
[Snyk] Security upgrade python from 3.11.8-slim-bookworm to 3.11.9-slim-bookworm #4026

Open
wants to merge 1 commit into
base: main

Conversation

rubenfiszel
Contributor

@rubenfiszel rubenfiszel commented Jul 4, 2024

This PR was automatically created by Snyk using the credentials of a real user.


![snyk-top-banner](https://github.com/andygongea/OWASP-Benchmark/assets/818805/c518c423-16fe-447e-b67f-ad5a49b5d123)

Snyk has created this PR to fix 4 vulnerabilities in the dockerfile dependencies of this project.

Keeping your Docker base image up-to-date means you’ll benefit from security fixes in the latest version of your chosen image.

Snyk changed the following file(s):

  • Dockerfile

We recommend upgrading to python:3.11.9-slim-bookworm, as this image has only 49 known vulnerabilities. To do this, merge this pull request, then verify your application still works as expected.

Vulnerabilities that will be fixed with an upgrade:

Issue | Score
high severity: Allocation of Resources Without Limits or Throttling (SNYK-DEBIAN12-SYSTEMD-6277507) | 614
high severity: Allocation of Resources Without Limits or Throttling (SNYK-DEBIAN12-SYSTEMD-6277507) | 614
medium severity: Improper Check for Unusual or Exceptional Conditions (SNYK-DEBIAN12-OPENSSL-6048820) | 514
medium severity: Out-of-bounds Write (SNYK-DEBIAN12-OPENSSL-6148845) | 514
medium severity: CVE-2024-0727 (SNYK-DEBIAN12-OPENSSL-6190223) | 514

Important

  • Check the changes in this PR to ensure they won't cause issues with your project.
  • Max score is 1000. Note that the real score may have changed since the PR was raised.
  • This PR was automatically created by Snyk using the credentials of a real user.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic


Learn how to fix vulnerabilities with free interactive lessons:

🦉 Allocation of Resources Without Limits or Throttling


🚀 This description was created by Ellipsis for commit 34241a9

Summary:

Update Dockerfile to use python:3.11.9-slim-bookworm to address security vulnerabilities.

Key points:

  • Update Dockerfile to use python:3.11.9-slim-bookworm instead of python:3.11.8-slim-bookworm.
  • Addresses 4 security vulnerabilities related to systemd and openssl in the previous image version.
  • No changes to application code, only the Docker base image.

Generated with ❤️ by ellipsis.dev


cloudflare-pages bot commented Jul 4, 2024

Deploying windmill with Cloudflare Pages

Latest commit: 34241a9
Status: ✅  Deploy successful!
Preview URL: https://ab4663de.windmill.pages.dev
Branch Preview URL: https://snyk-fix-92d43d0f280d3cb3880.windmill.pages.dev

View logs

Contributor

@ellipsis-dev ellipsis-dev bot left a comment


👍 Looks good to me! Reviewed everything up to 34241a9 in 22 seconds

More details
  • Looked at 13 lines of code in 1 file
  • Skipped 0 files when reviewing.
  • Skipped posting 1 drafted comments based on config settings.
1. Dockerfile:3
  • Draft comment:
    The update from Python 3.11.8 to 3.11.9 in the Dockerfile is a minor version update intended to address specific security vulnerabilities. This is a standard practice for maintaining security in dependencies. Ensure that the application's compatibility with the new Python version is tested, especially if Python-specific features or third-party Python packages are heavily used.
  • Reason this comment was not posted:
    Confidence changes required: 0%
    The PR is focused on updating the Python base image from version 3.11.8 to 3.11.9 to address security vulnerabilities. The change is minimal and specific, only altering the version number of the Python image used in the Dockerfile. This is a typical maintenance update to keep the software dependencies up-to-date and secure. The PR description provided by Snyk outlines the vulnerabilities addressed by this update, which are related to the Python image. The Dockerfile itself is complex, involving multiple stages and base images, but the change made here is isolated to the Python image version.

Workflow ID: wflow_BaFWp8eFx4av1ibs


You can customize Ellipsis with 👍 / 👎 feedback, review rules, user-specific overrides, quiet mode, and more.

