security: fix multiple cves (#404)

Azure · Mar 28, 2022 · bb19bcd · bb19bcd
1 parent 4f92012
commit bb19bcd
Show file tree

Hide file tree

Showing 2 changed files with 7 additions and 5 deletions.
diff --git a/.pipelines/templates/scan-images.yaml b/.pipelines/templates/scan-images.yaml
@@ -7,8 +7,8 @@ steps:
       ALL_LINUX_ARCH: amd64 # build amd64 only to speed up PR gate
       OUTPUT_TYPE: type=docker
   - script: |
-      wget https://github.com/aquasecurity/trivy/releases/download/v${TRIVY_VERSION:-0.23.0}/trivy_${TRIVY_VERSION:-0.23.0}_Linux-64bit.tar.gz
-      tar zxvf trivy_${TRIVY_VERSION:-0.23.0}_Linux-64bit.tar.gz
+      wget https://github.com/aquasecurity/trivy/releases/download/v${TRIVY_VERSION:-0.24.4}/trivy_${TRIVY_VERSION:-0.24.4}_Linux-64bit.tar.gz
+      tar zxvf trivy_${TRIVY_VERSION:-0.24.4}_Linux-64bit.tar.gz
       # show all vulnerabilities in the logs
       ./trivy image --reset
       for IMAGE_NAME in "proxy" "proxy-init" "webhook"; do

diff --git a/docker/proxy-init.Dockerfile b/docker/proxy-init.Dockerfile
@@ -1,10 +1,12 @@
-FROM --platform=${TARGETPLATFORM:-linux/amd64} k8s.gcr.io/build-image/debian-iptables:bullseye-v1.1.0
+FROM --platform=${TARGETPLATFORM:-linux/amd64} k8s.gcr.io/build-image/debian-iptables:bullseye-v1.2.0
 
 # upgrading libssl1.1 due to CVE-2021-3711 and CVE-2021-3712
-# upgrading libgssapi-krb5-2 and libk5crypto3 due to CVE-2021-37750
 # upgrading libgmp10 due to CVE-2021-43618
 # upgrading bsdutils due to CVE-2021-3995 and CVE-2021-3996
-RUN clean-install ca-certificates libssl1.1 libgssapi-krb5-2 libk5crypto3 libgmp10 bsdutils
+# upgrading libc-bin due to CVE-2021-33574, CVE-2022-23218 and CVE-2022-23219
+# upgrading libc6 due to CVE-2021-33574, CVE-2022-23218 and CVE-2022-23219
+# upgrading libsystemd0 and libudev1 due to CVE-2021-3997
+RUN clean-install ca-certificates libssl1.1 libgmp10 bsdutils libc-bin libc6 libsystemd0 libudev1
 COPY ./init/init-iptables.sh /bin/
 RUN chmod +x /bin/init-iptables.sh
 # Kubernetes runAsNonRoot requires USER to be numeric