[FOLIO-3904] Rebuild jenkins-slave-docker fixing curl CVEs Created: 06/Oct/23  Updated: 18/Oct/23  Resolved: 18/Oct/23

Status: Closed
Project: FOLIO
Components: Continuous Integration
Affects versions: None
Fix versions: None

Type: Task Priority: P2
Reporter: Julian Ladisch Assignee: David Crossley
Resolution: Done Votes: 0
Labels: security, security-reviewed
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original estimate: Not Specified

Sprint: DevOps Requests
Development Team: FOLIO DevOps
RCA Group: TBD

Description

https://github.com/folio-org/folio-tools/blob/master/jenkins-slave-docker/Dockerfile.jammy-java-11 and
https://github.com/folio-org/folio-tools/blob/master/jenkins-slave-docker/Dockerfile.jammy-java-17
use the vulnerable 7.81.0-1ubuntu1.13 version of curl/libcurl.
This version has two security vulnerabilities (CVE-2023-38545, CVE-2023-38546), one of them of high severity:
https://github.com/curl/curl/discussions/12026

Ubuntu will release a fixed version on October 11, 2023.
Please check https://packages.ubuntu.com/search?suite=jammy-updates&section=all&arch=any&keywords=curl&searchon=names

If you see that the fixed version is available please rebuild FOLIO's two jenkins-slave-docker containers. No change to the Dockerfiles is needed because they automatically run "apt-get upgrade" at build time.
 



Comments
Comment by David Crossley [ 13/Oct/23 ]

I am away on holidays. Back Tuesday my time. No promises.

Comment by David Crossley [ 18/Oct/23 ]

The new images are built, tested, and pushed as:
"folioci/jenkins-slave-all:java-17" and "3.0.11".
"folioci/jenkins-slave-all:java-11" and "2.10.11".

Generated at Thu Feb 08 23:31:38 UTC 2024 using Jira 1001.0.0-SNAPSHOT#100246-sha1:7a5c50119eb0633d306e14180817ddef5e80c75d.