This repository was archived by the owner on Jan 17, 2025. It is now read-only.

Conversation

@falkzoll
Contributor

No description provided.

@falkzoll falkzoll requested a review from somaya10 February 26, 2020 07:56

@mrutkows mrutkows left a comment


is there a reason we are "cherry picking" curl security fixes? Is there an associated issue and should we be doing this across other runtimes?

RUN cd / && npm install --production \
RUN apt-get update \
# Update some installed packages to get security fixes.
&& apt-get install -y --no-install-recommends curl \
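Review bot: the `apt-get install -y --no-install-recommends curl` line installs whatever curl version the Debian repository serves at build time, so the Dockerfile itself never encodes the `>= 7.52.1-5+deb9u10` threshold the advisor asked for, and a build against a stale mirror would pass silently with the three CVEs still open. Either pin the package (`curl=7.52.1-5+deb9u10`) or add a build-time check that the installed version is at or above the fixed one; in both cases, name the CVEs in the comment so the reason for the extra install survives once the base image catches up and the line becomes a no-op.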


Contributor Author


The Vulnerability Advisor of the IBM Cloud Container Registry showed 3 CVEs for the current version of curl:

    Vulnerability ID   Policy Status   Affected Packages   How to Resolve
    CVE-2019-5436      Active          curl                Upgrade curl to >= 7.52.1-5+deb9u10
    CVE-2019-5481      Active          curl                Upgrade curl to >= 7.52.1-5+deb9u10
    CVE-2019-5482      Active          curl                Upgrade curl to >= 7.52.1-5+deb9u10

Since we want to have this fix available fast, we added it here. Once the fixed curl version is part of the base image we use, the install here will become a nop.
And yes, there are other runtimes that are affected, too. I created a PR for the runtime-python repository (ibm-functions/runtime-python#104). Others probably will follow.

&& rm -rf /var/lib/apt/lists/* \
# Start adding/updating npm packages.
&& cd / \
&& npm install --production \


Thanks for adding this...

@somaya10 somaya10 merged commit 04d0aff into ibm-functions:master Feb 27, 2020
@mrutkows

@falkzoll did you carry this security fix over to Apache OpenWhisk? It would be bad precedent to have IBM not supply known security fixes to their supposed upstream...

@falkzoll
Contributor Author

falkzoll commented Mar 2, 2020

No worries, this is not the case. We just shorten the time until the runtime image in this repository receives the security fix.
Most Apache OpenWhisk runtimes have automatically fetched this update in their nightly builds already. Unfortunately we cannot immediately jump to this new version of the base runtime image. We need time to consume these updated images and to verify the other changes in them.

To avoid this delay until we can jump to the updated Apache OpenWhisk base image that includes the security fix, we do the apt-get install here. When we are finally able to consume the updated Apache OpenWhisk image, this update operation (apt-get install) here will be a 'no operation' action since the module (curl in this case) is already at the newest version from the new base image we then use.

@mrutkows

mrutkows commented Mar 3, 2020

@falkzoll thanks for your thorough answer ;)
