Vulnerability in Python 3.10 (setuptools inside ensurepip folder)
bhupendra-vaishnav opened this issue · comments
We are working on Python 3.10 and found vulnerable version of setuptools package which is setuptools-65.5.0.
We did see Python 3.10 already has a fix for setuptools package and updated version of setuptools package which is setuptools-65.5.1. Though while doing analysis, we found the traces of vulnerable version inside ensurepip
folder.
Please refer absolute file paths highlighted by blue in attached screenshot :
Vulnerability reference : GHSA-r9hx-vwmv-q579
./usr/local/lib/python3.10/ensurepip/_bundled/setuptools-65.5.0-py3-none-any.whl
As ensurepip
module is part of pip
, does the Python image needs an update for the pip
package as well?
We use the python image as base for the dev container images which are getting flagged with the setuptools
vulnerability in our scanners.
We appreciate the quick fix for #783, hoping to get this resolved as well. Thank you!
// cc @tianon
The ensurepip
module is part of Python's own stdlib (which is thus where this is coming from), not pip
😭
Hmmm. @tianon Is there any way to patch this? 🤔
I'm sure there's a way -- the best one would be for Python upstream to do new releases with the updated setuptools
bundled (because this really isn't a Docker-specific problem -- it just looks like one because we seem to be one of the few parties publishing builds of their sources fairly "vanilla"). I don't know what the likelihood of that happening is, though.
For your builds, it would probably be pretty reasonable to purge the ensurepip
module completely from your derivative images, but I must admit I don't know how common ensurepip
is for users to actually use.
For your builds, it would probably be pretty reasonable to purge the ensurepip module completely from your derivative images, but I must admit I don't know how common ensurepip is for users to actually use.
Removing ensurepip
could break the ability to bootstrap pip
into new virtual environments created with venv
(a tool for creating isolated Python environments), or other systems that rely on ensurepip
to ensure pip
is available. Hence, I don't think we should remove ensurepip
from our images.
it just looks like one because we seem to be one of the few parties publishing builds of their sources fairly "vanilla"
@tianon Is the python image always build with latest builds of Python?
@bhupendra-vaishnav can you raise this issue in https://github.com/python/cpython and request them to update their ensurepip
bundle?
Yep, we build from the latest published releases and try to keep any changes minimal.
See https://github.com/docker-library/python/blob/b273afc57978521d33fefe5887ad901d0d35de87/3.10/bookworm/Dockerfile for the current Dockerfile
for python:3.10
.