A security feature bypass vulnerability exists in the way Microsoft ASP.NET Core parses encoded cookie names.
\nThe ASP.NET Core cookie parser decodes entire cookie strings which could allow a malicious attacker to set a second cookie with the name being percent encoded.
\nThe security update addresses the vulnerability by fixing the way the ASP.NET Core cookie parser handles encoded names.
\n", + Description: "A security feature bypass vulnerability exists in the way Microsoft ASP.NET Core parses encoded cookie names.
\nThe ASP.NET Core cookie parser decodes entire cookie strings which could allow a malicious attacker to set a second cookie with the name being percent encoded.
\nThe security update addresses the vulnerability by fixing the way the ASP.NET Core cookie parser handles encoded names.
", Link: "https://nvd.nist.gov/vuln/detail/CVE-2020-1045", Metadata: map[string]interface{}{ "NVD": map[string]interface{}{ @@ -1402,7 +1402,7 @@ var testCases = []testCase{ }, { Name: "CVE-2020-1597", - Description: "A denial of service vulnerability exists when ASP.NET Core improperly handles web requests. An attacker who successfully exploited this vulnerability could cause a denial of service against an ASP.NET Core web application. The vulnerability can be exploited remotely, without authentication.\nA remote unauthenticated attacker could exploit this vulnerability by issuing specially crafted requests to the ASP.NET Core application.\nThe update addresses the vulnerability by correcting how the ASP.NET Core web application handles web requests.\n", + Description: "A denial of service vulnerability exists when ASP.NET Core improperly handles web requests. An attacker who successfully exploited this vulnerability could cause a denial of service against an ASP.NET Core web application. The vulnerability can be exploited remotely, without authentication.\nA remote unauthenticated attacker could exploit this vulnerability by issuing specially crafted requests to the ASP.NET Core application.\nThe update addresses the vulnerability by correcting how the ASP.NET Core web application handles web requests.", Link: "https://nvd.nist.gov/vuln/detail/CVE-2020-1597", Metadata: map[string]interface{}{ "NVD": map[string]interface{}{ diff --git a/image/db/rhel/Dockerfile b/image/db/rhel/Dockerfile index 6e6439705..bffbfc43f 100644 --- a/image/db/rhel/Dockerfile +++ b/image/db/rhel/Dockerfile @@ -1,9 +1,9 @@ ARG RPMS_REGISTRY=registry.access.redhat.com -ARG RPMS_BASE_IMAGE=ubi8 +ARG RPMS_BASE_IMAGE=ubi9 ARG RPMS_BASE_TAG=latest ARG BASE_REGISTRY=registry.access.redhat.com -ARG BASE_IMAGE=ubi8-minimal +ARG BASE_IMAGE=ubi9-minimal ARG BASE_TAG=latest FROM ${BASE_REGISTRY}/${BASE_IMAGE}:${BASE_TAG} AS extracted_bundle diff --git a/image/db/rhel/Dockerfile.slim b/image/db/rhel/Dockerfile.slim index 8352a1add..8e3bb7d34 100644 --- a/image/db/rhel/Dockerfile.slim +++ b/image/db/rhel/Dockerfile.slim @@ -1,9 +1,9 @@ ARG RPMS_REGISTRY=registry.access.redhat.com -ARG RPMS_BASE_IMAGE=ubi8 +ARG RPMS_BASE_IMAGE=ubi9 ARG RPMS_BASE_TAG=latest ARG BASE_REGISTRY=registry.access.redhat.com -ARG BASE_IMAGE=ubi8-minimal +ARG BASE_IMAGE=ubi9-minimal ARG BASE_TAG=latest FROM ${BASE_REGISTRY}/${BASE_IMAGE}:${BASE_TAG} AS extracted_bundle diff --git a/image/db/rhel/konflux.Dockerfile b/image/db/rhel/konflux.Dockerfile index 40716c39b..ad82c2f9d 100644 --- a/image/db/rhel/konflux.Dockerfile +++ b/image/db/rhel/konflux.Dockerfile @@ -1,4 +1,4 @@ -FROM registry.redhat.io/rhel8/postgresql-15:latest@sha256:447214e6f7aba69567fb47590cdcedde82f563b7b85b8e60d4f97451e8566586 AS scanner-db-common +FROM registry.redhat.io/rhel9/postgresql-15:latest@sha256:cba1417b7e8a5b55289aa951c48dc940c72ebea5380045f32cd8faba41937f9b AS scanner-db-common ARG SCANNER_TAG RUN if [[ "$SCANNER_TAG" == "" ]]; then >&2 echo "error: required SCANNER_TAG arg is unset"; exit 6; fi @@ -57,7 +57,7 @@ FROM scanner-db-common AS scanner-db-slim LABEL \ com.redhat.component="rhacs-scanner-db-slim-container" \ io.k8s.display-name="scanner-db-slim" \ - name="advanced-cluster-security/rhacs-scanner-db-slim-rhel8" + name="advanced-cluster-security/rhacs-scanner-db-slim-rhel9" ENV ROX_SLIM_MODE="true" @@ -67,7 +67,7 @@ FROM scanner-db-common AS scanner-db LABEL \ com.redhat.component="rhacs-scanner-db-container" \ io.k8s.display-name="scanner-db" \ - name="advanced-cluster-security/rhacs-scanner-db-rhel8" + name="advanced-cluster-security/rhacs-scanner-db-rhel9" COPY --chown=0:0 .konflux/scanner-data/blob-pg-definitions.sql.gz \ /docker-entrypoint-initdb.d/definitions.sql.gz diff --git a/image/db/rhel/scripts/download.sh b/image/db/rhel/scripts/download.sh index 065310e08..2ef15d90b 100755 --- a/image/db/rhel/scripts/download.sh +++ b/image/db/rhel/scripts/download.sh @@ -4,7 +4,7 @@ set -euo pipefail # If this is updated, be sure to update PG_MAJOR in the Dockerfile and the signature file. postgres_major=15 -pg_rhel_major=8 +pg_rhel_major=9 arch="$(uname -m)" dnf_list_args=() @@ -15,11 +15,10 @@ output_dir="/rpms" mkdir $output_dir if [[ "$arch" == "s390x" ]]; then - # TODO(ROX-30647): Builds are failing due to UBI9:latest not containing the - # necessary version of openssl-libs to build postgresql-contrib. - pg_build_version="0:16.8-1.module_el9+1209+bd6e4013.s390x" + # PostgreSQL.org does not publish packages for s390x, so we use the RHEL + # module repos instead (PostgreSQL 16, since 15 is not available as a module). dnf module enable -y postgresql:16 - dnf install -y --downloadonly --downloaddir=/tmp "postgresql-${pg_build_version}" "postgresql-private-libs-${pg_build_version}" "postgresql-server-${pg_build_version}" "postgresql-contrib-${pg_build_version}" + dnf install -y --downloadonly --downloaddir=/tmp postgresql postgresql-private-libs postgresql-server postgresql-contrib mv /tmp/postgresql-contrib-*.rpm "${output_dir}/postgres-contrib.rpm" mv /tmp/postgresql-server-*.rpm "${output_dir}/postgres-server.rpm" mv /tmp/postgresql-private-libs-*.rpm "${output_dir}/postgres-libs.rpm" diff --git a/image/scanner/rhel/Dockerfile b/image/scanner/rhel/Dockerfile index 2b3cb90f5..1ba00a553 100644 --- a/image/scanner/rhel/Dockerfile +++ b/image/scanner/rhel/Dockerfile @@ -1,5 +1,5 @@ ARG BASE_REGISTRY=registry.access.redhat.com -ARG BASE_IMAGE=ubi8-minimal +ARG BASE_IMAGE=ubi9-minimal ARG BASE_TAG=latest FROM ${BASE_REGISTRY}/${BASE_IMAGE}:${BASE_TAG} AS extracted_bundle diff --git a/image/scanner/rhel/Dockerfile.slim b/image/scanner/rhel/Dockerfile.slim index ee992eb92..23960a08a 100644 --- a/image/scanner/rhel/Dockerfile.slim +++ b/image/scanner/rhel/Dockerfile.slim @@ -1,5 +1,5 @@ ARG BASE_REGISTRY=registry.access.redhat.com -ARG BASE_IMAGE=ubi8-minimal +ARG BASE_IMAGE=ubi9-minimal ARG BASE_TAG=latest FROM ${BASE_REGISTRY}/${BASE_IMAGE}:${BASE_TAG} AS extracted_bundle diff --git a/image/scanner/rhel/konflux.Dockerfile b/image/scanner/rhel/konflux.Dockerfile