From 07747d0669c986c537310995d0552b5c117f6ebb Mon Sep 17 00:00:00 2001
From: "Mahadik, Mukul Chandrakant"
Date: Fri, 15 Dec 2023 18:38:12 -0700
Subject: [PATCH 1/2] Fixing latest Docker image vulnerabilities AWS Inspector found the following vulnerable packages: CRITICAL perl HIGH nghttp2, libnghttp2-14 cryptography, libssl3 cryptography libc6, libc-bin Upgraded perl, libssl3, nghttp2 packages by upgrading base Ubuntu image to latest of the same LTS version - jammy (22.04). Cryptography package was fixed by mentioning required version to be installed using conda. Libc6, Libc-bin can be fixed by using apt-get upgrade but this upgrades all packages which is not recommended as a blanket upgrade fix.
---
 .docker/setup_config.sh | 2 +-
 Dockerfile | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/.docker/setup_config.sh b/.docker/setup_config.sh
index 63f034406..a6005a12d 100644
--- a/.docker/setup_config.sh
+++ b/.docker/setup_config.sh
@@ -13,7 +13,7 @@ source setup/setup.sh
 ## 10/02 - Mukul
 ## - Above comments talk about manually updating cryptography to version 40
 ## - I have upgraded to 41.0.4 as per latest vulnerability fixes.
-conda install -c conda-forge cryptography=41.0.4 wheel=0.40.0
+conda install -c conda-forge cryptography=41.0.7 wheel=0.40.0
 ## Remove the old, unused packages to avoid tripping up the checker
 rm -rf /root/miniconda-23.1.0/pkgs/cryptography-38.0.4-py39h9ce1e76_0
diff --git a/Dockerfile b/Dockerfile
index 9ede21298..7899f5060 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,5 +1,5 @@
 # python 3
-FROM ubuntu:jammy-20231004
+FROM ubuntu:jammy-20231128
 MAINTAINER K. Shankari (shankari@eecs.berkeley.edu)
From c1b0889b50a3e2da8cc799f914010575c3f13326 Mon Sep 17 00:00:00 2001
From: "Mahadik, Mukul Chandrakant"
Date: Mon, 18 Dec 2023 11:04:25 -0700
Subject: [PATCH 2/2] Upgraded Ubuntu base image Latest Ubuntu base image was just released officially by Docker which contains updated version of libc6 and libc-bin.
---
 Dockerfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Dockerfile b/Dockerfile
index 7899f5060..7fa923ea0 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,5 +1,5 @@
 # python 3
-FROM ubuntu:jammy-20231128
+FROM ubuntu:jammy-20231211.1
 MAINTAINER K. Shankari (shankari@eecs.berkeley.edu)
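Review bot: The new `FROM ubuntu:jammy-20231211.1` line pins a dated tag but no digest, so nothing in the Dockerfile ties a later rebuild to the exact base image that the scanner cleared of the libc6/libc-bin findings. Because this series exists to resolve specific scanner results, I would record the digest of the image that was actually scanned, e.g. `FROM ubuntu:jammy-20231211.1@sha256:<digest-of-scanned-image>` (placeholder, take the value from the registry). A one-line comment above `FROM` naming the scan that motivated the tag would also tell the next maintainer when it is safe to bump. Only the first five lines of the Dockerfile are visible in this hunk, so whether later steps re-introduce the flagged packages cannot be judged from here.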