From e83e0b907cba9e154853cdcae919ecde7124f945 Mon Sep 17 00:00:00 2001
From: Casey Davenport
Date: Fri, 15 Jul 2022 11:54:41 -0700
Subject: [PATCH 1/2] Include CVE fixes for gzip, cryptlibs

---
 Dockerfile.amd64 | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/Dockerfile.amd64 b/Dockerfile.amd64
index ede4b2f7d..a524dc888 100644
--- a/Dockerfile.amd64
+++ b/Dockerfile.amd64
@@ -111,6 +111,13 @@ COPY --from=centos /tmp/admin/runit-${RUNIT_VER}/command/* /usr/local/bin/
 # Copy in our rpms
 COPY --from=centos /root/rpmbuild/RPMS/${ARCH}/* /tmp/rpms/
 
+# Install a subset of packages from UBI prior to removing the UBI repo below.
+# We do this because the UBI repo has updated versions with CVE fixes. We can remove
+# this once the CentOS repo updates the version of these packages.
+# gzip >= 1.9-13.el8_5
+# cryptsetup-libs >= 2.3.3-4.el8_5.1
+RUN microdnf install gzip cryptsetup-libs
+
 # Install the necessary packages, making sure that we're using only CentOS repos.
 # Since the ubi repos do not contain all the packages we need (they're missing conntrack-tools),
 # we're using CentOS repos for all our packages. Using packages from a single source (CentOS) makes

From 3feac9477dc854da77dcf6dd3cfaf03eafb89b21 Mon Sep 17 00:00:00 2001
From: Casey Davenport
Date: Mon, 18 Jul 2022 12:53:48 -0700
Subject: [PATCH 2/2] Update BIRD version

---
 Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Makefile b/Makefile
index ac8fef062..5f517c692 100644
--- a/Makefile
+++ b/Makefile
@@ -60,7 +60,7 @@ K8S_VERSION = v1.18.6
 
 ###############################################################################
 # Versions and location of dependencies used in the build.
-BIRD_VERSION=v0.3.3-182-g4b493986
+BIRD_VERSION=v0.3.3-188-g0196eee4
 BIRD_IMAGE ?= calico/bird:$(BIRD_VERSION)-$(ARCH)
 BIRD_SOURCE=filesystem/included-source/bird-$(BIRD_VERSION).tar.gz
 FELIX_GPL_SOURCE=filesystem/included-source/felix-ebpf-gpl.tar.gz
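Review bot: In the Dockerfile.amd64 hunk, the version floors named in the new comment (`gzip >= 1.9-13.el8_5`, `cryptsetup-libs >= 2.3.3-4.el8_5.1`) are neither enforced nor checked by `RUN microdnf install gzip cryptsetup-libs`, so the image receives whatever the UBI repo, or a cached build layer, supplies at build time. Whether the fixed builds actually end up in the final image also depends on what the base image already contains and on the CentOS-only install step that follows, and neither is fully visible in this hunk. Appending a query records the resolved versions in the build log, e.g. `RUN microdnf install gzip cryptsetup-libs && rpm -q gzip cryptsetup-libs`, and a version assertion or image scan in CI would catch a silent regression. Because the comment describes the step as temporary, it would also help to state in the comment which condition or tracking item triggers its removal.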