[anaconda]-Fix for vulnerability issue CVE-2024-52338 and CVE-2025-6176 (#1742)

sireeshajonnalagadda · abdurriq · Copilot · web-flow · commit e81718b53610 · 2026-02-04T12:23:32.000Z
* Update vulnerable package versions in security patch script and manifest

* Add 'brotli' to the list of packages that should always pin to the required version

* bumping up the manifest version

* Remove 'protobuf' from the list of packages that should always pin to the required version

* Apply suggestion from @Copilot

Co-authored-by: Copilot &lt;175728472+Copilot@users.noreply.github.com&gt;

---------

Co-authored-by: Abdurrahmaan Iqbal &lt;137001048+abdurriq@users.noreply.github.com&gt;
Co-authored-by: Copilot &lt;175728472+Copilot@users.noreply.github.com&gt;
diff --git a/src/anaconda/.devcontainer/apply_security_patches.sh b/src/anaconda/.devcontainer/apply_security_patches.sh
@@ -4,7 +4,7 @@
 # werkzeug - [GHSA-f9vj-2wh5-fj8j] 
 
 vulnerable_packages=( "mistune=3.0.1" "aiohttp=3.10.11" "cryptography=44.0.1" "h11=0.16.0" "jinja2=3.1.6" "jupyter_core=5.8.1" "protobuf=5.29.5" "requests=2.32.4" "setuptools=78.1.1" "transformers=4.53.0" "urllib3=2.5.0" "Werkzeug=3.0.6" "jupyter-lsp=2.2.2" "scrapy=2.11.2" \ 
-                      "zipp=3.19.1" "tornado=6.4.2" "jupyterlab=4.4.8" "imagecodecs=2024.9.22" "fonttools=4.60.2")
+                      "zipp=3.19.1" "tornado=6.4.2" "jupyterlab=4.4.8" "imagecodecs=2024.9.22" "fonttools=4.60.2" "pyarrow=17.0.0" "brotli=1.2.0" )
 
 # Define the number of rows (based on the length of vulnerable_packages)
 rows=${#vulnerable_packages[@]}
@@ -26,7 +26,7 @@ done
 
 # Add an array for packages that should always pin to the provided version, 
 # even if higher version is available in conda channel
-pin_to_required_version=("protobuf" "transformers" "imagecodecs")
+pin_to_required_version=("transformers" "imagecodecs" "brotli")
 
 # Function to check if a package is in the pin_to_required_version array
 function is_pin_to_required_version() {
diff --git a/src/anaconda/test-project/test.sh b/src/anaconda/test-project/test.sh
@@ -47,7 +47,7 @@ checkPythonPackageVersion "mpmath" "1.3.0"
 checkPythonPackageVersion "aiohttp" "3.10.2"
 checkPythonPackageVersion "tornado" "6.4.2"
 checkPythonPackageVersion "jupyter_server" "2.14.1"
-checkPythonPackageVersion "pyarrow" "14.0.1"
+checkPythonPackageVersion "pyarrow" "17.0.0"
 checkPythonPackageVersion "pillow" "10.3.0"
 checkPythonPackageVersion "jupyterlab" "4.4.8"
 checkPythonPackageVersion "notebook" "7.2.2"
@@ -60,14 +60,15 @@ checkPythonPackageVersion "requests" "2.32.4"
 checkPythonPackageVersion "scikit-learn" "1.5.0"
 checkPythonPackageVersion "zipp" "3.19.1"
 checkPythonPackageVersion "imagecodecs" "2023.9.18"
+checkPythonPackageVersion "brotli" "1.2.0"
 checkPythonPackageVersion "fonttools" "4.60.2"
 
 checkCondaPackageVersion "pyopenssl" "24.2.1"
 checkCondaPackageVersion "requests" "2.32.4"
 checkCondaPackageVersion "pygments" "2.15.1"
 checkCondaPackageVersion "mpmath" "1.3.0"
 checkCondaPackageVersion "urllib3" "2.5.0"
-checkCondaPackageVersion "pyarrow" "14.0.1"
+checkCondaPackageVersion "pyarrow" "17.0.0"
 checkCondaPackageVersion "pydantic" "2.5.3"
 checkCondaPackageVersion "tqdm" "4.66.4"
 checkCondaPackageVersion "black" "24.4.2"
