CircleCI-Public / cimg-base

The CircleCI Base (Ubuntu) Docker Convenience Image.
https://circleci.com/developer/images/image/cimg/base
MIT License
74 stars 42 forks

chore: Bump docker-compose for security purpose #245

Closed PerfectSlayer closed 1 year ago

PerfectSlayer commented 1 year ago

Update docker-compose version to patch security issues (from Trivy scanner):

usr/local/lib/docker/cli-plugins/docker-compose (gobinary)

├──────────────────────────────────┼─────────────────────┼──────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────┤
│ github.com/opencontainers/runc   │ CVE-2023-27561      │ HIGH     │ v1.1.3            │ v1.1.5        │ runc: volume mount race condition (regression of         │
│                                  │                     │          │                   │               │ CVE-2019-19921)                                          │
│                                  │                     │          │                   │               │ https://avd.aquasec.com/nvd/cve-2023-27561               │
├──────────────────────────────────┼─────────────────────┤          ├───────────────────┼───────────────┼──────────────────────────────────────────────────────────┤

Docker-compose 2.17.3 has updated runc to 1.1.5, which fixes multiple CVEs.
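An added verification step, not part of this PR or the cimg-base project: after bumping the compose plugin, confirm that the runc module embedded in the Go binary is at or above the version Trivy reports as fixed, by parsing `go version -m` output. The module listings below are constructed samples, and the version comparison assumes a `sort` that supports `-V` (GNU or BusyBox).

```shell
#!/bin/sh
# Added example, not from the cimg-base project: check that a Go binary
# (here the docker-compose CLI plugin) embeds runc at or above the version
# Trivy reports as fixed. Input is the text printed by `go version -m <binary>`.

# Print the version of module $1 from `go version -m` output on stdin.
# Dependency lines look like: "dep github.com/opencontainers/runc v1.1.3 h1:..."
module_version() {
  awk -v mod="$1" '$1 == "dep" && $2 == mod { print $3; exit }'
}

# Succeed when version $1 >= version $2; relies on sort -V (GNU/BusyBox).
version_ge() {
  [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$2" ]
}

# $1 = `go version -m` output, $2 = fixed version (default v1.1.5, per the scan).
# Prints a verdict; exit 0 when patched, 1 when vulnerable, 2 when runc is absent.
check_runc() {
  ver=$(printf '%s\n' "$1" | module_version github.com/opencontainers/runc)
  fixed=${2:-v1.1.5}
  if [ -z "$ver" ]; then
    echo "runc module not found"
    return 2
  fi
  if version_ge "$ver" "$fixed"; then
    echo "ok $ver"
    return 0
  fi
  echo "vulnerable $ver (fixed in $fixed)"
  return 1
}

# Constructed module listings shaped like real `go version -m` output
# (real output is tab-separated; awk splits on any whitespace).
SAMPLE_OLD='docker-compose: go1.19
path github.com/docker/compose/v2/cmd
dep github.com/opencontainers/runc v1.1.3 h1:CONSTRUCTED'
SAMPLE_NEW='docker-compose: go1.19
path github.com/docker/compose/v2/cmd
dep github.com/opencontainers/runc v1.1.5 h1:CONSTRUCTED'

# Real use in a CI job:
# check_runc "$(go version -m /usr/local/lib/docker/cli-plugins/docker-compose)"
```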

JalexChen commented 1 year ago

hi @PerfectSlayer - would you mind rebasing your branch on main to include the new changes? The new build for this month will go live tomorrow, so I want to make sure this is included.

PerfectSlayer commented 1 year ago

Rebase done ✔️

JalexChen commented 1 year ago

@BytesGuy need a merge