23652 100644
--- a/src/conda/devcontainer-feature.json
+++ b/src/conda/devcontainer-feature.json
@@ -1,6 +1,6 @@
 {
 "id": "conda",
- "version": "1.0.8",
+ "version": "1.0.9",
 "name": "Conda",
 "description": "A cross-platform, language-agnostic binary package manager",
 "documentationURL": "https://github.com/devcontainers/features/tree/main/src/conda",
diff --git a/src/conda/install.sh b/src/conda/install.sh
index 55b280c..43ab82f 100644
--- a/src/conda/install.sh
+++ b/src/conda/install.sh
@@ -114,8 +114,13 @@ if ! conda --version &> /dev/null ; then
 find "${CONDA_DIR}" -type d -print0 | xargs -n 1 -0 chmod g+s
- # Temporary due to https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23491
+ # Temporary fixes
+ # Due to https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23491
 install_user_package certifi
+ # Due to https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-0286 and https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-23931
+ install_user_package cryptography
+ # Due to https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-40897
+ install_user_package setuptools
 fi
 # Display a notice on conda when not running in GitHub Codespaces
diff --git a/test/conda/test.sh b/test/conda/test.sh
index 8a88511..fcb9d7e 100755
--- a/test/conda/test.sh
+++ b/test/conda/test.sh
@@ -32,5 +32,11 @@ check-version-ge() {
 certifiVersion=$(python -c "import certifi; print(certifi.__version__)")
 check-version-ge "certifi" "${certifiVersion}" "2022.12.07"
+cryptographyVersion=$(python -c "import cryptography; print(cryptography.__version__)")
+check-version-ge "cryptography" "${cryptographyVersion}" "39.0.1"
+
+setuptoolsVersion=$(python -c "import setuptools; print(setuptools.__version__)")
+check-version-ge "setuptools" "${setuptoolsVersion}" "65.5.1"
+
 # Report result
 reportResults |
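Review bot: In the src/conda/install.sh hunk, `install_user_package cryptography` and `install_user_package setuptools` pass only a package name, so the fixed versions this commit relies on (39.0.1 and 65.5.1, per test/conda/test.sh) are not enforced at install time; an index or mirror that resolves to an older release would leave the image vulnerable without failing the build. The comments should record the floor, e.g. `# Due to CVE-2023-0286 and CVE-2023-23931 (fixed in cryptography >= 39.0.1)` and `# Due to CVE-2022-40897 (fixed in setuptools >= 65.5.1)`, and if the helper accepts a version specifier (its definition is outside the hunk, so this is unconfirmed) the calls should pass one. The calls also sit inside what appears to be the `if ! conda --version` block, which starts outside the hunk, so an image that already ships conda would skip these updates.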
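Review bot: In the test/conda/test.sh hunk, both new checks read the version from whichever `python` is first on PATH for the test user, so they confirm what that interpreter imports rather than that no older copy of the package remains in the conda installation. If `install_user_package` installs per user (inferred from its name; the helper is not shown), the original `cryptography` and `setuptools` files would stay on disk, and scanners that inspect installed files may still report the CVEs. A comment above the checks such as `# Verifies only the version imported by the default python` would make that limit explicit. The body of `check-version-ge` is outside the hunk, so how it compares versions is not reviewed here.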