Contributor

github-actions bot commented Jul 4, 2024

🔍 Vulnerabilities of ghcr.io/windmill-labs/windmill-ee:main

📦 Image Reference: ghcr.io/windmill-labs/windmill-ee:main
digest: sha256:3cd9142983f92357aa228f9b31be41ec7943158f0898763ece24a7b048c9617e
vulnerabilities: critical: 3 high: 13 medium: 0 low: 0
size: 871 MB
packages: 1377
📦 Base Image python:043c23ff9a5da35da7f5490229d65173962308a400a0d0cada66e44bd7b4a5f8
also known as
  • 3.11-slim
  • 3.11-slim-bookworm
  • 3.11.9-slim
  • 3.11.9-slim-bookworm
digest: sha256:642b83290b5254bbe4bf72ee85b86b3496689d263e237b379039bced52fe358d
vulnerabilities: critical: 0 high: 1 medium: 0 low: 28 unspecified: 2
critical: 1 high: 2 medium: 0 low: 0 git 1:2.39.2-1.1 (deb)

pkg:deb/debian/git@1:2.39.2-1.1?os_distro=bookworm&os_name=debian&os_version=12

# Dockerfile (92:94)
RUN apt-get update \
    && apt-get install -y ca-certificates wget curl git jq unzip build-essential unixodbc xmlsec1  software-properties-common \
    && rm -rf /var/lib/apt/lists/*

critical: CVE-2024-32002

Affected range: >=1:2.39.2-1.1
Fixed version: Not Fixed
EPSS Score: 0.15%
EPSS Percentile: 52nd percentile
Description

Git is a revision control system. Prior to versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4, repositories with submodules can be crafted in a way that exploits a bug in Git whereby it can be fooled into writing files not into the submodule's worktree but into a .git/ directory. This allows writing a hook that will be executed while the clone operation is still running, giving the user no opportunity to inspect the code that is being executed. The problem has been patched in versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4. If symbolic link support is disabled in Git (e.g. via git config --global core.symlinks false), the described attack won't work. As always, it is best to avoid cloning repositories from untrusted sources.

high: CVE-2024-32004

Affected range: >=1:2.39.2-1.1
Fixed version: Not Fixed
EPSS Score: 0.04%
EPSS Percentile: 11th percentile
Description

Git is a revision control system. Prior to versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4, an attacker can prepare a local repository in such a way that, when cloned, will execute arbitrary code during the operation. The problem has been patched in versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4. As a workaround, avoid cloning repositories from untrusted sources.

high: CVE-2024-32465

Affected range: >=1:2.39.2-1.1
Fixed version: Not Fixed
EPSS Score: 0.04%
EPSS Percentile: 10th percentile
Description

Git is a revision control system. The Git project recommends to avoid working in untrusted repositories, and instead to clone it first with git clone --no-local to obtain a clean copy. Git has specific protections to make that a safe operation even with an untrusted source repository, but vulnerabilities allow those protections to be bypassed. In the context of cloning local repositories owned by other users, this vulnerability has been covered in CVE-2024-32004. But there are circumstances where the fixes for CVE-2024-32004 are not enough: For example, when obtaining a .zip file containing a full copy of a Git repository, it should not be trusted by default to be safe, as e.g. hooks could be configured to run within the context of that repository. The problem has been patched in versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4. As a workaround, avoid using Git in repositories that have been obtained via archives from untrusted sources.

critical: 1 high: 0 medium: 0 low: 0 stdlib 1.21.7 (golang)

pkg:golang/stdlib@1.21.7

# Dockerfile (110:116)
RUN if [ "$WITH_HELM" = "true" ]; then \
    arch="$(dpkg --print-architecture)"; arch="${arch##*-}"; \
    wget "https://get.helm.sh/helm-v${HELM_VERSION}-linux-$arch.tar.gz" && \
    tar -zxvf "helm-v${HELM_VERSION}-linux-$arch.tar.gz"  && \
    mv linux-$arch/helm /usr/local/bin/helm &&\
    chmod +x /usr/local/bin/helm; \
    else echo 'Building the image without helm'; fi

critical: CVE-2024-24790

Affected range: <1.21.11
Fixed version: 1.21.11
EPSS Score: 0.06%
EPSS Percentile: 27th percentile
Description

The various Is methods (IsPrivate, IsLoopback, etc) did not work as expected for IPv4-mapped IPv6 addresses, returning false for addresses which would return true in their traditional IPv4 forms.

