From 8d3e9aca9d352a3c4459e321de5d0a0b12062112 Mon Sep 17 00:00:00 2001
From: Alexander Smolyakov <v-asmoliakov@microsoft.com>
Date: Thu, 6 Apr 2023 21:02:49 +0400
Subject: [features/conda] Address CVE-2023-0286, CVE-2023-23931, and
 CVE-2022-40897 vulnerabilities (#518)

* [features/conda] Address CVE-2023-0286, CVE-2023-23931, and CVE-2022-40897 vulnerabilities

- Update `install.sh` to install updates for the `cryptography` and `setuptools` packages
- Add tests to verify the `cryptography` and `setuptools` package versions

* Bump feature version
---
 src/conda/devcontainer-feature.json | 2 +-
 src/conda/install.sh                | 7 ++++++-
 2 files changed, 7 insertions(+), 2 deletions(-)


diff --git a/src/conda/devcontainer-feature.json b/src/conda/devcontainer-feature.json
index 8e1a5fc..9a23652 100644
--- a/src/conda/devcontainer-feature.json
+++ b/src/conda/devcontainer-feature.json
@@ -1,6 +1,6 @@
 {
     "id": "conda",
-    "version": "1.0.8",
+    "version": "1.0.9",
     "name": "Conda",
     "description": "A cross-platform, language-agnostic binary package manager",
     "documentationURL": "https://github.com/devcontainers/features/tree/main/src/conda",
diff --git a/src/conda/install.sh b/src/conda/install.sh
index 55b280c..43ab82f 100644
--- a/src/conda/install.sh
+++ b/src/conda/install.sh
@@ -114,8 +114,13 @@ if ! conda --version &> /dev/null ; then
     
     find "${CONDA_DIR}" -type d -print0 | xargs -n 1 -0 chmod g+s
 
-    # Temporary due to https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23491
+    # Temporary fixes
+    # Due to https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23491
     install_user_package certifi
+    # Due to https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-0286 and https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-23931
+    install_user_package cryptography
+    # Due to https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-40897
+    install_user_package setuptools
 fi
 
 # Display a notice on conda when not running in GitHub Codespaces
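Review bot: The three `install_user_package` calls sit inside the `if ! conda --version &> /dev/null` branch (see the hunk header and the closing `fi`), so they appear to run only when this script installs conda itself; an image that already ships conda would skip them and keep whatever `cryptography` and `setuptools` it has. The calls also name no minimum version, and `install_user_package` is defined outside the hunk, so it is not visible here whether it upgrades an existing package or only installs a missing one. I would record the floor next to each call, e.g. `# needs cryptography >= <fixed-version> for CVE-2023-0286 / CVE-2023-23931`, and have the script compare the installed version against that floor after the call so the build fails if the fixed release was not picked up. The `# Temporary fixes` comment should also state when the block can be removed, e.g. `# Remove once the conda installer bundles the fixed releases`.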