Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Update packages for CVEs #3258

Merged
merged 2 commits into from
Nov 16, 2022
Merged

Update packages for CVEs #3258

Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
c5c0c07
Update packages for CVEs
lucacome Nov 15, 2022
113602d
Merge branch 'main' into chore/update-cve
lucacome Nov 15, 2022
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Jump to
Jump to file
Failed to load files.
Diff view
Diff view
11 changes: 5 additions & 6 deletions build/Dockerfile
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -16,8 +16,6 @@ FROM nginx:1.23.2 AS debian
RUN --mount=type=bind,from=opentracing-lib,target=/tmp/ot/ \
apt-get update \
&& apt-get install --no-install-recommends --no-install-suggests -y libcap2-bin \
# temp fix for CVE-2022-40674
&& apt-get install -y libexpat1 \
&& rm -rf /var/lib/apt/lists/* \
&& cp -av /tmp/ot/usr/local/lib/libopentracing.so* /tmp/ot/usr/local/lib/libjaegertracing*so* /tmp/ot/usr/local/lib/libzipkin*so* /tmp/ot/usr/local/lib/libdd*so* /tmp/ot/usr/local/lib/libyaml*so* /usr/local/lib/ \
&& cp -av /tmp/ot/usr/lib/nginx/modules/ngx_http_opentracing_module.so /usr/lib/nginx/modules/ \
Expand All @@ -29,8 +27,6 @@ FROM nginx:1.23.2-alpine AS alpine

RUN --mount=type=bind,from=alpine-opentracing-lib,target=/tmp/ot/ \
apk add --no-cache libcap libstdc++ \
# temp fix for CVE-2022-3209 and CVE-2022-35252
&& apk upgrade --no-cache libxml2 curl libcurl \
&& cp -av /tmp/ot/usr/local/lib/libopentracing.so* /tmp/ot/usr/local/lib/libjaegertracing*so* /tmp/ot/usr/local/lib/libzipkin*so* /tmp/ot/usr/local/lib/libdd*so* /tmp/ot/usr/local/lib/libyaml*so* /usr/local/lib/ \
&& cp -av /tmp/ot/usr/lib/nginx/modules/ngx_http_opentracing_module.so /usr/lib/nginx/modules/ \
&& ldconfig /usr/local/lib/
Expand Down Expand Up @@ -90,8 +86,6 @@ RUN --mount=type=secret,id=nginx-repo.crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode
&& printf "%s\n" "deb https://pkgs.nginx.com/app-protect/${NGINX_PLUS_VERSION}/debian ${DEBIAN_VERSION} nginx-plus" \
"deb https://pkgs.nginx.com/app-protect-security-updates/debian ${DEBIAN_VERSION} nginx-plus" > /etc/apt/sources.list.d/nginx-app-protect.list \
&& apt-get update \
# temp fix for CVE-2022-37434 and DLA-3112-1
&& apt-get install zlib1g libbz2-1.0 \
&& apt-get install --no-install-recommends --no-install-suggests -y app-protect app-protect-attack-signatures app-protect-threat-campaigns \
&& apt-get purge --auto-remove -y curl; \
fi \
Expand Down Expand Up @@ -125,6 +119,9 @@ LABEL name="NGINX Ingress Controller" \

COPY --link --chown=101:0 LICENSE /licenses/

# temp fix for CVE-2022-27404, CVE-2022-33099 and CVE-2022-37434
RUN microdnf --nodocs upgrade -y freetype lua-libs zlib


############################################# Base image for UBI with NGINX Plus #############################################
FROM redhat/ubi8 AS ubi-plus
Expand All @@ -134,6 +131,8 @@ SHELL ["/bin/bash", "-o", "pipefail", "-c"]
RUN --mount=type=secret,id=nginx-repo.crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode=0644 \
--mount=type=secret,id=nginx-repo.key,dst=/etc/ssl/nginx/nginx-repo.key,mode=0644 \
dnf --nodocs install -y shadow-utils ca-certificates \
# temp fix for CVE-2022-1304 and CVE-2016-3709
&& dnf --nodocs install -y libcom_err libxml2 \
&& groupadd --system --gid 101 nginx \
&& useradd --system --gid nginx --no-create-home --home-dir /nonexistent --comment "nginx user" --shell /bin/false --uid 101 nginx \
&& rpm --import https://cs.nginx.com/static/keys/nginx_signing.key \
Expand Down