Update 1.1.1f-1ubuntu2.13 to at least 1.1.1f-1ubuntu2.15 #10800

Closed
korthout opened this issue Oct 24, 2022 · 4 comments · Fixed by #10810
Labels: area/security, good first issue, kind/toil, support, version:8.1.3, version:8.2.0-alpha1, version:8.2.0

Comments

korthout (Member) commented Oct 24, 2022

Description

1.1.1f-1ubuntu2.15 fixes CVE-2022-2068.

Support Issue: https://jira.camunda.com/browse/SUPPORT-14896

korthout added the kind/toil label Oct 24, 2022

@korthout (Member, Author)

We can do this by updating the base image used to build the Zeebe docker image. (Move the pin to a newer hash)

@npepinpe (Member)

You mean update the OpenSSL package version to 1.1.1f-1ubuntu2.15, right? Do we know this is fixed in the latest temurin image?

@npepinpe (Member)

OK, with the latest image the version of OpenSSL is 1.1.1f-1ubuntu2.16, so it should be fine.

npepinpe added the good first issue and area/security labels Oct 25, 2022
npepinpe self-assigned this Oct 25, 2022

@korthout (Member, Author)

Yes, it would be fixed by updating to a newer base image because 8.0.7 was built using an unpinned digest of the base image and no longer contains this vulnerability.

zeebe-bors-camunda bot added a commit that referenced this issue Oct 25, 2022
10811: [Backport stable/8.1] build(docker): update base image to fix CVE-2022-2068 r=korthout a=backport-action

# Description
Backport of #10810 to `stable/8.1`.

relates to #10800

Co-authored-by: Nicolas Pepin-Perreault <nicolas.pepin-perreault@camunda.com>
korthout added the version:8.2.0-alpha1 and version:8.1.3 labels Nov 1, 2022
menski added the support label Nov 9, 2022
npepinpe added the version:8.2.0 label Apr 5, 2023