Merge pull request #1397 from caseydavenport/casey-cve-fixes

[release-v3.20] Include CVE fixes for gzip, cryptlibs
projectcalico · Jul 18, 2022 · d33bafc · d33bafc
2 parents d44cf93 + 3feac94
commit d33bafc
Show file tree

Hide file tree

Showing 2 changed files with 8 additions and 1 deletion.
diff --git a/Dockerfile.amd64 b/Dockerfile.amd64
@@ -111,6 +111,13 @@ COPY --from=centos  /tmp/admin/runit-${RUNIT_VER}/command/* /usr/local/bin/
 # Copy in our rpms
 COPY --from=centos  /root/rpmbuild/RPMS/${ARCH}/* /tmp/rpms/
 
+# Install a subset of packages from UBI prior to removing the UBI repo below.
+# We do this because the UBI repo has updated versions with CVE fixes. We can remove
+# this once the CentOS repo updates the version of these packages.
+# gzip >= 1.9-13.el8_5
+# cryptsetup-libs >= 2.3.3-4.el8_5.1
+RUN microdnf install gzip cryptsetup-libs
+
 # Install the necessary packages, making sure that we're using only CentOS repos.
 # Since the ubi repos do not contain all the packages we need (they're missing conntrack-tools),
 # we're using CentOS repos for all our packages. Using packages from a single source (CentOS) makes

diff --git a/Makefile b/Makefile
@@ -60,7 +60,7 @@ K8S_VERSION = v1.18.6
 ###############################################################################
 
 # Versions and location of dependencies used in the build.
-BIRD_VERSION=v0.3.3-182-g4b493986
+BIRD_VERSION=v0.3.3-188-g0196eee4
 BIRD_IMAGE ?= calico/bird:$(BIRD_VERSION)-$(ARCH)
 BIRD_SOURCE=filesystem/included-source/bird-$(BIRD_VERSION).tar.gz
 FELIX_GPL_SOURCE=filesystem/included-source/felix-ebpf-gpl.tar.gz