[jira] [Commented] (TIKA-3906) Build a new version of the Tika docker image to fix CVEs
[ https://issues.apache.org/jira/browse/TIKA-3906?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17625689#comment-17625689 ]

Tim Allison commented on TIKA-3906:
---

Awesome. Thank you for the feedback, and thank you [~grossws] for the review!

> Build a new version of the Tika docker image to fix CVEs
>
>
> Key: TIKA-3906
> URL: https://issues.apache.org/jira/browse/TIKA-3906
> Project: Tika
> Issue Type: Bug
> Components: docker
> Affects Versions: 2.5.0
> Reporter: Felix Sperling
> Priority: Major
>
> Please rebuild and release a new version of the 2.5.0 docker image.
> The current one contains CVEs which have fixes already in the jammy repos.
>
> h2. zlib
> *_Note:_* _Versions mentioned in the description apply to the upstream {{zlib}} package._ _See {{How to fix?}} for {{Ubuntu:22.04}} relevant versions._
> zlib through 1.2.12 has a heap-based buffer over-read or buffer overflow in inflate in inflate.c via a large gzip header extra field. NOTE: only applications that call inflateGetHeader are affected. Some common applications bundle the affected zlib source code but may be unable to call inflateGetHeader (e.g., see the nodejs/node reference).
> h2. Remediation
> Upgrade {{Ubuntu:22.04}} {{zlib}} to version 1:1.2.11.dfsg-2ubuntu9.2 or higher.
>
> h2. perl
> *_Note:_* _Versions mentioned in the description apply to the upstream {{perl}} package._ _See {{How to fix?}} for {{Ubuntu:22.04}} relevant versions._
> CPAN 2.28 allows Signature Verification Bypass.
> h2. Remediation
> Upgrade {{Ubuntu:22.04}} {{perl}} to version 5.34.0-3ubuntu1.1 or higher.

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
[jira] [Commented] (TIKA-3906) Build a new version of the Tika docker image to fix CVEs
[ https://issues.apache.org/jira/browse/TIKA-3906?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17625641#comment-17625641 ]

Felix Sperling commented on TIKA-3906:
--

[~tallison] Thank you so much. That was superfast :D

Looks good:

{code:java}
$ docker ps
CONTAINER ID   IMAGE                 COMMAND                  CREATED         STATUS         PORTS      NAMES
10f66f029aef   apache/tika:2.5.0.1   "/bin/sh -c 'exec ja…"   6 seconds ago   Up 5 seconds   9998/tcp   serene_rosalind

$ docker exec -ti 10f66f029aef /bin/bash
root@10f66f029aef:/# dpkg -l | grep -E "perl|zlib"
ii  perl-base      5.34.0-3ubuntu1.1          amd64   minimal Perl system
ii  zlib1g:amd64   1:1.2.11.dfsg-2ubuntu9.2   amd64   compression library - runtime
{code}
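One way to automate the check Felix did by hand above, as an added example that is not part of the ticket or the Tika project: it parses `dpkg -l` lines and compares each installed version against the ticket's minimum fixed version using dpkg's own ordering (epoch, upstream, revision, with `~` sorting first), so that "or higher" is judged the way apt judges it rather than by string comparison. The package names, minimum versions and sample lines come from the ticket; the function names and the `REQUIRED` table are this example's own, and the sample output is constructed.

```python
# Added example (not Tika project code): verify `dpkg -l` output against the
# minimum fixed versions from TIKA-3906 using dpkg's own version ordering.
import re
from itertools import zip_longest

# Minimum fixed versions from the ticket's Remediation sections.
REQUIRED = {"zlib1g": "1:1.2.11.dfsg-2ubuntu9.2", "perl-base": "5.34.0-3ubuntu1.1"}

# Constructed sample mirroring the `dpkg -l | grep -E "perl|zlib"` lines in the ticket.
SAMPLE_DPKG_OUTPUT = """\
ii  perl-base     5.34.0-3ubuntu1.1         amd64  minimal Perl system
ii  zlib1g:amd64  1:1.2.11.dfsg-2ubuntu9.2  amd64  compression library - runtime
"""

def _order(c):
    # Weight of one character in a non-digit run: '~' sorts before even the end of string.
    if c == "~":
        return -1
    if c == "" or c.isdigit():
        return 0
    return ord(c) if c.isalpha() else ord(c) + 256

def _cmp_fragment(a, b):
    # dpkg's verrevcmp: split into alternating non-digit / digit runs and compare pairwise.
    ta, tb = re.findall(r"\d+|\D+", a), re.findall(r"\d+|\D+", b)
    for t in (ta, tb):
        if not t or t[0].isdigit():
            t.insert(0, "")  # align both lists so even positions hold non-digit runs
    for x, y in zip_longest(ta, tb, fillvalue=""):
        if x.isdigit() or y.isdigit():
            d = int(x or 0) - int(y or 0)  # numeric runs compare as integers, not strings
        else:
            d = next((_order(p) - _order(q) for p, q in zip_longest(x, y, fillvalue="") if p != q), 0)
        if d:
            return d
    return 0

def _split(version):
    # [epoch:]upstream[-revision]; epoch defaults to 0, revision to "".
    epoch, sep, rest = version.partition(":")
    if not sep:
        epoch, rest = "0", version
    upstream, sep, revision = rest.rpartition("-")
    return (int(epoch), upstream, revision) if sep else (int(epoch), rest, "")

def compare_versions(a, b):
    """Return <0, 0 or >0 as a is older than, equal to or newer than b (dpkg semantics)."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    return (ea - eb) or _cmp_fragment(ua, ub) or _cmp_fragment(ra, rb)

def check_dpkg_output(text, required=REQUIRED):
    """Map each required package to (installed_version, meets_minimum) from `dpkg -l` lines."""
    result = {name: (None, False) for name in required}  # not installed: nothing verified
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0] != "ii":  # only fully installed packages
            continue
        name = fields[1].split(":")[0]  # drop the ':amd64' architecture qualifier
        if name in required:
            result[name] = (fields[2], compare_versions(fields[2], required[name]) >= 0)
    return result
```

Feed it the output of `docker exec <container> dpkg -l` and treat any `False` as the image still needing a rebuild; note that the epoch makes `1:1.2.11...` newer than an epoch-less `1.2.13`, which a plain string compare gets wrong.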
[jira] [Commented] (TIKA-3906) Build a new version of the Tika docker image to fix CVEs
[ https://issues.apache.org/jira/browse/TIKA-3906?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17625281#comment-17625281 ]

Tim Allison commented on TIKA-3906:
---

Thank you, [~grossws]!

[~fsperling] this was my first time building and pushing to docker hub. Let me know if there are any surprises. I'll close this out for now, but please reopen if there are problems.

Many thanks to the Apache Tika team for making the deployment so easy!
[jira] [Commented] (TIKA-3906) Build a new version of the Tika docker image to fix CVEs
[ https://issues.apache.org/jira/browse/TIKA-3906?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17625268#comment-17625268 ]

ASF GitHub Bot commented on TIKA-3906:
--

tballison merged PR #12:
URL: https://github.com/apache/tika-docker/pull/12
[jira] [Commented] (TIKA-3906) Build a new version of the Tika docker image to fix CVEs
[ https://issues.apache.org/jira/browse/TIKA-3906?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17625204#comment-17625204 ]

Konstantin Gribov commented on TIKA-3906:
-

+1 on such a versioning scheme; it should be transparent enough for the downstream users.
[jira] [Commented] (TIKA-3906) Build a new version of the Tika docker image to fix CVEs
[ https://issues.apache.org/jira/browse/TIKA-3906?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17625132#comment-17625132 ]

Tim Allison commented on TIKA-3906:
---

Once I get a thumbs up on the PR, I'll update: https://cwiki.apache.org/confluence/display/TIKA/Release+Process+for+tika-docker
[jira] [Commented] (TIKA-3906) Build a new version of the Tika docker image to fix CVEs
[ https://issues.apache.org/jira/browse/TIKA-3906?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17625131#comment-17625131 ]

Tim Allison commented on TIKA-3906:
---

[~lewismc], do we have to do anything with helm if we're modifying the Docker version number strategy?
[jira] [Commented] (TIKA-3906) Build a new version of the Tika docker image to fix CVEs
[ https://issues.apache.org/jira/browse/TIKA-3906?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17625105#comment-17625105 ]

Tim Allison commented on TIKA-3906:
---

[~davemeikle] or [~grossws], any chance you can take a look at the PR?
[jira] [Commented] (TIKA-3906) Build a new version of the Tika docker image to fix CVEs
[ https://issues.apache.org/jira/browse/TIKA-3906?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17625100#comment-17625100 ]

Tim Allison commented on TIKA-3906:
---

Thank you, it felt like an absolute nightmare to keep the same version; I just wanted confirmation.
[jira] [Commented] (TIKA-3906) Build a new version of the Tika docker image to fix CVEs
[ https://issues.apache.org/jira/browse/TIKA-3906?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17625099#comment-17625099 ]

ASF GitHub Bot commented on TIKA-3906:
--

tballison opened a new pull request, #12:
URL: https://github.com/apache/tika-docker/pull/12

Allow docker image to have increment after Tika version.
[jira] [Commented] (TIKA-3906) Build a new version of the Tika docker image to fix CVEs
[ https://issues.apache.org/jira/browse/TIKA-3906?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17625042#comment-17625042 ]

Felix Sperling commented on TIKA-3906:
--

[~tallison] While overwriting 2.5.0 might be possible, I don't think it is a good idea. It could lead to problems which would be difficult to debug (different behaviour of the seemingly same image). I would suggest something like 2.5.0.1.
[jira] [Commented] (TIKA-3906) Build a new version of the Tika docker image to fix CVEs
[ https://issues.apache.org/jira/browse/TIKA-3906?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17625033#comment-17625033 ]

Tim Allison commented on TIKA-3906:
---

[~fsperling] and fellow devs, how do we handle versioning docker images? Do we just overwrite 2.5.0 or do we need something like a . like 2.5.0.1?