Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix/SK-1318 | Fixed critical security vulnerability #847 (zlib) #787

Merged
merged 16 commits into from
Jan 22, 2025
Merged

Fix/SK-1318 | Fixed critical security vulnerability #847 (zlib) #787

merged 16 commits into from
Jan 22, 2025
+28 −3

Conversation

benjaminastrand
Copy link
Contributor

@benjaminastrand benjaminastrand commented Jan 22, 2025
edited
Loading

This PR fixes the critical security vulnerability CVE-2023-45853. Code scanning alert on GitHub here.

The vulnerability arises because Debian Bookworm uses an old version (1:1.2.13.dfsg-1) of the C library zlib (used for handling zip files). This version of zlib has a vulnerability which is fixed in version 1:1.3.dfsg+really1.3.1-1+b1 (Debian Security Tracker).

Solution:

  • Temporarily add the Debian Testing (Trixie) repo in the builder and runtime stages, which includes the fixed version of zlib
  • Install the fixed version of zlib
  • Remove the Debian Testing repo

Note
Trivy doesn't pick up on this solution. It sees that Debian Bookworm is used, and assumes that the vulnerable version (1:1.2.13.dfsg-1) of zlib is installed. Therefor this vulnerability ID has been added to .trivyignore, since we know that it has been fixed. See this discussion on Trivy's GitHub about solving this problem.

@benjaminastrand
Install zlib version 1.3.1
695a575
@benjaminastrand
Run trivy scan when pushing to this branch (for testing)
Loading
Loading status checks…
d7dfd28
@benjaminastrand
Upload trivy scan results when pushing to this branch
Loading
Loading status checks…
71ea5d5
@benjaminastrand
Check zlib version
Loading
Loading status checks…
2d8344c
@benjaminastrand
Clear trivy cache
Loading
Loading status checks…
4d35364
@benjaminastrand
Fix clear cache command
Loading
Loading status checks…
97f5a2d
@benjaminastrand
Run Trivy scan on image built from this branch
3ed7b95
@benjaminastrand
Remove code to clear cache
Loading
Loading status checks…
8eb0263
@benjaminastrand
Added CVE-2023-45853 to trivyignore
Loading
Loading status checks…
e4a3f06
@benjaminastrand
Run trivy scan on master
Loading
Loading status checks…
77eb59c
@benjaminastrand
Upgrade packages in runtime stage
fc3e5ba
@benjaminastrand
Remove warning about case mismatch
b4a9dc6
@benjaminastrand
Final check zlib version on GitHub
Loading
Loading status checks…
9ccda9f
@benjaminastrand
Remove print of zlib version
1c5413d
@benjaminastrand
Restore settings for when Trivy scan is run
Loading
Loading status checks…
d902e0b
@benjaminastrand
Added link to PR
Loading
Loading status checks…
fef04e5
@github-actions github-actions bot added the minor label Jan 22, 2025
@benjaminastrand benjaminastrand merged commit 68d946c into master Jan 22, 2025
18 checks passed
@benjaminastrand benjaminastrand deleted the fix/SK-1318 branch January 22, 2025 11:37
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@niklastheman niklastheman

@Wrede Wrede

@stefanhellander stefanhellander

Assignees
No one assigned
Labels
fix github minor
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
2 participants
@benjaminastrand @niklastheman