From: Timo Tietavainen
Date: Fri, 4 Jun 2021 19:08:55 +0000 (+0300)
Subject: Fix security issues in DBAAS docker image
X-Git-Tag: 0.5.2^0
X-Git-Url: https://gerrit.o-ran-sc.org/r/gitweb?a=commitdiff_plain;h=1194d3a6f576ae4c998abec2e7dce968fa56a481;p=ric-plt%2Fdbaas.git

Fix security issues in DBAAS docker image

An Anchore scan reported some security issues, reported as CVEs, to exist in
the DBAAS base Docker image, Alpine 3.11. To fix the issues, update these
packages in the DBAAS image on top of Alpine 3.11:

    openssl (fixed in: 1.1.1k-r0)(CVE-2021-3449)
    openssl (fixed in: 1.1.1k-r0)(CVE-2021-3450)
    libssl1.1 (fixed in: 1.1.1k-r0)(CVE-2021-3449)
    libssl1.1 (fixed in: 1.1.1k-r0)(CVE-2021-3450)
    libcrypto1.1 (fixed in: 1.1.1k-r0)(CVE-2021-3449)
    libcrypto1.1 (fixed in: 1.1.1k-r0)(CVE-2021-3450)
    musl-utils (fixed in: 1.1.24-r3)(CVE-2020-28928)
    ssl_client (fixed in: 1.31.1-r10)(CVE-2021-28831)
    busybox (fixed in: 1.31.1-r10)(CVE-2021-28831)

Remove the install of the curl package, which does not seem to be mandatory
for DBAAS operations. This also minimizes possible security issues with curl
in the future.

Issue-ID: RIC-794
Signed-off-by: Timo Tietavainen
Change-Id: I70d847f6438397d1f81bb3d6eb51e0c6f4dc2a57

--- diff --git a/container-tag.yaml b/container-tag.yaml index e5de87a..8b64fad 100644 --- a/container-tag.yaml +++ b/container-tag.yaml @@ -2,4 +2,4 @@ # This file is expected to be in the docker build directory; # can be moved with suitable JJB configuration. --- -tag: '0.5.1' +tag: '0.5.2' diff --git a/docker/Dockerfile.redis b/docker/Dockerfile.redis index 1e2ffa8..50ffeea 100644 --- a/docker/Dockerfile.redis +++ b/docker/Dockerfile.redis 
@@ -73,7 +73,7 @@ RUN ./autogen.sh && \ FROM redis:5.0.9-alpine3.11 as build -RUN apk add --upgrade openssl -RUN apk add curl +RUN apk --update add --upgrade --no-cache openssl ssl_client musl-utils busybox + COPY --from=build-env /usr/local/libexec/redismodule/libredismodule.so /usr/local/libexec/redismodule/libredismodule.so WORKDIR /data diff --git a/docs/release-notes.rst b/docs/release-notes.rst index 00cb3e2..37ecb2d 100644 --- a/docs/release-notes.rst +++ b/docs/release-notes.rst @@ -30,6 +30,10 @@ This document provides the release notes of the dbaas. Version history --------------- +[0.5.2] - 2021-06-04 + +* Upgrade packages to fix possible security vulnerability reported in Alpine base image. + [0.5.1] - 2021-02-25 * Upgrade SSL version to 1.1.1j-r0 to fix possible SSL security vulnerability.
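
Review bot: In docker/Dockerfile.redis, the added "RUN apk --update add --upgrade --no-cache openssl ssl_client musl-utils busybox" line names no versions and omits libssl1.1 and libcrypto1.1, so the build does not itself enforce the fixed versions listed in the commit message (1.1.1k-r0, 1.31.1-r10, 1.1.24-r3); it takes whatever the Alpine 3.11 repository serves at build time. Consider adding version constraints, for example "openssl>=1.1.1k-r0 libssl1.1>=1.1.1k-r0 libcrypto1.1>=1.1.1k-r0", and likewise for ssl_client, busybox and musl-utils, so the build fails instead of silently shipping an older package. "--update" is also redundant next to "--no-cache", which already fetches a fresh index.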
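
Review bot: In docs/release-notes.rst, the new [0.5.2] entry does not mention that curl is no longer installed in the image, although the Dockerfile.redis hunk drops "RUN apk add curl" and the commit message calls it out. Anyone who relied on curl inside the container (the patch does not show whether anything does) would only find out at runtime; add a bullet such as "Remove curl package from the image", and consider naming the upgraded packages or CVEs, as the [0.5.1] entry names its SSL version.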