From f44b629a8a12a53bac7ef103cd88c4ffaefee95c Mon Sep 17 00:00:00 2001 From: Gary Wu Date: Thu, 26 Apr 2018 11:17:08 -0700 Subject: Fix library CVEs in sdc-workflow-designer Address additional CVEs in systme libraries. Remove explicit version numbers because those versions could get removed from the ubuntu repos, which will cause build failures. Instead, upgrade to the latest available versions. Change-Id: I02c28bfa64f12ca55ec6e731cf1056b4aa934765 Issue-ID: SDC-1201 Signed-off-by: Gary Wu (cherry picked from commit b633d8594d1e2f68fce40c59b87780110e8694e1)
---
 distribution/src/main/docker/Dockerfile | 66 ++++++++++++++++++++++----------- 1 file changed, 45 insertions(+), 21 deletions(-) (limited to 'distribution/src/main')
diff --git a/distribution/src/main/docker/Dockerfile b/distribution/src/main/docker/Dockerfile
index ebae7b13..bd28c615 100644
--- a/distribution/src/main/docker/Dockerfile
+++ b/distribution/src/main/docker/Dockerfile
@@ -12,15 +12,14 @@ RUN apt-get install -y openjdk-8-jdk
 RUN apt-get -y upgrade
-# Install specific system libraries to fix CVE vulnerabilities
-RUN echo "deb http://archive.ubuntu.com/ubuntu/ artful main restricted" >> /etc/apt/sources.list && \
- echo "deb http://security.ubuntu.com/ubuntu/ artful-security main restricted" >> /etc/apt/sources.list && \
- echo "deb http://archive.ubuntu.com/ubuntu/ bionic main restricted" >> /etc/apt/sources.list && \
+# Upgrade specific system libraries to fix CVE vulnerabilities
+RUN echo "deb http://archive.ubuntu.com/ubuntu/ bionic main restricted" >> /etc/apt/sources.list && \
+ echo "deb http://security.ubuntu.com/ubuntu/ bionic-security main restricted" >> /etc/apt/sources.list && \
 apt-get -y update
 # krb5 1.16-2build1
 # For CVE-2017-15088 CVE-2017-11462
-# libvorbis 1.3.5-4ubuntu0.2
+# libvorbis 1.3.5-4.2
 # For CVE-2017-14632 CVE-2017-14160
 # libx11 2:1.6.4-3
 # For CVE-2016-7943 CVE-2016-7942
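Review bot: The two new `echo ... >> /etc/apt/sources.list` lines append the bionic archive and bionic-security repos to whatever the base image already lists, so apt now resolves candidates across two Ubuntu releases; the FROM line is outside this hunk, but the removed artful entries suggest the base is not bionic, and with the version pins dropped the `--only-upgrade` in the next hunk can then pull a cross-release `libc6`/`multiarch-support`, which is the classic way to end up with a half-upgraded image. Moving to a base image tag whose release already carries the fixed packages is the predictable way to get these CVE fixes; if the mixed-release approach is kept, a comment such as `# NOTE: appends bionic repos to the base release's own list; re-check when the base image is bumped` on the RUN would make the trade-off visible to the next maintainer. The `apt-get -y update` also remains in this layer while the upgrade that depends on it lives in a separate RUN in the following hunk, so a cached first layer can feed stale package lists to the install.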
@@ -30,30 +29,55 @@ RUN echo "deb http://archive.ubuntu.com/ubuntu/ artful main restricted" >> /etc/
 # For CVE-2017-10685 CVE-2017-10684
 # libsqllite3-0 3.22.0-1
 # For CVE-2017-10989
-# libtiff5 4.0.8-5ubuntu0.1
+# libtiff5 4.0.9-5
 # For CVE-2017-9117 CVE-2016-9540 CVE-2016-9539 CVE-2016-9538 CVE-2016-9537 CVE-2016-9536 CVE-2016-9535 CVE-2016-9534 CVE-2016-9533 CVE-2015-8668 CVE-2015-7554 CVE-2016-6223 CVE-2017-5563 CVE-2016-3621 CVE-2016-8331
 # shadow 1:4.5-1ubuntu1
 # For CVE-2017-12424
-# perl-base 5.26.0-8ubuntu1.1
+# perl-base 5.26.1-6
 # For CVE-2015-8608 CVE-2017-12883
-# openssl 1.1.0g-2ubuntu3
+# openssl 1.1.0g-2ubuntu4
 # For CVE-2016-6303 CVE-2016-2182 CVE-2016-2177 CVE-2016-2176
 # zlib1g 1:1.2.11.dfsg-0ubuntu2
 # For CVE-2016-9843 CVE-2016-9841 CVE-2016-9842 CVE-2016-9840
+# libdb5.3
+# CVE-2016-3418 CVE-2016-0694 CVE-2016-0692 CVE-2016-0689 CVE-2016-0682
+# libcairo2
+# CVE-2017-9814
+# libc-bin libc6 multiarch-support
+# CVE-2018-6485
+# libgtk2.0-0 libgtk2.0-bin libgtk2.0-common
+# CVE-2014-1949
+# libgcrypt20
+# CVE-2017-0379
+# libxi6
+# CVE-2016-7946 CVE-2016-7945
+# libxml2
+# CVE-2016-9318
+# libpcre3
+# CVE-2017-6004
-RUN apt-get -y install \
- libkrb5-3=1.16-2build1 krb5-locales=1.16-2build1 \
- libvorbis0a=1.3.5-4ubuntu0.2 \
- libx11-6=2:1.6.4-3 libx11-data=2:1.6.4-3 libx11-doc=2:1.6.4-3 libx11-xcb1=2:1.6.4-3 \
- libxtst6=2:1.2.3-1 \
- ncurses-base=6.1-1ubuntu1 ncurses-bin=6.1-1ubuntu1 libncurses5=6.1-1ubuntu1 libncursesw5=6.1-1ubuntu1 \
- libsqlite3-0=3.22.0-1 \
- libtiff5=4.0.8-5ubuntu0.1 \
- passwd=1:4.5-1ubuntu1 \
- perl-base=5.26.0-8ubuntu1.1 \
- openssl=1.1.0g-2ubuntu3 \
- zlib1g=1:1.2.11.dfsg-0ubuntu2
-
+RUN apt-get -y --only-upgrade install \
+ libkrb5-3 krb5-locales \
+ libvorbis0a \
+ libx11-6 libx11-data libx11-doc libx11-xcb1 \
+ libxtst6 \
+ ncurses-base ncurses-bin libncurses5 libncursesw5 \
+ libsqlite3-0 \
+ libtiff5 \
+ passwd \
+ perl-base \
+ libssl1.0.0 \
+ openssl \
+ zlib1g \
+ libdb5.3 \
+ libcairo2 \
+ libc-bin libc6 multiarch-support \
+ libgtk2.0-0 libgtk2.0-bin libgtk2.0-common \
+ libgcrypt20 \
+ libxi6 \
+ libxml2 \
+ libpcre3 && \
+ apt-get -y autoremove
 #configure the JDK
 RUN sed -i 's|#networkaddress.cache.ttl=-1|networkaddress.cache.ttl=10|' /usr/lib/jvm/java-8-openjdk-amd64/jre/lib/security/java.security
-- cgit 1.2.3-korg
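Review bot: The new `RUN apt-get -y --only-upgrade install ... && apt-get -y autoremove` leaves the package lists fetched by the earlier `apt-get -y update` baked into the image and runs in a different layer from that update, so a rebuild with the earlier layer cached upgrades against stale lists; ending the chain with `&& rm -rf /var/lib/apt/lists/*` and folding the `apt-get -y update` into this same RUN keeps the upgrade consistent and the layer smaller. `libssl1.0.0` is added to the install list but has no entry in the comment block above, unlike every other package; a line such as `# libssl1.0.0` with the CVEs it is meant to cover would keep the list and its rationale in step. Because the pins were removed, the versions still quoted in the comments (`4.0.9-5`, `5.26.1-6`, `1.1.0g-2ubuntu4`) are no longer what the build enforces, so a note like `# Versions below are those verified at the time of this change; apt installs the latest available` would stop them reading as guarantees.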