actinia-org / actinia-docker

Various Docker images and docker-compose configs for actinia (see also https://hub.docker.com/r/mundialis/actinia/tags and https://hub.docker.com/r/mundialis/actinia-core/tags)
GNU General Public License v3.0

libcurl: security issue with high severity #62

Closed ninsbl closed 1 year ago

ninsbl commented 1 year ago

Colleagues informed me about a security issue in libcurl / curl with high severity. See more info here: https://stackdiary.com/curl-high-severity-flaw-cve-2023-38545/

A libcurl maintainer tweeted:

We are cutting the release cycle short and will release curl 8.4.0 on October 11, including a fix for a severity HIGH CVE. Buckle up.

https://twitter.com/bagder/status/1709103920914526525

Maybe worth investigating how to update tomorrow (11.10.2023)...

mmacata commented 1 year ago

For alpine I triggered the build of the dependency image: https://github.com/actinia-org/actinia-docker/actions/runs/6494060496 It should be fixed inside. I will check after build, then update the final image.

mmacata commented 1 year ago

I am a bit confused about the Ubuntu fix. It looks like the new version (7.81.0-1ubuntu1.14, which has the fix) is installed, but the version shows no difference. Is this correct? Or am I missing something?


11:56 $ docker run --rm -it --entrypoint sh osgeo/grass-gis:current-ubuntu
# curl --version
curl 7.81.0 (x86_64-pc-linux-gnu) libcurl/7.81.0 OpenSSL/3.0.2 zlib/1.2.11 brotli/1.0.9 zstd/1.4.8 libidn2/2.3.2 libpsl/0.21.0 (+libidn2/2.3.2) libssh/0.9.6/openssl/zlib nghttp2/1.43.0 librtmp/2.3 OpenLDAP/2.5.16
Release-Date: 2022-01-05
Protocols: dict file ftp ftps gopher gophers http https imap imaps ldap ldaps mqtt pop3 pop3s rtmp rtsp scp sftp smb smbs smtp smtps telnet tftp 
Features: alt-svc AsynchDNS brotli GSS-API HSTS HTTP2 HTTPS-proxy IDN IPv6 Kerberos Largefile libz NTLM NTLM_WB PSL SPNEGO SSL TLS-SRP UnixSockets zstd

# apt update
[...]
11 packages can be upgraded. Run 'apt list --upgradable' to see them.

# apt list --upgradable
Listing... Done
curl/jammy-updates,jammy-security 7.81.0-1ubuntu1.14 amd64 [upgradable from: 7.81.0-1ubuntu1.13]
libcurl3-gnutls/jammy-updates,jammy-security 7.81.0-1ubuntu1.14 amd64 [upgradable from: 7.81.0-1ubuntu1.13]
libcurl4-gnutls-dev/jammy-updates,jammy-security 7.81.0-1ubuntu1.14 amd64 [upgradable from: 7.81.0-1ubuntu1.13]
libcurl4/jammy-updates,jammy-security 7.81.0-1ubuntu1.14 amd64 [upgradable from: 7.81.0-1ubuntu1.13]
[...]

