2022-04-21
Release Notes / Changelog
Summary
The following container image updates have been made to remediate security concerns identified via vulnerability scanning and documented here.
VCS
Update container base image; cherry-pick v2.3.1 commit to fix jib plugin
- The adoptopenjdk package was marked deprecated in 08/2021; eclipse-temurin is the recommended replacement per its README.
- jdk8u322-b06 was released 08 MAR 2022, which should include the latest security updates flagged by the Ruvos security audit.
- Also includes an update to the jib plugin to support base image declaration from pom.xml, previously included in v2.3.1 but never released upstream.
DSS
Add wget for probes
Adding the missing wget package returns the probes to normal working order without further changes to the base image, so no additional modification is required on the HLN or Ruvos side for normal container operation.
Remove ambiguous argument to adduser
The command '/bin/sh -c adduser -u 1000 -D appuser && rm -rf /usr/local/tomcat/webapps/docs /usr/local/tomcat/webapps/ROOT /usr/local/tomcat/webapps/examples /usr/local/tomcat/webapps/host-manager /usr/local/tomcat/webapps/manager && mkdir -p /home/appuser/.opencds /home/appuser/.opencds-test /home/appuser/opencds-rckms-data/resources /home/appuser/opencds-rckms-data-test/resources /home/appuser/opencds-logs /home/appuser/opencds-logs-test' returned a non-zero code: 1
Option d is ambiguous (debug, disabled-login, disabled-password)
Per the [adduser manpage](https://linux.die.net/man/8/adduser), it appears the option only applied system defaults, which has since become the default behavior, so the flag was dropped. The ambiguity itself is a side effect of the base image change: the BusyBox adduser in the old Alpine image takes single-letter flags, and -D there means create the user without a password, whereas the Debian-style adduser in the new image accepts long options and reads -D as an abbreviation matching --debug, --disabled-login and --disabled-password (hence the error). If the account must stay password-less, that intent can be spelled out with --disabled-password, which is unambiguous on the new image.
Update container base image
- tomcat:9-jre8-alpine was last updated 15 MAY 2019 and contained Java 8u212.
- tomcat:9-jre8-temurin was released 06 APR 2022, containing Java jdk8u322-b06, which should include the latest security updates to resolve those flagged by the Ruvos security audit.
- Pinning to this new image ensures we will receive future security updates, so long as this tag remains updated. Note that a moving tag only delivers those updates when the image is rebuilt, and it gives no reproducibility between builds; where reproducible builds matter, pin the image digest as well and bump it deliberately.
DSS-PFC
Update Dockerfile for AWS deployments
Reviewing the aws-cli@v2 changelog, I don't see any S3-related breaking changes, so we'll use the latest image available, 2.5.7, which should include fixes for the sole vulnerability raised.
MTS
Remove/update binaries without breaking Java
Safe to apt remove:
- bzip2
- python
Upgraded to */stable instead of being removed. Each installed version is greater than the vulnerable version noted in the Ruvos vulnerability report spreadsheet (shown in parentheses):
- libpng16-16:[email protected] (report: 1.6.28-1+deb9u1)
- libsndfile1:[email protected] (report: 1.0.27-3)
- libsqlite3-0:[email protected] (report: 3.16.2-5+deb9u3)
- [email protected]+deb11u1 (report: 2.29.2-1+deb9u1)
Sustained as upgrade to */stable (performed in a prior commit), again greater than the version noted in the Ruvos vulnerability report spreadsheet (shown in parentheses):
- [email protected]+deb11u3 (report: 2.28-10+deb10u1)
- libc6:[email protected]+deb11u3 (report: 2.28-10+deb10u1)
- libc6-dev:[email protected]+deb11u3 (report: 2.28-10+deb10u1)
Update packages available with bullseye distro prior to install
The command '/bin/sh -c echo "deb http://deb.debian.org/debian bullseye main non-free contrib" >> /etc/apt/sources.list && apt -qq -y install libc6/stable libc6-dev/stable libc-dev-bin/stable' returned a non-zero code: 100
E: Release 'stable' for 'libc-dev-bin' was not found
E: Release 'stable' for 'libc6-dev' was not found
E: Release 'stable' for 'libc6' was not found
Appending the bullseye line to /etc/apt/sources.list does not refresh the package index, so at install time apt still knows no release called 'stable'; an apt update between the two steps fetches the bullseye index and lets the pkg/stable selectors resolve. Note that pulling libc6 from bullseye into a buster-based image is a partial upgrade and may bring additional bullseye dependencies with it, so verify that the image starts and the Java runtime still works after the build; moving the whole base image to bullseye is the cleaner long-term fix.
CAT-RCKMS
Update bootstrap to 3.4 due to 3.3 XSS vulnerability
Bill of Materials
| Component | Shortname | SHA1 | Tag | Last updated |
| --- | --- | --- | --- | --- |