From 1194d3a6f576ae4c998abec2e7dce968fa56a481 Mon Sep 17 00:00:00 2001 From: Timo Tietavainen Date: Fri, 4 Jun 2021 22:08:55 +0300 Subject: [PATCH] Fix security issues in DBAAS docker image Anchore scan reported some security issues reported at CVE to exist in DBAAS base Docker image, Alpine 3.11. To fix the issues update these packages to DBAAS image on top of the Alpine 3.11: openssl (fixed in: 1.1.1k-r0)(CVE-2021-3449) openssl (fixed in: 1.1.1k-r0)(CVE-2021-3450) libssl1.1 (fixed in: 1.1.1k-r0)(CVE-2021-3449) libssl1.1 (fixed in: 1.1.1k-r0)(CVE-2021-3450) libcrypto1.1 (fixed in: 1.1.1k-r0)(CVE-2021-3449) libcrypto1.1 (fixed in: 1.1.1k-r0)(CVE-2021-3450) musl-utils (fixed in: 1.1.24-r3)(CVE-2020-28928) ssl_client (fixed in: 1.31.1-r10)(CVE-2021-28831) busybox (fixed in: 1.31.1-r10)(CVE-2021-28831) Remove the install of the curl package what does not seem to be mandatory for DBAAS operations to exists. This also minimize possible security issues with curl in the future. Issue-ID: RIC-794 Signed-off-by: Timo Tietavainen Change-Id: I70d847f6438397d1f81bb3d6eb51e0c6f4dc2a57 --- container-tag.yaml | 2 +- docker/Dockerfile.redis | 4 ++-- docs/release-notes.rst | 4 ++++ 3 files changed, 7 insertions(+), 3 deletions(-) diff --git a/container-tag.yaml b/container-tag.yaml index e5de87a..8b64fad 100644 --- a/container-tag.yaml +++ b/container-tag.yaml @@ -2,4 +2,4 @@ # This file is expected to be in the docker build directory; # can be moved with suitable JJB configuration. --- -tag: '0.5.1' +tag: '0.5.2' diff --git a/docker/Dockerfile.redis b/docker/Dockerfile.redis index 1e2ffa8..50ffeea 100644 --- a/docker/Dockerfile.redis +++ b/docker/Dockerfile.redis 
@@ -73,7 +73,7 @@ RUN ./autogen.sh && \ FROM redis:5.0.9-alpine3.11 as build -RUN apk add --upgrade openssl -RUN apk add curl +RUN apk --update add --upgrade --no-cache openssl ssl_client musl-utils busybox + COPY --from=build-env /usr/local/libexec/redismodule/libredismodule.so /usr/local/libexec/redismodule/libredismodule.so WORKDIR /data diff --git a/docs/release-notes.rst b/docs/release-notes.rst index 00cb3e2..37ecb2d 100644 --- a/docs/release-notes.rst +++ b/docs/release-notes.rst @@ -30,6 +30,10 @@ This document provides the release notes of the dbaas. Version history --------------- +[0.5.2] - 2021-06-04 + +* Upgrade packages to fix possible security vulnerability reported in Alpine base image. + [0.5.1] - 2021-02-25 * Upgrade SSL version to 1.1.1j-r0 to fix possible SSL security vulnerability. -- 2.16.6
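Review bot: In docker/Dockerfile.redis, the new `RUN apk --update add --upgrade --no-cache openssl ssl_client musl-utils busybox` line does not name libssl1.1 or libcrypto1.1, although the commit message lists both as needing 1.1.1k-r0, and nothing in the build verifies that the fixed versions were reached. Either add the two library packages to the list or confirm that they are upgraded along with openssl. Because no versions are pinned, a later rebuild against a different package index can produce a different result, so consider a build step that fails when the installed versions are older than the ones listed in the commit message. `--update` is redundant next to `--no-cache`, which already fetches a fresh index without storing it. Since `RUN apk add curl` is dropped, please also confirm that no health check or script shipped in the image still calls curl.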
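Review bot: In docs/release-notes.rst, the new [0.5.2] entry says only "possible security vulnerability", which does not tell a reader which packages changed or which CVEs are addressed. The 0.5.1 entry below it names the SSL version, so for consistency list the upgraded packages (openssl, ssl_client, musl-utils, busybox) and the CVE ids from the commit message, use the plural "vulnerabilities", and mention that curl was removed from the image, since that is a user-visible change for anyone who execs into the container.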