Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix the latest CVES #2834

Merged
merged 1 commit into from
Jul 11, 2022
Merged

Fix the latest CVES #2834

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Jump to
Jump to file
Failed to load files.
Diff view
Diff view
20 changes: 11 additions & 9 deletions build/Dockerfile
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -16,8 +16,8 @@ FROM nginx:1.23.0 AS debian
RUN --mount=type=bind,from=opentracing-lib,target=/tmp/ot/ \
apt-get update \
&& apt-get install --no-install-recommends --no-install-suggests -y libcap2-bin \
# temp fix for CVE-2022-2068
&& apt-get install --no-install-recommends --no-install-suggests -y libssl1.1 openssl \
# temp fix for CVE-2022-2068, CVE-2021-4209, CVE-2022-34903, CVE-2022-27404
&& apt-get install --no-install-recommends --no-install-suggests -y libssl1.1 openssl libgnutls30 gpgv libfreetype6 \
&& rm -rf /var/lib/apt/lists/* \
&& cp -av /tmp/ot/usr/local/lib/libopentracing.so* /tmp/ot/usr/local/lib/libjaegertracing*so* /tmp/ot/usr/local/lib/libzipkin*so* /tmp/ot/usr/local/lib/libdd*so* /tmp/ot/usr/local/lib/libyaml*so* /usr/local/lib/ \
&& cp -av /tmp/ot/usr/lib/nginx/modules/ngx_http_opentracing_module.so /usr/lib/nginx/modules/ \
Expand All @@ -31,8 +31,8 @@ FROM docker.io/library/nginx:1.23.0-alpine AS alpine

RUN --mount=type=bind,from=alpine-opentracing-lib,target=/tmp/ot/ \
apk add --no-cache libcap libstdc++ \
# temp fix for CVE-2022-27405, CVE-2022-1586
&& apk upgrade --no-cache freetype pcre2 \
# temp fix for CVE-2022-27405, CVE-2022-1586, CVE-2022-32205, CVE-2022-2097, CVE-2022-32205, CVE-2022-2097
&& apk upgrade --no-cache freetype pcre2 curl libcrypto1.1 libcurl libssl1.1 \
&& cp -av /tmp/ot/usr/local/lib/libopentracing.so* /tmp/ot/usr/local/lib/libjaegertracing*so* /tmp/ot/usr/local/lib/libzipkin*so* /tmp/ot/usr/local/lib/libdd*so* /tmp/ot/usr/local/lib/libyaml*so* /usr/local/lib/ \
&& cp -av /tmp/ot/usr/lib/nginx/modules/ngx_http_opentracing_module.so /usr/lib/nginx/modules/ \
&& ldconfig /usr/local/lib/
Expand All @@ -45,7 +45,9 @@ ARG NGINX_PLUS_VERSION
RUN --mount=type=secret,id=nginx-repo.crt,dst=/etc/apk/cert.pem,mode=0644 \
--mount=type=secret,id=nginx-repo.key,dst=/etc/apk/cert.key,mode=0644 \
--mount=type=bind,from=alpine-opentracing-lib,target=/tmp/ot/ \
wget -nv -O /etc/apk/keys/nginx_signing.rsa.pub https://cs.nginx.com/static/keys/nginx_signing.rsa.pub \
# temp fix for CVE-2022-2097
apk upgrade --no-cache libcrypto1.1 libssl1.1 \
&& wget -nv -O /etc/apk/keys/nginx_signing.rsa.pub https://cs.nginx.com/static/keys/nginx_signing.rsa.pub \
&& printf "%s\n" "https://pkgs.nginx.com/plus/${NGINX_PLUS_VERSION}/alpine/v$(grep -E -o '^[0-9]+\.[0-9]+' /etc/alpine-release)/main" >> /etc/apk/repositories \
&& apk add --no-cache libcap nginx-plus nginx-plus-module-njs nginx-plus-module-opentracing libcurl \
&& cp -av /tmp/ot/usr/local/lib/libjaegertracing*so* /tmp/ot/usr/local/lib/libzipkin*so* /tmp/ot/usr/local/lib/libdd*so* /tmp/ot/usr/local/lib/libyaml*so* /usr/local/lib/ \
Expand All @@ -64,8 +66,8 @@ RUN --mount=type=secret,id=nginx-repo.crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode
--mount=type=bind,from=opentracing-lib,target=/tmp/ot/ \
apt-get update \
&& apt-get install --no-install-recommends --no-install-suggests -y ca-certificates gnupg curl apt-transport-https libcap2-bin \
# temp fix for CVE-2022-2068
&& apt-get install --no-install-recommends --no-install-suggests -y libssl1.1 openssl \
# temp fix for CVE-2022-2068, CVE-2021-4209
&& apt-get install --no-install-recommends --no-install-suggests -y libssl1.1 openssl libgnutls30 \
&& curl -fsSL https://cs.nginx.com/static/keys/nginx_signing.key | gpg --dearmor > /etc/apt/trusted.gpg.d/nginx_signing.gpg \
&& curl -fsSL -o /etc/apt/apt.conf.d/90pkgs-nginx https://cs.nginx.com/static/files/90pkgs-nginx \
&& DEBIAN_VERSION=$(awk -F '=' '/^VERSION_CODENAME=/ {print $2}' /etc/os-release) \
Expand Down Expand Up @@ -127,8 +129,8 @@ LABEL name="NGINX Ingress Controller" \
io.openshift.tags="nginx,ingress-controller,ingress,controller,kubernetes,openshift"

RUN dnf --nodocs install -y shadow-utils ca-certificates \
# temp fix for CVE-2022-1271
&& dnf --nodocs upgrade -y xz-libs \
# temp fix for CVE-2022-1271, CVE-2022-22576, CVE-2022-25313, CVE-2022-22576, CVE-2021-40528, CVE-2021-3634, CVE-2022-29824, CVE-2021-4189, CVE-2021-4189, CVE-2022-29824, CVE-2022-1621
&& dnf --nodocs upgrade -y xz-libs curl expat libcurl libgcrypt libssh libssh-config libxml2 platform-python python3-libs python3-libxml2 vim-minimal \
&& groupadd --system --gid 101 nginx \
&& useradd --system --gid nginx --no-create-home --home-dir /nonexistent --comment "nginx user" --shell /bin/false --uid 101 nginx

Expand Down