Open maxres-ch opened 3 weeks ago
Is there a way to install git-lfs from the mantic source while not impacting other packages?
Interestingly, it does seem to be ok with not adding dependencies
docker run --entrypoint '' --user 0:0 -it --rm quay.io/argoproj/argocd:v2.11.3 bash
# installed editor and run apt-update after adding source.list
root@bb35a6461be2:/home/argocd# cat /etc/apt/preferences.d/99mantic
Package: *
Pin: release a=mantic
Pin-Priority: 1
root@bb35a6461be2:/home/argocd# grep mantic /etc/apt/sources.list
deb http://ports.ubuntu.com/ubuntu-ports/ mantic multiverse universe
root@bb35a6461be2:/home/argocd# apt install --no-install-recommends -t mantic git-lfs
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following packages will be upgraded:
git-lfs
1 upgraded, 0 newly installed, 0 to remove and 2 not upgraded.
Need to get 3500 kB of archives.
After this operation, 968 kB of additional disk space will be used.
Get:1 http://ports.ubuntu.com/ubuntu-ports mantic/universe arm64 git-lfs arm64 3.4.0-1build1 [3500 kB]
Fetched 3500 kB in 3s (1093 kB/s)
debconf: delaying package configuration, since apt-utils is not installed
(Reading database ... 13223 files and directories currently installed.)
Preparing to unpack .../git-lfs_3.4.0-1build1_arm64.deb ...
Unpacking git-lfs (3.4.0-1build1) over (3.0.2-1ubuntu0.2) ...
Setting up git-lfs (3.4.0-1build1) ...
root@bb35a6461be2:/home/argocd# git-lfs --version
git-lfs/3.4.0 (GitHub; linux arm64; go 1.21.0)
Is there any form of integration tests using the container/git-lfs?
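The pinned-source approach from the session above, written out as a reproducible Dockerfile with the checks a reviewer would want before accepting such a backport. This is an added example, not code from the issue or from the Argo CD project; it assumes an amd64 build against archive.ubuntu.com (the arm64 session above uses ports.ubuntu.com) and that the mantic suite is still being served.

```dockerfile
# Added example, not code from the issue thread or the Argo CD project.
# Goal: take only git-lfs from the newer "mantic" release into a jammy (22.04)
# image, prove nothing else drifted to mantic, and verify the Go toolchain
# the binary reports (the property the scanners in the issue flag).
# Assumptions: amd64 build via archive.ubuntu.com (the thread's arm64 session
# used ports.ubuntu.com), and the mantic suite is still served.
FROM ubuntu:22.04

ARG DEBIAN_FRONTEND=noninteractive

# apt_preferences(5): a priority between 0 and 100 means a version is only
# installed when no version of that package is installed yet, so mantic never
# upgrades anything on its own and is only used when a package is explicitly
# requested with "-t mantic" (which raises mantic to 990 for that one run).
RUN printf 'Package: *\nPin: release a=mantic\nPin-Priority: 1\n' \
      > /etc/apt/preferences.d/99mantic \
 && echo 'deb http://archive.ubuntu.com/ubuntu/ mantic main universe' \
      > /etc/apt/sources.list.d/mantic.list \
 && apt-get update

# Dry run first: the simulation must touch exactly one package (git-lfs).
# If it also lists libc6 or other libraries, the backport would pull more of
# mantic than intended and a base image bump is the safer route.
RUN test "$(apt-get install -s -y --no-install-recommends -t mantic git-lfs \
              | grep -c '^Inst ')" -eq 1

# Real install, restricted to the one package and without recommends.
RUN apt-get install -y --no-install-recommends -t mantic git-lfs \
 && rm -rf /var/lib/apt/lists/*

# Verify the outcome the scanners care about: the binary must report a Go
# toolchain newer than 1.18 (the mantic 3.4.0 build in the thread reports
# go 1.21.0). The build fails if a jammy-built binary slipped through.
RUN git-lfs version \
 && git-lfs version | grep -Eq 'go 1\.(19|[2-9][0-9])'
```

The dry-run gate is the important part: git-lfs is a statically linked Go program with almost no shared-library dependencies, which is why the session above shows "1 upgraded, 0 newly installed"; a C package would usually need a newer libc6 and the same pin would then pull core libraries from a different release. Note also that Ubuntu interim releases such as mantic receive only nine months of updates, so a package pinned this way stops getting security fixes long before the jammy base does, which is the risk behind the later comments that favour bumping the base image over a backport.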
May I suggest we upgrade our base image to ubuntu:24.04@sha256:2e863c44b718727c860746568e1d54afd13b2fa71b160f5cd9058fc436217b30 which will include a newer version of git-lfs (3.4.1) and other packages, which will also lower the number of LOW/MEDIUM CVEs. This is Ubuntu's latest LTS release. @crenshaw-dev WDYT?
a release update seems more ideal than a backport, which feels risky.
I'd be happy to open a PR for a base image update.
Actually we just need to bump the Ubuntu image to ubuntu:22.04@sha256:19478ce7fc2ffbce89df29fea5725a8d12e57de52eb9ea570890dc5852aac1ac and publish a new release to resolve these CVEs. v2.12.0-rc2 uses a slightly older version but contains the fixes.
> docker run -it quay.io/argoproj/argocd:v2.12.0-rc2 git-lfs version
git-lfs/3.4.1 (GitHub; linux arm64; go 1.21.5)
I do think we should bump the Ubuntu image to ubuntu:24.04 for the master branch and the release-2.12 branch since it's still an RC.
@34fathombelow @crenshaw-dev I see this now: https://github.com/argoproj/argo-cd/commit/414be63696a1c0e414488bc1fb33b6f66f19b026
Seems like this issue could be closed when 2.12 is released.
@maxres-ch If I am not mistaken the versions 2.9, 2.10 and 2.11 are still "supported", and this issue thus needs backporting to those versions.
@34fathombelow The 2.12 version of ArgoCD relies on Ubuntu 24.04, while releases 2.9-2.11 are built on 22.04. The latest hash of 22.04 does not contain the newest git-lfs version, as can be seen by running the following command:
docker run --rm ubuntu:22.04@sha256:19478ce7fc2ffbce89df29fea5725a8d12e57de52eb9ea570890dc5852aac1ac /bin/bash -c "apt update && apt install -y git-lfs && git-lfs version"
This will produce the output: git-lfs/3.0.2 (GitHub; linux amd64; go 1.18.1), thus we need to include the mantic repos.
Our scanning tools are showing that git-lfs is built with Go version 1.18.1, which has several vulnerabilities that might impact the binary. CVEs are as follows:
Checklist:
argocd version
Describe the bug
The git-lfs version in jammy was compiled with go 1.18.1 which contains the CVEs listed above. Unfortunately it looks like ubuntu jammy, jammy-updates, and backports are still using the same version of git-lfs compiled with 1.18.1.
To Reproduce
Expected behavior
Screenshots
N/A
Version
Logs
Additional Comment
Solutions:
mantic has git-lfs compiled with go 1.21. Doesn't look like they've backported a newer version to jammy.