From ba7d66616c8bc9879434ed6b7fe6bb9ba471a1cd Mon Sep 17 00:00:00 2001 From: chenying83 Date: Mon, 23 Apr 2018 09:59:52 +0000 Subject: Fix library CVEs in SO Fix additional CVEs: Also refactored to use ubuntu apt repos instead of manually installing from launchpad. Issue-ID: SO-579 Change-Id: I58e29a7e0188452789741087bc9c4af82f102b09 Signed-off-by: chenying83 --- .../docker/docker-files/Dockerfile.mso-chef-final | 61 ++++++++++++++++++++-- 1 file changed, 57 insertions(+), 4 deletions(-) (limited to 'packages/docker') diff --git a/packages/docker/src/main/docker/docker-files/Dockerfile.mso-chef-final b/packages/docker/src/main/docker/docker-files/Dockerfile.mso-chef-final index 4b7bbaf776..771949fdfd 100644 --- a/packages/docker/src/main/docker/docker-files/Dockerfile.mso-chef-final +++ b/packages/docker/src/main/docker/docker-files/Dockerfile.mso-chef-final @@ -15,13 +15,67 @@ ENV https_proxy=$HTTPS_PROXY ENV CHEF_REPO_NAME="chef-repo" ENV CHEF_CONFIG_NAME="mso-config" -### Downloading dependencies +USER root +### Downloading dependencies +# Install specific system libraries to fix CVE vulnerabilities +RUN echo "deb http://archive.ubuntu.com/ubuntu/ artful main restricted" >> /etc/apt/sources.list && \ + echo "deb http://security.ubuntu.com/ubuntu/ artful-security main restricted" >> /etc/apt/sources.list && \ + echo "deb http://archive.ubuntu.com/ubuntu/ bionic main restricted" >> /etc/apt/sources.list && \ + apt-get -y update + +# krb5 1.16-2build1 +# For CVE-2017-15088 CVE-2017-11462 +# libvorbis 1.3.5-4ubuntu0.2 +# For CVE-2017-14632 CVE-2017-14160 +# libx11 2:1.6.4-3 +# For CVE-2016-7943 CVE-2016-7942 +# libxtst 1.2.3-1 +# For CVE-2016-7951 +# ncurses 6.1-1ubuntu1 +# For CVE-2017-10685 CVE-2017-10684 +# libsqllite3-0 3.22.0-1 +# For CVE-2017-10989 +# libtiff5 4.0.8-5ubuntu0.1 +# For CVE-2017-9117 CVE-2016-9540 CVE-2016-9539 CVE-2016-9538 CVE-2016-9537 CVE-2016-9536 CVE-2016-9535 CVE-2016-9534 CVE-2016-9533 CVE-2015-8668 CVE-2015-7554 CVE-2016-6223 CVE-2017-5563 CVE-2016-3621 CVE-2016-8331 +# shadow 1:4.5-1ubuntu1 +# For CVE-2017-12424 +# perl-base 5.26.0-8ubuntu1.1 +# For CVE-2015-8608 CVE-2017-12883 +# openssl 1.1.0g-2ubuntu3 +# For CVE-2016-6303 CVE-2016-2182 CVE-2016-2177 CVE-2016-2176 +# zlib1g 1:1.2.11.dfsg-0ubuntu2 +# For CVE-2016-9843 CVE-2016-9841 CVE-2016-9842 CVE-2016-9840 +# libexpat1 2.2.5-3 +# For CVE-2016-0718 CVE-2016-4472 +# libc-bin libc6 2.26-0ubuntu2.1 +# For CVE-2018-6485 +# openssl 1.1.0g-2ubuntu3 +# For CVE-2016-6303 CVE-2016-2182 CVE-2016-2177 +# libpcre3 2:8.39-5ubuntu3 +# For CVE-2016-3191 CVE-2016-1283 USER root -RUN apt-get install -y netcat curl && curl -LO https://packages.chef.io/stable/ubuntu/12.04/chefdk_0.17.17-1_amd64.deb && curl -LO http://central.maven.org/maven2/org/mariadb/jdbc/mariadb-java-client/1.5.4/mariadb-java-client-1.5.4.jar && apt-get remove --purge -y curl && apt-get autoremove -y +RUN apt-get -y install \ + libkrb5-3=1.16-2build1 krb5-locales=1.16-2build1 \ + libvorbis0a=1.3.5-4ubuntu0.2 \ + libx11-6=2:1.6.4-3 libx11-data=2:1.6.4-3 libx11-doc=2:1.6.4-3 libx11-xcb1=2:1.6.4-3 \ + libxtst6=2:1.2.3-1 \ + ncurses-base=6.1-1ubuntu1 ncurses-bin=6.1-1ubuntu1 libncurses5=6.1-1ubuntu1 libncursesw5=6.1-1ubuntu1 \ + libsqlite3-0=3.22.0-1 \ + libtiff5=4.0.8-5ubuntu0.1 \ + passwd=1:4.5-1ubuntu1 \ + perl-base=5.26.0-8ubuntu1.1 \ + zlib1g=1:1.2.11.dfsg-0ubuntu2 \ + libexpat1=2.2.5-3 \ + libc-bin=2.26-0ubuntu2.1 libc6=2.26-0ubuntu2.1 \ + openssl=1.1.0g-2ubuntu3 \ + libpcre3=2:8.39-5ubuntu3 + +RUN apt-get install -y netcat curl && curl -LO https://packages.chef.io/files/stable/chefdk/2.5.3/ubuntu/16.04/chefdk_2.5.3-1_amd64.deb && curl -LO http://central.maven.org/maven2/org/mariadb/jdbc/mariadb-java-client/1.5.4/mariadb-java-client-1.5.4.jar && apt-get remove --purge -y curl && apt-get autoremove -y ### Install Chef -RUN dpkg -i chefdk_0.17.17-1_amd64.deb +#RUN dpkg -i chefdk_0.17.17-1_amd64.deb +RUN dpkg -i chefdk_2.5.3-1_amd64.deb COPY scripts/start-jboss-server.sh /opt/mso/scripts/start-jboss-server.sh @@ -97,4 +151,3 @@ VOLUME /shared ### Start EAP USER root CMD ["/opt/mso/scripts/start-jboss-server.sh"] - -- cgit 1.2.3-korg