summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorGary Wu <gary.i.wu@huawei.com>2018-04-26 11:17:08 -0700
committerGary Wu <gary.i.wu@huawei.com>2018-05-16 20:20:48 -0700
commitb633d8594d1e2f68fce40c59b87780110e8694e1 (patch)
treea327ce59276c25b528fe9f9ac2d66c79f4ce79f9
parent962b69c39a72697aa82c6b4ceef1fe20fbb110b2 (diff)
Fix library CVEs in sdc-workflow-designer
Address additional CVEs in systme libraries. Remove explicit version numbers because those versions could get removed from the ubuntu repos, which will cause build failures. Instead, upgrade to the latest available versions. Change-Id: I02c28bfa64f12ca55ec6e731cf1056b4aa934765 Issue-ID: SDC-1201 Signed-off-by: Gary Wu <gary.i.wu@huawei.com>
-rw-r--r--distribution/src/main/docker/Dockerfile66
1 files changed, 45 insertions, 21 deletions
diff --git a/distribution/src/main/docker/Dockerfile b/distribution/src/main/docker/Dockerfile
index ebae7b13..bd28c615 100644
--- a/distribution/src/main/docker/Dockerfile
+++ b/distribution/src/main/docker/Dockerfile
@@ -12,15 +12,14 @@ RUN apt-get install -y openjdk-8-jdk
RUN apt-get -y upgrade
-# Install specific system libraries to fix CVE vulnerabilities
-RUN echo "deb http://archive.ubuntu.com/ubuntu/ artful main restricted" >> /etc/apt/sources.list && \
- echo "deb http://security.ubuntu.com/ubuntu/ artful-security main restricted" >> /etc/apt/sources.list && \
- echo "deb http://archive.ubuntu.com/ubuntu/ bionic main restricted" >> /etc/apt/sources.list && \
+# Upgrade specific system libraries to fix CVE vulnerabilities
+RUN echo "deb http://archive.ubuntu.com/ubuntu/ bionic main restricted" >> /etc/apt/sources.list && \
+ echo "deb http://security.ubuntu.com/ubuntu/ bionic-security main restricted" >> /etc/apt/sources.list && \
apt-get -y update
# krb5 1.16-2build1
# For CVE-2017-15088 CVE-2017-11462
-# libvorbis 1.3.5-4ubuntu0.2
+# libvorbis 1.3.5-4.2
# For CVE-2017-14632 CVE-2017-14160
# libx11 2:1.6.4-3
# For CVE-2016-7943 CVE-2016-7942
@@ -30,30 +29,55 @@ RUN echo "deb http://archive.ubuntu.com/ubuntu/ artful main restricted" >> /etc/
# For CVE-2017-10685 CVE-2017-10684
# libsqllite3-0 3.22.0-1
# For CVE-2017-10989
-# libtiff5 4.0.8-5ubuntu0.1
+# libtiff5 4.0.9-5
# For CVE-2017-9117 CVE-2016-9540 CVE-2016-9539 CVE-2016-9538 CVE-2016-9537 CVE-2016-9536 CVE-2016-9535 CVE-2016-9534 CVE-2016-9533 CVE-2015-8668 CVE-2015-7554 CVE-2016-6223 CVE-2017-5563 CVE-2016-3621 CVE-2016-8331
# shadow 1:4.5-1ubuntu1
# For CVE-2017-12424
-# perl-base 5.26.0-8ubuntu1.1
+# perl-base 5.26.1-6
# For CVE-2015-8608 CVE-2017-12883
-# openssl 1.1.0g-2ubuntu3
+# openssl 1.1.0g-2ubuntu4
# For CVE-2016-6303 CVE-2016-2182 CVE-2016-2177 CVE-2016-2176
# zlib1g 1:1.2.11.dfsg-0ubuntu2
# For CVE-2016-9843 CVE-2016-9841 CVE-2016-9842 CVE-2016-9840
+# libdb5.3
+# CVE-2016-3418 CVE-2016-0694 CVE-2016-0692 CVE-2016-0689 CVE-2016-0682
+# libcairo2
+# CVE-2017-9814
+# libc-bin libc6 multiarch-support
+# CVE-2018-6485
+# libgtk2.0-0 libgtk2.0-bin libgtk2.0-common
+# CVE-2014-1949
+# libgcrypt20
+# CVE-2017-0379
+# libxi6
+# CVE-2016-7946 CVE-2016-7945
+# libxml2
+# CVE-2016-9318
+# libpcre3
+# CVE-2017-6004
-RUN apt-get -y install \
- libkrb5-3=1.16-2build1 krb5-locales=1.16-2build1 \
- libvorbis0a=1.3.5-4ubuntu0.2 \
- libx11-6=2:1.6.4-3 libx11-data=2:1.6.4-3 libx11-doc=2:1.6.4-3 libx11-xcb1=2:1.6.4-3 \
- libxtst6=2:1.2.3-1 \
- ncurses-base=6.1-1ubuntu1 ncurses-bin=6.1-1ubuntu1 libncurses5=6.1-1ubuntu1 libncursesw5=6.1-1ubuntu1 \
- libsqlite3-0=3.22.0-1 \
- libtiff5=4.0.8-5ubuntu0.1 \
- passwd=1:4.5-1ubuntu1 \
- perl-base=5.26.0-8ubuntu1.1 \
- openssl=1.1.0g-2ubuntu3 \
- zlib1g=1:1.2.11.dfsg-0ubuntu2
-
+RUN apt-get -y --only-upgrade install \
+ libkrb5-3 krb5-locales \
+ libvorbis0a \
+ libx11-6 libx11-data libx11-doc libx11-xcb1 \
+ libxtst6 \
+ ncurses-base ncurses-bin libncurses5 libncursesw5 \
+ libsqlite3-0 \
+ libtiff5 \
+ passwd \
+ perl-base \
+ libssl1.0.0 \
+ openssl \
+ zlib1g \
+ libdb5.3 \
+ libcairo2 \
+ libc-bin libc6 multiarch-support \
+ libgtk2.0-0 libgtk2.0-bin libgtk2.0-common \
+ libgcrypt20 \
+ libxi6 \
+ libxml2 \
+ libpcre3 && \
+ apt-get -y autoremove
#configure the JDK
RUN sed -i 's|#networkaddress.cache.ttl=-1|networkaddress.cache.ttl=10|' /usr/lib/jvm/java-8-openjdk-amd64/jre/lib/security/java.security