Closed AB-xdev closed 1 year ago
libksba8 is pulled in by the install of gnupg during the build of the mariadb container. It isn't actually used by mariadb directly, and mariadb doesn't call the executables kbxutil, dirmngr or gpgsm from the gnupg package; they aren't used during the build either, as nothing is X.509/CMS based.
I think I can get away with a gpg-only package and avoid the wider gnupg. I'll test this early next week.
Ubuntu updates occur periodically as part of the official images, like this PR, and after those are built, every dependent container image, like mariadb, will automatically get rebuilt.
Seems I was wrong, dirmngr is used (only) in the build:
diff --git a/10.10/Dockerfile b/10.10/Dockerfile
index 407b7be..72f4a05 100644
--- a/10.10/Dockerfile
+++ b/10.10/Dockerfile
@@ -8,7 +8,7 @@ RUN groupadd -r mysql && useradd -r -g mysql mysql
RUN set -ex; \
apt-get update; \
if ! which gpg; then \
- apt-get install -y --no-install-recommends gnupg; \
+ apt-get install -y --no-install-recommends gpgv gpg; \
fi; \
rm -rf /var/lib/apt/lists/*
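Review bot: replacing gnupg with only `gpgv gpg` drops dirmngr, but the build's `gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys ...` step needs dirmngr to talk to the keyserver and fails with `gpg: keyserver receive failed: No dirmngr` (see the trace below). Either add it to the install line, e.g. `apt-get install -y --no-install-recommends gpg dirmngr; \`, or keep gnupg; the `if ! which gpg` guard alone does not cover that dependency.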
build:
...
+ wget -q -O /usr/local/bin/gosu.asc https://github.com/tianon/gosu/releases/download/1.14/gosu-amd64.asc
+ mktemp -d
+ GNUPGHOME=/tmp/tmp.RcAauxCkdZ
+ export GNUPGHOME
+ gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys B42F6819007F00F88E364FD4036A9C25BF357DD4
gpg: keybox '/tmp/tmp.RcAauxCkdZ/pubring.kbx' created
gpg: error running '/usr/bin/dirmngr': probably not installed
gpg: failed to start the dirmngr '/usr/bin/dirmngr': Configuration error
gpg: connecting dirmngr at '/tmp/tmp.RcAauxCkdZ/S.dirmngr' failed: Configuration error
gpg: keyserver receive failed: No dirmngr
So dirmngr is used for accessing OpenPGP key servers.
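As an added example (not code from this issue or the mariadb repository), a build step that installs gpg together with dirmngr only for the duration of the gosu signature check and purges them again, so neither gnupg nor libksba8 ends up in the final image. The gosu release (1.14) and key fingerprint are the ones quoted in the build trace above; the base image and the apt-mark bookkeeping are assumptions.

```dockerfile
# Assumed base; the point is the RUN step below, not the image tag.
FROM ubuntu:22.04

# Install the verification tooling, verify, then remove it again.
# gpg needs dirmngr for keyserver access (--recv-keys); without it the
# build fails with "keyserver receive failed: No dirmngr".
RUN set -eux; \
    savedAptMark="$(apt-mark showmanual)"; \
    apt-get update; \
    apt-get install -y --no-install-recommends ca-certificates wget gpg dirmngr; \
    rm -rf /var/lib/apt/lists/*; \
    wget -q -O /usr/local/bin/gosu \
        https://github.com/tianon/gosu/releases/download/1.14/gosu-amd64; \
    wget -q -O /usr/local/bin/gosu.asc \
        https://github.com/tianon/gosu/releases/download/1.14/gosu-amd64.asc; \
    # Throwaway keyring so nothing from the build host's keyring is trusted.
    export GNUPGHOME="$(mktemp -d)"; \
    gpg --batch --keyserver hkps://keys.openpgp.org \
        --recv-keys B42F6819007F00F88E364FD4036A9C25BF357DD4; \
    # Fails the build if the detached signature does not verify.
    gpg --batch --verify /usr/local/bin/gosu.asc /usr/local/bin/gosu; \
    # Stop gpg-agent/dirmngr before deleting their socket directory.
    gpgconf --kill all; \
    rm -rf "$GNUPGHOME" /usr/local/bin/gosu.asc; \
    # Mark everything auto, restore the original manual set, purge the rest:
    # gpg, dirmngr and their pulled-in libraries (libksba8 included) go away.
    apt-mark auto '.*' > /dev/null; \
    [ -z "$savedAptMark" ] || apt-mark manual $savedAptMark; \
    apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false; \
    chmod +x /usr/local/bin/gosu; \
    gosu --version; \
    gosu nobody true
```

A scanner run against the resulting image then reports no libksba8, because the package is never present in a committed layer after the RUN step finishes.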
The images have been rebuilt due to the change of ubuntu base:
$ podman run -ti mariadb:latest bash
root@47b848fe6ecf:/# apt-cache show libksba8
Package: libksba8
Status: install ok installed
Priority: optional
Section: libs
Installed-Size: 302
Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>
Architecture: amd64
Multi-Arch: same
Source: libksba
Version: 1.6.0-2ubuntu0.1
Ref: #475
New releases are also coming out very soon.
For a few days now our code scanner has been finding the following vulnerability inside the mariadb image:
The problem was already fixed inside Ubuntu: https://ubuntu.com/security/CVE-2022-3515
If mariadb is affected by the CVE, I recommend that you re-release the existing images (with an updated Ubuntu base image). If it's not affected, I recommend that you remove the library.