Skip to content

Commit

Permalink
Update packages for CVEs (#3447)
Browse files Browse the repository at this point in the history
  • Loading branch information
@lucacome
lucacome committed Jan 18, 2023
1 parent 3b98ef8 commit 809d044
Showing 1 changed file with 2 additions and 6 deletions.
8 changes: 2 additions & 6 deletions build/Dockerfile
View file
Original file line number Diff line number Diff line change
Expand Up @@ -15,8 +15,6 @@ FROM nginx:1.23.3 AS debian
RUN --mount=type=bind,from=opentracing-lib,target=/tmp/ot/ \
apt-get update \
&& apt-get install --no-install-recommends --no-install-suggests -y libcap2-bin \
# temp fix for CVE-2021-46848
&& apt-get install -y libtasn1-6 \
&& rm -rf /var/lib/apt/lists/* \
&& cp -av /tmp/ot/usr/local/lib/libopentracing.so* /tmp/ot/usr/local/lib/libjaegertracing*so* /tmp/ot/usr/local/lib/libzipkin*so* /tmp/ot/usr/local/lib/libdd*so* /tmp/ot/usr/local/lib/libyaml*so* /usr/local/lib/ \
&& cp -av /tmp/ot/usr/lib/nginx/modules/ngx_http_opentracing_module.so /usr/lib/nginx/modules/ \
Expand Down Expand Up @@ -66,8 +64,6 @@ RUN --mount=type=secret,id=nginx-repo.crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode
&& printf "%s\n" "deb https://pkgs.nginx.com/plus/${NGINX_PLUS_VERSION}/debian ${DEBIAN_VERSION} nginx-plus" > /etc/apt/sources.list.d/nginx-plus.list \
&& apt-get update \
&& apt-get install --no-install-recommends --no-install-suggests -y nginx-plus nginx-plus-module-njs nginx-plus-module-opentracing libcurl4 \
# temp fix for CVE-2021-46848
&& apt-get install -y libtasn1-6 \
&& apt-get purge --auto-remove -y apt-transport-https gnupg curl \
&& cp -av /tmp/ot/usr/local/lib/libjaegertracing*so* /tmp/ot/usr/local/lib/libzipkin*so* /tmp/ot/usr/local/lib/libdd*so* /tmp/ot/usr/local/lib/libyaml*so* /usr/local/lib/ \
&& ldconfig \
Expand Down Expand Up @@ -131,8 +127,8 @@ SHELL ["/bin/bash", "-o", "pipefail", "-c"]
RUN --mount=type=secret,id=nginx-repo.crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode=0644 \
--mount=type=secret,id=nginx-repo.key,dst=/etc/ssl/nginx/nginx-repo.key,mode=0644 \
dnf --nodocs install -y shadow-utils ca-certificates \
# temp fix for CVE-2022-1304 CVE-2016-3709 and CVE-2022-42898
&& dnf --nodocs install -y libcom_err libxml2 krb5-libs \
# temp fix for CVE-2022-1304 CVE-2016-3709, CVE-2022-42898, CVE-2022-42010, CVE-2022-43680, CVE-2022-3821, CVE-2021-46848 and CVE-2022-35737
&& dnf --nodocs upgrade -y libcom_err libxml2 krb5-libs dbus expat systemd libtasn1 sqlite-libs \
&& groupadd --system --gid 101 nginx \
&& useradd --system --gid nginx --no-create-home --home-dir /nonexistent --comment "nginx user" --shell /bin/false --uid 101 nginx \
&& rpm --import https://cs.nginx.com/static/keys/nginx_signing.key \
Expand Down

0 comments on commit 809d044

Please sign in to comment.