From 8d3e9aca9d352a3c4459e321de5d0a0b12062112 Mon Sep 17 00:00:00 2001 From: Alexander Smolyakov Date: Thu, 6 Apr 2023 21:02:49 +0400 Subject: [features/conda] Address CVE-2023-0286, CVE-2023-23931, and CVE-2022-40897 vulnerabilities (#518) * [features/conda] Address CVE-2023-0286, CVE-2023-23931, and CVE-2022-40897 vulnerabilities - Update `install.sh` to install updates for `cryptography` and `setuptools` packages - Add tests to verify `cryptography` and `setuptools` packages version * Bump feature version --- src/conda/devcontainer-feature.json | 2 +- src/conda/install.sh | 7 ++++++- 2 files changed, 7 insertions(+), 2 deletions(-) (limited to 'src/conda') diff --git a/src/conda/devcontainer-feature.json b/src/conda/devcontainer-feature.json index 8e1a5fc..9a23652 100644 --- a/src/conda/devcontainer-feature.json +++ b/src/conda/devcontainer-feature.json @@ -1,6 +1,6 @@ { "id": "conda", - "version": "1.0.8", + "version": "1.0.9", "name": "Conda", "description": "A cross-platform, language-agnostic binary package manager", "documentationURL": "https://github.com/devcontainers/features/tree/main/src/conda", diff --git a/src/conda/install.sh b/src/conda/install.sh index 55b280c..43ab82f 100644 --- a/src/conda/install.sh +++ b/src/conda/install.sh @@ -114,8 +114,13 @@ if ! conda --version &> /dev/null ; then find "${CONDA_DIR}" -type d -print0 | xargs -n 1 -0 chmod g+s - # Temporary due to https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23491 + # Temporary fixes + # Due to https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23491 install_user_package certifi + # Due to https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-0286 and https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-23931 + install_user_package cryptography + # Due to https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-40897 + install_user_package setuptools fi # Display a notice on conda when not running in GitHub Codespaces -- cgit v1.2.3