diff --git a/build/Dockerfile b/build/Dockerfile index 59c4cf5bd7..20f2cda2a4 100644 --- a/build/Dockerfile +++ b/build/Dockerfile @@ -16,8 +16,8 @@ FROM nginx:1.23.0 AS debian RUN --mount=type=bind,from=opentracing-lib,target=/tmp/ot/ \ apt-get update \ && apt-get install --no-install-recommends --no-install-suggests -y libcap2-bin \ - # temp fix for CVE-2022-2068 - && apt-get install --no-install-recommends --no-install-suggests -y libssl1.1 openssl \ + # temp fix for CVE-2022-2068, CVE-2021-4209, CVE-2022-34903, CVE-2022-27404 + && apt-get install --no-install-recommends --no-install-suggests -y libssl1.1 openssl libgnutls30 gpgv libfreetype6 \ && rm -rf /var/lib/apt/lists/* \ && cp -av /tmp/ot/usr/local/lib/libopentracing.so* /tmp/ot/usr/local/lib/libjaegertracing*so* /tmp/ot/usr/local/lib/libzipkin*so* /tmp/ot/usr/local/lib/libdd*so* /tmp/ot/usr/local/lib/libyaml*so* /usr/local/lib/ \ && cp -av /tmp/ot/usr/lib/nginx/modules/ngx_http_opentracing_module.so /usr/lib/nginx/modules/ \ @@ -31,8 +31,8 @@ FROM docker.io/library/nginx:1.23.0-alpine AS alpine RUN --mount=type=bind,from=alpine-opentracing-lib,target=/tmp/ot/ \ apk add --no-cache libcap libstdc++ \ - # temp fix for CVE-2022-27405, CVE-2022-1586 - && apk upgrade --no-cache freetype pcre2 \ + # temp fix for CVE-2022-27405, CVE-2022-1586, CVE-2022-32205, CVE-2022-2097, CVE-2022-32205, CVE-2022-2097 + && apk upgrade --no-cache freetype pcre2 curl libcrypto1.1 libcurl libssl1.1 \ && cp -av /tmp/ot/usr/local/lib/libopentracing.so* /tmp/ot/usr/local/lib/libjaegertracing*so* /tmp/ot/usr/local/lib/libzipkin*so* /tmp/ot/usr/local/lib/libdd*so* /tmp/ot/usr/local/lib/libyaml*so* /usr/local/lib/ \ && cp -av /tmp/ot/usr/lib/nginx/modules/ngx_http_opentracing_module.so /usr/lib/nginx/modules/ \ && ldconfig /usr/local/lib/ @@ -45,7 +45,9 @@ ARG NGINX_PLUS_VERSION RUN --mount=type=secret,id=nginx-repo.crt,dst=/etc/apk/cert.pem,mode=0644 \ --mount=type=secret,id=nginx-repo.key,dst=/etc/apk/cert.key,mode=0644 \ --mount=type=bind,from=alpine-opentracing-lib,target=/tmp/ot/ \ - wget -nv -O /etc/apk/keys/nginx_signing.rsa.pub https://cs.nginx.com/static/keys/nginx_signing.rsa.pub \ + # temp fix for CVE-2022-2097 + apk upgrade --no-cache libcrypto1.1 libssl1.1 \ + && wget -nv -O /etc/apk/keys/nginx_signing.rsa.pub https://cs.nginx.com/static/keys/nginx_signing.rsa.pub \ && printf "%s\n" "https://pkgs.nginx.com/plus/${NGINX_PLUS_VERSION}/alpine/v$(grep -E -o '^[0-9]+\.[0-9]+' /etc/alpine-release)/main" >> /etc/apk/repositories \ && apk add --no-cache libcap nginx-plus nginx-plus-module-njs nginx-plus-module-opentracing libcurl \ && cp -av /tmp/ot/usr/local/lib/libjaegertracing*so* /tmp/ot/usr/local/lib/libzipkin*so* /tmp/ot/usr/local/lib/libdd*so* /tmp/ot/usr/local/lib/libyaml*so* /usr/local/lib/ \ @@ -64,8 +66,8 @@ RUN --mount=type=secret,id=nginx-repo.crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode --mount=type=bind,from=opentracing-lib,target=/tmp/ot/ \ apt-get update \ && apt-get install --no-install-recommends --no-install-suggests -y ca-certificates gnupg curl apt-transport-https libcap2-bin \ - # temp fix for CVE-2022-2068 - && apt-get install --no-install-recommends --no-install-suggests -y libssl1.1 openssl \ + # temp fix for CVE-2022-2068, CVE-2021-4209 + && apt-get install --no-install-recommends --no-install-suggests -y libssl1.1 openssl libgnutls30 \ && curl -fsSL https://cs.nginx.com/static/keys/nginx_signing.key | gpg --dearmor > /etc/apt/trusted.gpg.d/nginx_signing.gpg \ && curl -fsSL -o /etc/apt/apt.conf.d/90pkgs-nginx https://cs.nginx.com/static/files/90pkgs-nginx \ && DEBIAN_VERSION=$(awk -F '=' '/^VERSION_CODENAME=/ {print $2}' /etc/os-release) \ @@ -127,8 +129,8 @@ LABEL name="NGINX Ingress Controller" \ io.openshift.tags="nginx,ingress-controller,ingress,controller,kubernetes,openshift" RUN dnf --nodocs install -y shadow-utils ca-certificates \ - # temp fix for CVE-2022-1271 - && dnf --nodocs upgrade -y xz-libs \ + # temp fix for CVE-2022-1271, CVE-2022-22576, CVE-2022-25313, CVE-2022-22576, CVE-2021-40528, CVE-2021-3634, CVE-2022-29824, CVE-2021-4189, CVE-2021-4189, CVE-2022-29824, CVE-2022-1621 + && dnf --nodocs upgrade -y xz-libs curl expat libcurl libgcrypt libssh libssh-config libxml2 platform-python python3-libs python3-libxml2 vim-minimal \ && groupadd --system --gid 101 nginx \ && useradd --system --gid nginx --no-create-home --home-dir /nonexistent --comment "nginx user" --shell /bin/false --uid 101 nginx