critical: 1 high: 0 medium: 0 low: 0 stdlib 1.21.6 (golang)

pkg:golang/stdlib@1.21.6

# Dockerfile (154:154)
COPY --from=builder /frontend/build /static_frontend

critical: CVE-2024-24790

Affected range: <1.21.11
Fixed version: 1.21.11
EPSS Score: 0.06%
EPSS Percentile: 27th percentile
Description

The various Is methods (IsPrivate, IsLoopback, etc) did not work as expected for IPv4-mapped IPv6 addresses, returning false for addresses which would return true in their traditional IPv4 forms.

critical: 0 high: 4 medium: 0 low: 0 pillow 9.4.0 (pypi)

pkg:pypi/pillow@9.4.0

# Dockerfile (154:154)
COPY --from=builder /frontend/build /static_frontend

high 8.8: CVE-2023-4863 Out-of-bounds Write

Affected range: <10.0.1
Fixed version: 10.0.1
CVSS Score: 8.8
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS Score: 60.91%
EPSS Percentile: 98th percentile
Description

Heap buffer overflow in libwebp allows a remote attacker to perform an out of bounds memory write via a crafted HTML page.

high 8.1: CVE-2023-50447 Improper Control of Generation of Code ('Code Injection')

Affected range: <10.2.0
Fixed version: 10.2.0
CVSS Score: 8.1
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score: 0.07%
EPSS Percentile: 32nd percentile
Description

Pillow through 10.1.0 allows PIL.ImageMath.eval Arbitrary Code Execution via the environment parameter, a different vulnerability than CVE-2022-22817 (which was about the expression parameter).

high 7.5: CVE-2023-44271 Uncontrolled Resource Consumption

Affected range: <10.0.0
Fixed version: 10.0.0
CVSS Score: 7.5
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS Score: 0.05%
EPSS Percentile: 23rd percentile
Description

An issue was discovered in Pillow before 10.0.0. It is a Denial of Service that uncontrollably allocates memory to process a given task, potentially causing a service to crash by having it run out of memory. This occurs for truetype in ImageFont when textlength in an ImageDraw instance operates on a long text argument.

high: GHSA-56pw-mpj4-fxww

Affected range: <10.0.1
Fixed version: 10.0.1
Description

Pillow versions before v10.0.1 bundled libwebp binaries in wheels that are vulnerable to CVE-2023-5129 (previously CVE-2023-4863). Pillow v10.0.1 upgrades the bundled libwebp binary to v1.3.2.

critical: 0 high: 3 medium: 0 low: 0 cryptography 38.0.4 (pypi)

pkg:pypi/cryptography@38.0.4

# Dockerfile (92:94)
RUN apt-get update \
    && apt-get install -y ca-certificates wget curl git jq unzip build-essential unixodbc xmlsec1  software-properties-common \
    && rm -rf /var/lib/apt/lists/*

high 7.5: CVE-2024-26130 NULL Pointer Dereference

Affected range: >=38.0.0, <42.0.4
Fixed version: 42.0.4
CVSS Score: 7.5
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS Score: 0.04%
EPSS Percentile: 16th percentile
Description

If pkcs12.serialize_key_and_certificates is called with both:

  1. A certificate whose public key did not match the provided private key
  2. An encryption_algorithm with hmac_hash set (via PrivateFormat.PKCS12.encryption_builder().hmac_hash(...))

Then a NULL pointer dereference would occur, crashing the Python process.

This has been resolved, and now a ValueError is properly raised.

Patched in pyca/cryptography#10423

high 7.5: CVE-2023-50782 Observable Discrepancy

Affected range: <42.0.0
Fixed version: 42.0.0
CVSS Score: 7.5
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS Score: 0.10%
EPSS Percentile: 41st percentile
Description

A flaw was found in the python-cryptography package. This issue may allow a remote attacker to decrypt captured messages in TLS servers that use RSA key exchanges, which may lead to exposure of confidential or sensitive data.

high 7.4: CVE-2023-0286 Access of Resource Using Incompatible Type ('Type Confusion')

Affected range: >=0.8.1, <39.0.1
Fixed version: 39.0.1
CVSS Score: 7.4
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H
EPSS Score: 0.25%
EPSS Percentile: 66th percentile
Description

pyca/cryptography's wheels include a statically linked copy of OpenSSL. The versions of OpenSSL included in cryptography 0.8.1-39.0.0 are vulnerable to a security issue. More details about the vulnerabilities themselves can be found in https://www.openssl.org/news/secadv/20221213.txt and https://www.openssl.org/news/secadv/20230207.txt.

