2022-04-21
Last updated
The following container image updates have been made to remediate security concerns identified via vulnerability scanning and documented in the Ruvos vulnerability report spreadsheet.
- The adoptopenjdk image was marked deprecated in 08/2021; eclipse-temurin is the recommended replacement per its README.
- jdk8u322-b06 was released 08 MAR 2022 and should include the latest security updates flagged by the Ruvos security audit.
- Also includes an update to the jib plugin to support base image declaration from pom.xml, previously included in v2.3.1 but never released upstream.
- To limit the impact of changing the container base image, adding the missing wget package returns the probes to normal working order without requiring any further modification on the HLN or Ruvos side for normal container operation.
Build error after switching the base image:
The command '/bin/sh -c adduser -u 1000 -D appuser && rm -rf /usr/local/tomcat/webapps/docs /usr/local/tomcat/webapps/ROOT /usr/local/tomcat/webapps/examples /usr/local/tomcat/webapps/host-manager /usr/local/tomcat/webapps/manager && mkdir -p /home/appuser/.opencds /home/appuser/.opencds-test /home/appuser/opencds-rckms-data/resources /home/appuser/opencds-rckms-data-test/resources /home/appuser/opencds-logs /home/appuser/opencds-logs-test' returned a non-zero code: 1
Option d is ambiguous (debug, disabled-login, disabled-password)
Per the adduser manpage (https://linux.die.net/man/8/adduser), it appears -D was just applying system defaults, which has since been updated to be the default behavior. The underlying cause is that the Alpine image's adduser is the BusyBox applet, where -D means "don't assign a password", while the Debian/Ubuntu adduser that produced this message takes long options (--disabled-password, --disabled-login, --debug) and treats a lone -D as an ambiguous abbreviation, so the flag has to be spelled out (or dropped) on the new base.
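A portable fix for this error, as an added example that is not code from the original page or from the project's own Dockerfiles: a small shell helper that emits the correct adduser invocation for the BusyBox (Alpine) and Debian/Ubuntu flavours and runs it. The UID 1000 and the user name appuser come from the failing RUN line; the detection heuristic (looking for the BusyBox banner in adduser --help) and the script name mkuser.sh are assumptions.

```shell
#!/bin/sh
# Added example: choose an adduser invocation that works on both BusyBox (Alpine)
# and Debian/Ubuntu base images. On BusyBox, -D means "don't assign a password";
# on Debian/Ubuntu, adduser takes long options and a lone -D is ambiguous, so
# spell out --disabled-password and pass --gecos "" to suppress the prompts.

# adduser_cmd FLAVOR UID NAME: print the invocation for FLAVOR (busybox|debian).
adduser_cmd() {
  case "$1" in
    busybox) printf 'adduser -u %s -D %s\n' "$2" "$3" ;;
    debian)  printf 'adduser --uid %s --disabled-password --gecos "" %s\n' "$2" "$3" ;;
    *)       echo "adduser_cmd: unknown flavor '$1'" >&2; return 1 ;;
  esac
}

# detect_adduser_flavor: BusyBox applets start their usage text with a
# "BusyBox v..." banner; the Debian/Ubuntu adduser does not. (Heuristic, assumed.)
detect_adduser_flavor() {
  if adduser --help 2>&1 | grep -q '^BusyBox'; then
    echo busybox
  elif command -v adduser >/dev/null 2>&1; then
    echo debian
  else
    echo none
  fi
}

# create_appuser UID NAME: create the unprivileged service user on whichever
# base image this runs on. Meant for a Dockerfile RUN step, so it needs root.
create_appuser() {
  flavor=$(detect_adduser_flavor)
  if [ "$flavor" = none ]; then
    echo "create_appuser: no adduser available" >&2
    return 1
  fi
  cmd=$(adduser_cmd "$flavor" "$1" "$2") || return 1
  echo "+ $cmd"
  eval "$cmd"
}

# Dockerfile usage (assumed layout: this file copied in as /usr/local/bin/mkuser.sh):
#   COPY mkuser.sh /usr/local/bin/mkuser.sh
#   RUN sh /usr/local/bin/mkuser.sh 1000 appuser
# Only create the user when invoked with exactly UID and NAME.
if [ "$#" -eq 2 ]; then
  create_appuser "$1" "$2"
fi
```

On Debian/Ubuntu useradd from the shadow suite is the other non-interactive option (useradd -u 1000 -m appuser), but it is not present on Alpine unless the shadow package is installed, which is why the helper stays with adduser on both sides.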
- tomcat:9-jre8-alpine was last updated 15 MAY 2019 and contained Java 8u212.
- tomcat:9-jre8-temurin was released 06 APR 2022 and contains Java jdk8u322-b06, which should include the latest security updates to resolve those flagged by the Ruvos security audit.
- Pinning to this new image ensures we will receive future security updates, so long as this tag remains updated. A tag pin is not reproducible, though: the same tag can resolve to a different image after the next upstream rebuild, so record the digest at build time (docker inspect --format '{{index .RepoDigests 0}}' tomcat:9-jre8-temurin) to know exactly which image a given build used.
- apt remove: bzip2, python
- apt install */stable instead of removing:
  - libpng16-16:amd64@1.6.37-3, which is greater than 1.6.28-1+deb9u1 as noted in the Ruvos vulnerability report spreadsheet
  - libsndfile1:amd64@1.0.31-2, which is greater than 1.0.27-3 as noted in the Ruvos vulnerability report spreadsheet
  - libsqlite3-0:amd64@3.34.1-3, which is greater than 3.16.2-5+deb9u3 as noted in the Ruvos vulnerability report spreadsheet
  - util-linux@2.36.1-8+deb11u1, which is greater than 2.29.2-1+deb9u1 as noted in the Ruvos vulnerability report spreadsheet
- apt install */stable (performed in a prior commit):
  - libc-bin@2.31-13+deb11u3, which is greater than 2.28-10+deb10u1 as noted in the Ruvos vulnerability report spreadsheet
  - libc6:amd64@2.31-13+deb11u3, which is greater than 2.28-10+deb10u1 as noted in the Ruvos vulnerability report spreadsheet
  - libc6-dev:amd64@2.31-13+deb11u3, which is greater than 2.28-10+deb10u1 as noted in the Ruvos vulnerability report spreadsheet
Build error encountered while installing from bullseye:
The command '/bin/sh -c echo "deb http://deb.debian.org/debian bullseye main non-free contrib" >> /etc/apt/sources.list && apt -qq -y install libc6/stable libc6-dev/stable libc-dev-bin/stable' returned a non-zero code: 100
E: Release 'stable' for 'libc-dev-bin' was not found
E: Release 'stable' for 'libc6-dev' was not found
E: Release 'stable' for 'libc6' was not found
The pkg/release form only matches the Suite or Codename of a release apt already holds an index for, and apt learns about the newly appended bullseye source only after apt-get update; the RUN line above appends the source and installs in one step without refreshing, so no release named stable is known yet. Running apt-get update between the two steps (and selecting by codename, libc6/bullseye, which stays valid after bullseye stops being stable) resolves it. Pulling glibc from a newer release into an older base also mixes Debian releases, which Debian warns against, so the more durable fix is to move the base image to bullseye itself.
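A post-build check for the two upgrades above (the Temurin runtime and the apt package levels), as an added example rather than anything from the original page or the project's repositories: it compares dpkg-query and java -version output against the minimum versions quoted from the spreadsheet. The sample data is constructed, libc-bin is deliberately left at a pre-update (stretch) version to show a failure being reported, and the sort -V fallback is an assumption that only applies where dpkg is unavailable.

```shell
#!/bin/sh
# Added example: verify that a rebuilt image actually carries the package and JDK
# levels the remediation claims. The inputs below are constructed samples; to
# check a real image, run this inside it and feed it the live output of
#   dpkg-query -W -f '${Package}:${Architecture} ${Version}\n'
#   java -version 2>&1

# Constructed dpkg-query sample. libc-bin is deliberately left at an old version.
INSTALLED='libpng16-16:amd64 1.6.37-3
libsndfile1:amd64 1.0.31-2
libsqlite3-0:amd64 3.34.1-3
util-linux:amd64 2.36.1-8+deb11u1
libc6:amd64 2.31-13+deb11u3
libc6-dev:amd64 2.31-13+deb11u3
libc-bin:amd64 2.24-11+deb9u4'

# Minimum fixed versions, as listed in the Ruvos vulnerability report spreadsheet.
REQUIRED='libpng16-16 1.6.28-1+deb9u1
libsndfile1 1.0.27-3
libsqlite3-0 3.16.2-5+deb9u3
util-linux 2.29.2-1+deb9u1
libc6 2.28-10+deb10u1
libc6-dev 2.28-10+deb10u1
libc-bin 2.28-10+deb10u1'

# Constructed `java -version 2>&1` output from a Temurin 8u322 image.
JAVA_VERSION_OUTPUT='openjdk version "1.8.0_322"
OpenJDK Runtime Environment (Temurin)(build 1.8.0_322-b06)
OpenJDK 64-Bit Server VM (Temurin)(build 25.322-b06, mixed mode)'

# version_ge A B: true if Debian version A >= B. Uses dpkg's comparator when
# present; the sort -V fallback is an assumption that ignores epochs and '~'.
version_ge() {
  if command -v dpkg >/dev/null 2>&1; then
    dpkg --compare-versions "$1" ge "$2"
  else
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | tail -n 1)" = "$1" ]
  fi
}

# installed_version NAME: print the installed version of NAME (any arch), or nothing.
installed_version() {
  printf '%s\n' "$INSTALLED" | awk -v p="$1" '{ split($1, f, ":"); if (f[1] == p) { print $2; exit } }'
}

# failing_packages: print the names of installed packages still below their minimum.
failing_packages() {
  printf '%s\n' "$REQUIRED" | while read -r name minver; do
    v=$(installed_version "$name")
    [ -z "$v" ] && continue            # not installed (e.g. removed): nothing to fix
    version_ge "$v" "$minver" || echo "$name"
  done
}

# java8_update_level TEXT: extract the 8u update number (e.g. 322) from java -version output.
java8_update_level() {
  printf '%s\n' "$1" | sed -n 's/^openjdk version "1\.8\.0_\([0-9]*\)".*/\1/p'
}

# jdk_at_least TEXT MIN: true if TEXT reports Java 8 at update level >= MIN.
jdk_at_least() {
  lvl=$(java8_update_level "$1")
  [ -n "$lvl" ] && [ "$lvl" -ge "$2" ]
}

# main: report every shortfall; exit status 1 if anything is still vulnerable.
main() {
  rc=0
  for p in $(failing_packages); do
    echo "FAIL: $p is below its fixed version ($(installed_version "$p"))"
    rc=1
  done
  if jdk_at_least "$JAVA_VERSION_OUTPUT" 322; then
    echo "OK: Java 8u$(java8_update_level "$JAVA_VERSION_OUTPUT")"
  else
    echo "FAIL: Java runtime is older than 8u322"
    rc=1
  fi
  return $rc
}

# Run the report only when invoked as: sh check.sh --run
if [ "${1:-}" = "--run" ]; then
  main
fi
```

With the sample data the report flags libc-bin only; the python and bzip2 removals show up as "not installed" and are skipped rather than failed, which is the right outcome for a package that was removed instead of upgraded.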
Update Bootstrap from 3.3 to 3.4 due to the XSS vulnerability in 3.3. Pin 3.4.1, the final 3.x release, rather than 3.4.0; it carries a further XSS fix in tooltip/popover sanitization.
| Component | Shortname | SHA1 | Tag |
|---|---|---|---|
| | CAT | 96c8f57 | |
| | DSUS | 29b5d30 | |
| | DSS | 70240ca | |
| dss-preflight-container | DSS-PFC | 7b929b3 | |
| | MTS | a7ce889 | |
| | OUS | 3525806 | |
| | RRS | f11c8be | |
| | RGS | 463fd9d | |
| | SS | 774f4fb | |
| | SSCS | 2736989 | |
| | VCS | bdc5ff7 | |
Reviewing aws-cli@v2, I don't see any s3-related breaking changes, so we'll use the latest image available, 2.5.7, which should include fixes for the sole vulnerability raised.