From 6f82a9a07c6729986fe5627e2bd064c8d230153c Mon Sep 17 00:00:00 2001 From: Alisha Mayor Date: Wed, 26 May 2021 13:37:06 -0700 Subject: [PATCH 1/4] Fix libpqquality package errata --- base/redhat-8/install.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/base/redhat-8/install.sh b/base/redhat-8/install.sh index 783b1869..77670f67 100755 --- a/base/redhat-8/install.sh +++ b/base/redhat-8/install.sh @@ -29,7 +29,7 @@ export LANG=en_US.utf8 microdnf -y --nodocs install wget sudo shadow-utils procps tar tzdata make gcc \ openssl-devel bzip2-devel libffi-devel findutils # Patch security updates -microdnf -y --nodocs update gnutls kernel-headers librepo libnghttp2 tzdata nettle +microdnf -y --nodocs update gnutls kernel-headers librepo libnghttp2 tzdata nettle libpwquality # Install Python and necessary packages PY_SHORT=${PYTHON_VERSION%.*} @@ -60,7 +60,7 @@ ldconfig microdnf remove -y make gcc openssl-devel bzip2-devel libffi-devel findutils cpp binutils \ glibc-devel keyutils-libs-devel krb5-devel libcom_err-devel libselinux-devel \ - libsepol-devel libverto-devel libxcrypt-devel pcre2-devel zlib-devel cracklib-dicts + libsepol-devel libverto-devel libxcrypt-devel pcre2-devel zlib-devel microdnf clean all # Install scloud From 61f6bad52260e931c7b527add8e33772395837a7 Mon Sep 17 00:00:00 2001 From: Alisha Mayor Date: Wed, 26 May 2021 14:56:23 -0700 Subject: [PATCH 2/4] Managing trivy vulns --- .trivyignore | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/.trivyignore b/.trivyignore index 905b451b..19d7a228 100644 --- a/.trivyignore +++ b/.trivyignore 
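Review bot: The added `libpwquality` on the `microdnf -y --nodocs update` line extends a hand-maintained list of packages to patch, so any other vulnerable package already present in the base image stays at its old version until someone appends it here after the next scanner run. Unless the rest of the image is deliberately frozen, `microdnf -y --nodocs update` with no package list would apply all available errata in one step; if the curated list is intentional, a comment above it such as `# Packages with open scanner findings; revisit after each scan` would stop it reading as an oversight. The commit subject says "libpqquality", but `libpwquality` on the line is the correct package name.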
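Review bot: Dropping `cracklib-dicts` from the `microdnf remove -y` cleanup list is not explained anywhere in the script, so a later cleanup pass is likely to put it back and silently break whatever needs it. Presumably it is being kept because `libpwquality`, updated earlier in the same file, uses it at runtime; if so, a one-line comment above the `microdnf remove` block such as `# cracklib-dicts is intentionally kept: libpwquality needs it` records that — confirm the dependency before wording it as fact.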
@@ -1,7 +1,8 @@ -# Both of these are coming from this file, but it's not actually installed in the container +# These are coming from the file below, but it's not actually installed in the container # /usr/lib/python3.7/site-packages/ansible_collections/netbox/netbox/poetry.lock CVE-2020-36242 CVE-2020-14343 +CVE-2021-29510 # Downgraded to LOW severity by the Product Security team as the packages are not actually # shipped with the release. @@ -22,4 +23,7 @@ CVE-2020-25649 # Fixed by Apache Spark in versions 3.0.3, 3.1.2, 3.2.0 CVE-2020-27216 CVE-2021-28165 -CVE-2020-27216 \ No newline at end of file +CVE-2020-27216 + +# Ignoring for now -- escalated to ProdSec +CVE-2021-27568 From 30c7fe7573ea9edaed3e11b1a2af38267d97ad42 Mon Sep 17 00:00:00 2001 From: Alisha Mayor Date: Wed, 26 May 2021 15:32:31 -0700 Subject: [PATCH 3/4] More security patching --- base/debian-10/install.sh | 2 +- base/debian-9/install.sh | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/base/debian-10/install.sh b/base/debian-10/install.sh index 1b56f9ae..abe40351 100755 --- a/base/debian-10/install.sh +++ b/base/debian-10/install.sh @@ -33,7 +33,7 @@ ln -sf /usr/share/zoneinfo/UTC /etc/localtime apt-get install -y --no-install-recommends curl sudo libgssapi-krb5-2 busybox procps acl gcc make \ libffi-dev libssl-dev make build-essential libbz2-dev \ wget xz-utils ca-certificates zlib1g-dev python3-apt \ - p11-kit + p11-kit lz4 # Install Python and necessary packages PY_SHORT=${PYTHON_VERSION%.*} diff --git a/base/debian-9/install.sh b/base/debian-9/install.sh index b52aa612..b7cdb04b 100755 --- a/base/debian-9/install.sh +++ b/base/debian-9/install.sh 
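Review bot: Adding `CVE-2021-29510` makes three CVEs suppressed solely because they are reported from `.../ansible_collections/netbox/netbox/poetry.lock`, a file the comment says is not actually used in the container, and every future advisory against a package in that lock file will need the same treatment. Deleting the lock file from the image removes the findings at the source: the redhat-8 `install.sh` already prunes test directories and `*.pyc` files with `find` after the pip install, and a `find /usr/lib/ -name poetry.lock -delete` next to those lines would let all three entries be removed from this file. If the file must stay, the comment should at least record which scan or release the entries were reviewed against so they can be retired later.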
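Review bot: `CVE-2020-27216` is still listed twice after this hunk — once as context above `CVE-2021-28165` and once on the re-added line that fixes the missing trailing newline — so the newline fix preserved a duplicate entry and one of the two should go. The new `CVE-2021-27568` suppression is open-ended: "escalated to ProdSec" names no ticket or owner, and "for now" ignores tend to become permanent without a revisit trigger. A comment like `# Ignoring pending ProdSec review (ticket <id>, revisit by <date>)` keeps the exception auditable; unless the Trivy version in use supports per-entry expiry dates, this comment is the only place that context can live.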
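Review bot: Adding `lz4` to the `apt-get install --no-install-recommends` list installs the lz4 command-line tool, while the commit title describes the change as security patching; if the intent is to pull a fixed `liblz4-1` (presumably already present as a dependency of something else), `apt-get install -y --only-upgrade liblz4-1`, or an `apt-get upgrade -y` after `apt-get update`, patches the library without adding a new binary to the image. If the tool itself is wanted, a comment on the line saying so, e.g. `# lz4: installed explicitly so liblz4-1 is upgraded to the patched build`, would keep a later cleanup from pruning it as a stray addition. Nothing here pins a version, so this only helps if the apt index used at build time already carries the fixed package.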
@@ -32,7 +32,7 @@ ln -sf /usr/share/zoneinfo/UTC /etc/localtime # Install utility packages apt-get install -y --no-install-recommends curl sudo libgssapi-krb5-2 busybox procps acl gcc make \ libffi-dev libssl-dev make build-essential libbz2-dev \ - wget xz-utils ca-certificates zlib1g-dev + wget xz-utils ca-certificates zlib1g-dev lz4 # Install Python and necessary packages PY_SHORT=${PYTHON_VERSION%.*} From f332aac2b1ba8248dca1c418a9e79e5f2bd0aee7 Mon Sep 17 00:00:00 2001 From: Alisha Mayor Date: Wed, 26 May 2021 17:12:13 -0700 Subject: [PATCH 4/4] Nelson blames Ansible --- base/redhat-8/install.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/base/redhat-8/install.sh b/base/redhat-8/install.sh index 77670f67..c5e8e2a2 100755 --- a/base/redhat-8/install.sh +++ b/base/redhat-8/install.sh @@ -51,7 +51,7 @@ ln -sf /usr/bin/python${PY_SHORT} /usr/bin/python ln -sf /usr/bin/pip${PY_SHORT} /usr/bin/pip # Install splunk-ansible dependencies cd / -pip -q --no-cache-dir install six wheel requests cryptography==3.3.2 ansible jmespath --upgrade +pip -q --no-cache-dir install six wheel requests cryptography==3.3.2 ansible==3.4.0 jmespath --upgrade # Remove tests packaged in python libs find /usr/lib/ -depth \( -type d -a -not -wholename '*/ansible/plugins/test' -a \( -name test -o -name tests -o -name idle_test \) \) -exec rm -rf '{}' \; find /usr/lib/ -depth \( -type f -a -name '*.pyc' -o -name '*.pyo' -o -name '*.a' \) -exec rm -rf '{}' \;
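Review bot: As with the debian-10 script, the new `lz4` entry on the `apt-get install` line adds a command-line tool where the commit title suggests a library fix was the goal; if `liblz4-1` is what needs patching, `apt-get install -y --only-upgrade liblz4-1` (or a full `apt-get upgrade -y`) does that without enlarging the image. Debian 9 is old enough that the fixed package may only be available from its security/LTS pocket — confirm the image's apt sources include it, otherwise this line installs the tool but not the fix. Separately, `make` appears twice in the same install command (`gcc make \` and again before `build-essential`), which is harmless but worth tidying while the line is being touched.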
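Review bot: The new `ansible==3.4.0` pin on the `pip -q --no-cache-dir install` line carries no comment explaining why this version, and the commit title ("Nelson blames Ansible") does not record it either, so nobody will know when it is safe to bump; a comment above the line such as `# ansible pinned to 3.4.0: <reason/ticket>; cryptography pinned to 3.3.2: <reason>` is the minimum. The same line still lets `six wheel requests jmespath` float with `--upgrade` and verifies nothing about what PyPI serves, so moving these into a `requirements.txt` installed with `--require-hashes` would give both reproducibility and tamper detection for this image's Ansible dependency chain. Note also that a pinned `cryptography` stops receiving upstream security fixes, so that pin in particular needs an owner and a periodic check.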