If you are building cryptography source ("sdist") then you are responsible for upgrading your copy of OpenSSL. Only users installing from wheels built by the cryptography project (i.e., those distributed on PyPI) need to update their cryptography versions.

critical: 0 high: 2 medium: 0 low: 0 nodejs 20.15.0-1nodesource1 (deb)

pkg:deb/debian/nodejs@20.15.0-1nodesource1?os_distro=bookworm&os_name=debian&os_version=12

# Dockerfile (154:154)
COPY --from=builder /frontend/build /static_frontend

high: CVE-2024-27983

Affected range: >=18.19.0+dfsg-6~deb12u2
Fixed version: Not Fixed
EPSS Score: 0.04%
EPSS Percentile: 16th percentile
Description

An attacker can make the Node.js HTTP/2 server completely unavailable by sending a small amount of HTTP/2 frames packets with a few HTTP/2 frames inside. It is possible to leave some data in nghttp2 memory after reset when headers with HTTP/2 CONTINUATION frame are sent to the server and then a TCP connection is abruptly closed by the client triggering the Http2Session destructor while header frames are still being processed (and stored in memory) causing a race condition.

high: CVE-2024-22019

Affected range: >=18.19.0+dfsg-6~deb12u2
Fixed version: Not Fixed
EPSS Score: 0.04%
EPSS Percentile: 16th percentile
Description

A vulnerability in Node.js HTTP servers allows an attacker to send a specially crafted HTTP request with chunked encoding, leading to resource exhaustion and denial of service (DoS). The server reads an unbounded number of bytes from a single connection, exploiting the lack of limitations on chunk extension bytes. The issue can cause CPU and network bandwidth exhaustion, bypassing standard safeguards like timeouts and body size limits.

critical: 0 high: 1 medium: 0 low: 0 System.Data.SqlClient 4.8.5 (nuget)

pkg:nuget/System.Data.SqlClient@4.8.5

# Dockerfile (97:108)
RUN if [ "$WITH_POWERSHELL" = "true" ]; then \
    if [ "$TARGETPLATFORM" = "linux/amd64" ]; then apt-get update -y && apt install libicu-dev -y && wget -O 'pwsh.deb' "https://github.com/PowerShell/PowerShell/releases/download/v${POWERSHELL_VERSION}/powershell_${POWERSHELL_DEB_VERSION}.deb_amd64.deb" && \
    dpkg --install 'pwsh.deb' && \
    rm 'pwsh.deb'; \
    elif [ "$TARGETPLATFORM" = "linux/arm64" ]; then apt-get update -y && apt install libicu-dev -y && wget -O powershell.tar.gz "https://github.com/PowerShell/PowerShell/releases/download/v${POWERSHELL_VERSION}/powershell-${POWERSHELL_VERSION}-linux-arm64.tar.gz" && \
    mkdir -p /opt/microsoft/powershell/7 && \
    tar zxf powershell.tar.gz -C /opt/microsoft/powershell/7 && \
    chmod +x /opt/microsoft/powershell/7/pwsh && \
    ln -s /opt/microsoft/powershell/7/pwsh /usr/bin/pwsh && \
    rm powershell.tar.gz; \
    else echo 'Could not install pwshell, not on amd64 or arm64'; fi;  \
    else echo 'Building the image without powershell'; fi

high 8.7: CVE-2024-0056 Cleartext Transmission of Sensitive Information

Affected range: <4.8.6
Fixed version: 4.8.6
CVSS Score: 8.7
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N
EPSS Score: 0.13%
EPSS Percentile: 48th percentile
Description

Microsoft.Data.SqlClient and System.Data.SqlClient SQL Data Provider Security Feature Bypass Vulnerability

critical: 0 high: 1 medium: 0 low: 0 pip 24.0 (pypi)

pkg:pypi/pip@24.0

# Dockerfile (79:79)
FROM ${PYTHON_IMAGE}

high 7.8: CVE-2018-20225 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities

Affected range: >=0
Fixed version: Not Fixed
CVSS Score: 7.8
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS Score: 0.11%
EPSS Percentile: 45th percentile
Description

An issue was discovered in pip (all versions) because it installs the version with the highest version number, even if the user had intended to obtain a private package from a private index. This only affects use of the --extra-index-url option, and exploitation requires that the package does not already exist in the public index (and thus the attacker can put the package there with an arbitrary version number).