# apt upgrade curl
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
Calculating upgrade... Done
The following packages will be upgraded:
  curl libcurl3-gnutls libcurl4 libcurl4-gnutls-dev libtiff-dev libtiff5 libtiffxx5 vim vim-common vim-runtime
  xxd
11 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
Need to get 10.3 MB of archives.
After this operation, 0 B of additional disk space will be used.
Do you want to continue? [Y/n] y
Get:1 http://archive.ubuntu.com/ubuntu jammy-updates/main amd64 vim amd64 2:8.2.3995-1ubuntu2.12 [1,730 kB]
Get:2 http://archive.ubuntu.com/ubuntu jammy-updates/main amd64 vim-runtime all 2:8.2.3995-1ubuntu2.12 [6,826 kB]
Get:3 http://archive.ubuntu.com/ubuntu jammy-updates/main amd64 xxd amd64 2:8.2.3995-1ubuntu2.12 [54.2 kB]     
Get:4 http://archive.ubuntu.com/ubuntu jammy-updates/main amd64 vim-common all 2:8.2.3995-1ubuntu2.12 [81.5 kB]
Get:5 http://archive.ubuntu.com/ubuntu jammy-updates/main amd64 curl amd64 7.81.0-1ubuntu1.14 [194 kB]         
Get:6 http://archive.ubuntu.com/ubuntu jammy-updates/main amd64 libcurl4 amd64 7.81.0-1ubuntu1.14 [290 kB]     
Get:7 http://archive.ubuntu.com/ubuntu jammy-updates/main amd64 libcurl4-gnutls-dev amd64 7.81.0-1ubuntu1.14 [379 kB]
Get:8 http://archive.ubuntu.com/ubuntu jammy-updates/main amd64 libcurl3-gnutls amd64 7.81.0-1ubuntu1.14 [284 kB]
Get:9 http://archive.ubuntu.com/ubuntu jammy-updates/main amd64 libtiff-dev amd64 4.3.0-6ubuntu0.6 [314 kB]    
Get:10 http://archive.ubuntu.com/ubuntu jammy-updates/main amd64 libtiff5 amd64 4.3.0-6ubuntu0.6 [183 kB]      
Get:11 http://archive.ubuntu.com/ubuntu jammy-updates/main amd64 libtiffxx5 amd64 4.3.0-6ubuntu0.6 [5,744 B]   
Fetched 10.3 MB in 7s (1,524 kB/s)                                                                             
debconf: delaying package configuration, since apt-utils is not installed
(Reading database ... 50466 files and directories currently installed.)
Preparing to unpack .../00-vim_2%3a8.2.3995-1ubuntu2.12_amd64.deb ...
Unpacking vim (2:8.2.3995-1ubuntu2.12) over (2:8.2.3995-1ubuntu2.11) ...
Preparing to unpack .../01-vim-runtime_2%3a8.2.3995-1ubuntu2.12_all.deb ...
Unpacking vim-runtime (2:8.2.3995-1ubuntu2.12) over (2:8.2.3995-1ubuntu2.11) ...
Preparing to unpack .../02-xxd_2%3a8.2.3995-1ubuntu2.12_amd64.deb ...
Unpacking xxd (2:8.2.3995-1ubuntu2.12) over (2:8.2.3995-1ubuntu2.11) ...
Preparing to unpack .../03-vim-common_2%3a8.2.3995-1ubuntu2.12_all.deb ...
Unpacking vim-common (2:8.2.3995-1ubuntu2.12) over (2:8.2.3995-1ubuntu2.11) ...
Preparing to unpack .../04-curl_7.81.0-1ubuntu1.14_amd64.deb ...
Unpacking curl (7.81.0-1ubuntu1.14) over (7.81.0-1ubuntu1.13) ...
Preparing to unpack .../05-libcurl4_7.81.0-1ubuntu1.14_amd64.deb ...
Unpacking libcurl4:amd64 (7.81.0-1ubuntu1.14) over (7.81.0-1ubuntu1.13) ...
Preparing to unpack .../06-libcurl4-gnutls-dev_7.81.0-1ubuntu1.14_amd64.deb ...
Unpacking libcurl4-gnutls-dev:amd64 (7.81.0-1ubuntu1.14) over (7.81.0-1ubuntu1.13) ...
Preparing to unpack .../07-libcurl3-gnutls_7.81.0-1ubuntu1.14_amd64.deb ...
Unpacking libcurl3-gnutls:amd64 (7.81.0-1ubuntu1.14) over (7.81.0-1ubuntu1.13) ...
Preparing to unpack .../08-libtiff-dev_4.3.0-6ubuntu0.6_amd64.deb ...
Unpacking libtiff-dev:amd64 (4.3.0-6ubuntu0.6) over (4.3.0-6ubuntu0.5) ...
Preparing to unpack .../09-libtiff5_4.3.0-6ubuntu0.6_amd64.deb ...
Unpacking libtiff5:amd64 (4.3.0-6ubuntu0.6) over (4.3.0-6ubuntu0.5) ...
Preparing to unpack .../10-libtiffxx5_4.3.0-6ubuntu0.6_amd64.deb ...
Unpacking libtiffxx5:amd64 (4.3.0-6ubuntu0.6) over (4.3.0-6ubuntu0.5) ...
Setting up libcurl3-gnutls:amd64 (7.81.0-1ubuntu1.14) ...
Setting up libcurl4-gnutls-dev:amd64 (7.81.0-1ubuntu1.14) ...
Setting up xxd (2:8.2.3995-1ubuntu2.12) ...
Setting up vim-common (2:8.2.3995-1ubuntu2.12) ...
Setting up libcurl4:amd64 (7.81.0-1ubuntu1.14) ...
Setting up libtiff5:amd64 (4.3.0-6ubuntu0.6) ...
Setting up curl (7.81.0-1ubuntu1.14) ...
Setting up vim-runtime (2:8.2.3995-1ubuntu2.12) ...
Setting up libtiffxx5:amd64 (4.3.0-6ubuntu0.6) ...
Setting up vim (2:8.2.3995-1ubuntu2.12) ...
Setting up libtiff-dev:amd64 (4.3.0-6ubuntu0.6) ...
Processing triggers for libc-bin (2.35-0ubuntu3.4) ...
Processing triggers for mailcap (3.70+nmu1ubuntu1) ...

# curl --version
curl 7.81.0 (x86_64-pc-linux-gnu) libcurl/7.81.0 OpenSSL/3.0.2 zlib/1.2.11 brotli/1.0.9 zstd/1.4.8 libidn2/2.3.2 libpsl/0.21.0 (+libidn2/2.3.2) libssh/0.9.6/openssl/zlib nghttp2/1.43.0 librtmp/2.3 OpenLDAP/2.5.16
Release-Date: 2022-01-05
Protocols: dict file ftp ftps gopher gophers http https imap imaps ldap ldaps mqtt pop3 pop3s rtmp rtsp scp sftp smb smbs smtp smtps telnet tftp 
Features: alt-svc AsynchDNS brotli GSS-API HSTS HTTP2 HTTPS-proxy IDN IPv6 Kerberos Largefile libz NTLM NTLM_WB PSL SPNEGO SSL TLS-SRP UnixSockets zstd

ninsbl commented 1 year ago

Yes, I also expected 8.4 to be shipped. But Ubuntu obviously fixed it in 7.81.0-1ubuntu1.14. See: https://ubuntu.com/security/notices/USN-6429-1 So this should be safe now...

mmacata commented 1 year ago

For alpine I made a release and mundialis/actinia:2.6.4 now contains curl 8.4.0.

For Ubuntu there is no GitHub workflow. A local build should be fine, as the steps apt update and apt install curl are contained, but I am currently building locally and not sure. If curl is already installed, I guess it would not update the version. So let's wait.

mmacata commented 1 year ago

In the local build for Ubuntu some changes not related to curl were needed. After a successful build, curl 7.81.0-1ubuntu1.14 is inside. So all good now :)