Security vulnerability fixes and multi arch support #763
sukalpomitra wants to merge 2 commits into sismics:master from
Conversation
Dockerfile
| tesseract-ocr-sqi \ | ||
| && apt-get clean && \ | ||
| rm -rf /var/lib/apt/lists/* | ||
| RUN apt-get update && apt-get upgrade libgnutls30 -y -q |
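Review bot: the new RUN at the end of this hunk runs apt-get update in a layer of its own, directly after the previous command has done apt-get clean and removed /var/lib/apt/lists/*, so the package lists are downloaded a second time and left behind in the image, and the libgnutls30 upgrade is not reproducible because no version is pinned. Fold it into the existing apt-get step, for example "RUN apt-get update && apt-get install -y -q --only-upgrade libgnutls30 && \" ahead of the existing "&& apt-get clean && \" / "rm -rf /var/lib/apt/lists/*" lines, and state in the PR description which advisory the upgrade addresses so a reviewer can confirm the base image's current package lists actually carry the fixed version.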
Could you merge this with the previous command?
Also, what is this package for?
Hi @jendib, libgnutls30 is a package in the GnuTLS library suite, specifically version 3. GnuTLS is a secure communications library implementing the SSL, TLS, and DTLS protocols. The primary purpose of libgnutls30 is to provide support for cryptographic algorithms and protocols necessary to secure network communications.
I think this package is used by the OS internally in the version used, as it popped up in the security vulnerability.
Also merged the command into the line above.
Hi @jendib, this has been in this state for quite some time. Can you please do another review?
| <com.google.guava.guava.version>31.1-jre</com.google.guava.guava.version> | ||
| <log4j.log4j.version>1.2.17</log4j.log4j.version> | ||
| <com.google.guava.guava.version>33.0.0-jre</com.google.guava.guava.version> | ||
| <log4j.log4j.version>2.22.1</log4j.log4j.version> |
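Review bot: the change of log4j.log4j.version from 1.2.17 to 2.22.1 is not a plain version bump. The property name follows the groupId.artifactId convention, i.e. the log4j:log4j artifact of the 1.x line; Log4j 2 is published under the org.apache.logging.log4j group (log4j-api / log4j-core) with a different package namespace, so a 1.x dependency declaration pointed at 2.22.1 will either fail to resolve or leave code written against org.apache.log4j uncompilable. Either move to a maintained 1.x-compatible fork (reload4j, which the reviewer mentions) or do the Log4j 2 migration, including the log4j-1.2-api bridge or the corresponding source changes, as a separate PR.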
Here the log4j version is upgraded to major version 2, and reload4j is a log4j 1 fork, so there is a problem.
| <org.slf4j.jul-to-slf4j.version>1.7.30</org.slf4j.jul-to-slf4j.version> | ||
| <junit.junit.version>4.13.2</junit.junit.version> | ||
| <com.h2database.h2.version>1.4.199</com.h2database.h2.version> | ||
| <com.h2database.h2.version>2.2.224</com.h2database.h2.version> |
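Review bot: the h2 bump from 1.4.199 to 2.2.224 crosses the 1.4 to 2.0 boundary, where H2 changed its database file format; a 2.x driver refuses to open a 1.4.x database file, so every existing deployment would fail to start rather than upgrade in place. If the bump stays, the PR needs a documented migration (export with SCRIPT TO on the old version, import with RUNSCRIPT FROM on the new one, or an automated equivalent on first start) plus a release note; otherwise revert this line, as the author offers, and keep the database upgrade separate from the security fixes.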
This is going to break all existing instances using h2 database.
Hi @jendib, we have been working with this version of h2 in our forked teedy without any issues. However, let me know and I can revert both this and the log4j version change. But there will still be vulnerabilities for these older versions.
| # Install packages | ||
| RUN apt-get update && \ | ||
| RUN apt-get update && && apt-get upgrade libgnutls30 -y -q && \ |
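Review bot: besides the duplicated "&&" (a shell syntax error, so this layer fails at docker build time), note that the replaced line "RUN apt-get update && \" ended in a continuation and chained into the package list below; the new line must therefore end with exactly one "&& \" so the following lines still chain. Suggested: "RUN apt-get update && apt-get install -y -q --only-upgrade libgnutls30 && \".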
- double "&&"
- no log when docker logs -f teedy after merging the changes
Hi @jendib, this PR consists of vulnerability fixes and multi-arch support.