index d3bff1ba6..2a2c7a1ad 100644 --- a/image/scanner/rhel/konflux.Dockerfile +++ b/image/scanner/rhel/konflux.Dockerfile @@ -1,5 +1,5 @@ # Compiling scanner binaries and staging repo2cpe and genesis manifests -FROM brew.registry.redhat.io/rh-osbs/openshift-golang-builder:rhel_8_golang_1.25@sha256:aa03597ee8c7594ffecef5cbb6a0f059d362259d2a41225617b27ec912a3d0d3 AS builder +FROM brew.registry.redhat.io/rh-osbs/openshift-golang-builder:rhel_9_golang_1.25@sha256:bd531796aacb86e4f97443797262680fbf36ca048717c00b6f4248465e1a7c0c AS builder ARG SCANNER_TAG RUN if [[ "$SCANNER_TAG" == "" ]]; then >&2 echo "error: required SCANNER_TAG arg is unset"; exit 6; fi @@ -28,7 +28,7 @@ COPY .konflux/scanner-data/blob-genesis_manifests.json image/scanner/dump/genesi # Common base for scanner slim and full -FROM registry.access.redhat.com/ubi8-minimal:latest@sha256:b880e16b888f47bc3fae64e67cd9776b24372f2e7ec2051f5a9386de6f5a75ac AS scanner-common +FROM registry.access.redhat.com/ubi9-minimal:latest@sha256:c7d44146f826037f6873d99da479299b889473492d3c1ab8af86f08af04ec8a0 AS scanner-common ARG SCANNER_TAG @@ -59,7 +59,7 @@ COPY --chown=65534:65534 --from=builder /src/image/scanner/dump/genesis_manifest COPY LICENSE /licenses/LICENSE -RUN microdnf install xz && \ +RUN microdnf install -y xz && \ microdnf clean all && \ # (Optional) Remove line below to keep package management utilities # We don't uninstall rpm because scanner uses it to get packages installed in scanned images. @@ -85,7 +85,7 @@ FROM scanner-common AS scanner-slim LABEL \ com.redhat.component="rhacs-scanner-slim-container" \ io.k8s.display-name="scanner-slim" \ - name="advanced-cluster-security/rhacs-scanner-slim-rhel8" + name="advanced-cluster-security/rhacs-scanner-slim-rhel9" ENV ROX_SLIM_MODE="true" @@ -96,7 +96,7 @@ FROM scanner-common AS scanner LABEL \ com.redhat.component="rhacs-scanner-container" \ io.k8s.display-name="scanner" \ - name="advanced-cluster-security/rhacs-scanner-rhel8" + name="advanced-cluster-security/rhacs-scanner-rhel9" ENV NVD_DEFINITIONS_DIR="/nvd_definitions" ENV K8S_DEFINITIONS_DIR="/k8s_definitions" diff --git a/image/scanner/scripts/import-additional-cas b/image/scanner/scripts/import-additional-cas index e89f28a71..72a2ce832 100755 --- a/image/scanner/scripts/import-additional-cas +++ b/image/scanner/scripts/import-additional-cas @@ -19,4 +19,6 @@ copy_existing /usr/local/share/ca-certificates # Copy the custom trusted CA bundles injected by the Openshift Network Operator. copy_existing /etc/pki/injected-ca-trust -update-ca-trust extract +# The -o flag is required for running as an unprivileged user in containers. +# See: https://bugzilla.redhat.com/show_bug.cgi?id=2241240 +update-ca-trust extract -o /etc/pki/ca-trust/extracted diff --git a/image/scanner/scripts/restore-all-dir-contents b/image/scanner/scripts/restore-all-dir-contents index 360168578..b9e661a77 100755 --- a/image/scanner/scripts/restore-all-dir-contents +++ b/image/scanner/scripts/restore-all-dir-contents @@ -4,4 +4,4 @@ set -euo pipefail [ -d /.init-dirs ] || exit 0 -cp -rfP /.init-dirs/* / +cp --recursive --no-dereference --no-clobber /.init-dirs/* / diff --git a/image/scanner/scripts/trust-root-ca b/image/scanner/scripts/trust-root-ca index 78eb99cd1..3fd0b700f 100755 --- a/image/scanner/scripts/trust-root-ca +++ b/image/scanner/scripts/trust-root-ca @@ -6,4 +6,7 @@ CA_PATH="/run/secrets/stackrox.io/certs/ca.pem" # For RHEL cp "${CA_PATH}" /etc/pki/ca-trust/source/anchors/root-ca.pem -update-ca-trust + +# The -o flag is required for running as an unprivileged user in containers. +# See: https://bugzilla.redhat.com/show_bug.cgi?id=2241240 +update-ca-trust extract -o /etc/pki/ca-trust/extracted diff --git a/image/vulnerabilities/Dockerfile b/image/vulnerabilities/Dockerfile index 6a80b3529..2fd60c4bd 100644 --- a/image/vulnerabilities/Dockerfile +++ b/image/vulnerabilities/Dockerfile @@ -1,5 +1,5 @@ ARG BASE_REGISTRY=registry.access.redhat.com -ARG BASE_IMAGE=ubi8-minimal +ARG BASE_IMAGE=ubi9-minimal ARG BASE_TAG=latest FROM ${BASE_REGISTRY}/${BASE_IMAGE}:${BASE_TAG} diff --git a/rpms.lock.yaml b/rpms.lock.yaml index f210c9ecf..e343b7586 100644 --- a/rpms.lock.yaml +++ b/rpms.lock.yaml @@ -4,69 +4,69 @@ lockfileVendor: redhat arches: - arch: aarch64 packages: - - url: https://cdn.redhat.com/content/dist/rhel8/8/aarch64/baseos/os/Packages/x/xz-5.2.4-4.el8_6.aarch64.rpm - repoid: rhel-8-for-aarch64-baseos-rpms - size: 156276 - checksum: sha256:342a2504cb34c9a5c1d43906f534cb1f3bf1de58ac517d575cff57053d04ab00 + - url: https://cdn.redhat.com/content/dist/rhel9/9/aarch64/baseos/os/Packages/x/xz-5.2.5-8.el9_0.aarch64.rpm + repoid: rhel-9-for-aarch64-baseos-rpms + size: 235798 + checksum: sha256:26ac21be6c1e396c7bcbaa9d4786e3275e996d9d78c01f75bbbc6962e6c9bef7 name: xz - evr: 5.2.4-4.el8_6 - sourcerpm: xz-5.2.4-4.el8_6.src.rpm + evr: 5.2.5-8.el9_0 + sourcerpm: xz-5.2.5-8.el9_0.src.rpm source: - - url: https://cdn.redhat.com/content/dist/rhel8/8/aarch64/baseos/source/SRPMS/Packages/x/xz-5.2.4-4.el8_6.src.rpm - repoid: rhel-8-for-aarch64-baseos-source-rpms - size: 1077113 - checksum: sha256:7914b320eefa2db6dad68e5f01e99f8e661072a1f13acb3d19cba8c1295ae40a + - url: https://cdn.redhat.com/content/dist/rhel9/9/aarch64/baseos/source/SRPMS/Packages/x/xz-5.2.5-8.el9_0.src.rpm + repoid: rhel-9-for-aarch64-baseos-source-rpms + size: 1168293 + checksum: sha256:bce98f3a307e75a8ac28f909e29b41d64b15461fa9ddf0bf4ef3c2f6de946b46 name: xz - evr: 5.2.4-4.el8_6 + evr: 5.2.5-8.el9_0 module_metadata: [] - arch: ppc64le packages: - - url: https://cdn.redhat.com/content/dist/rhel8/8/ppc64le/baseos/os/Packages/x/xz-5.2.4-4.el8_6.ppc64le.rpm - repoid: rhel-8-for-ppc64le-baseos-rpms - size: 162264 - checksum: sha256:80d2fc754452ae52b3b36504e5cceb5cd5435a97999351402ae7a28298592a01 + - url: https://cdn.redhat.com/content/dist/rhel9/9/ppc64le/baseos/os/Packages/x/xz-5.2.5-8.el9_0.ppc64le.rpm + repoid: rhel-9-for-ppc64le-baseos-rpms + size: 243215 + checksum: sha256:44cd014634f8a5cb83aff336500b0f2e3bec156a34e7da09e0ae6ef4b5e26467 name: xz - evr: 5.2.4-4.el8_6 - sourcerpm: xz-5.2.4-4.el8_6.src.rpm + evr: 5.2.5-8.el9_0 + sourcerpm: xz-5.2.5-8.el9_0.src.rpm source: - - url: https://cdn.redhat.com/content/dist/rhel8/8/ppc64le/baseos/source/SRPMS/Packages/x/xz-5.2.4-4.el8_6.src.rpm - repoid: rhel-8-for-ppc64le-baseos-source-rpms - size: 1077113 - checksum: sha256:7914b320eefa2db6dad68e5f01e99f8e661072a1f13acb3d19cba8c1295ae40a + - url: https://cdn.redhat.com/content/dist/rhel9/9/ppc64le/baseos/source/SRPMS/Packages/x/xz-5.2.5-8.el9_0.src.rpm + repoid: rhel-9-for-ppc64le-baseos-source-rpms + size: 1168293 + checksum: sha256:bce98f3a307e75a8ac28f909e29b41d64b15461fa9ddf0bf4ef3c2f6de946b46 name: xz - evr: 5.2.4-4.el8_6 + evr: 5.2.5-8.el9_0 module_metadata: [] - arch: s390x packages: - - url: https://cdn.redhat.com/content/dist/rhel8/8/s390x/baseos/os/Packages/x/xz-5.2.4-4.el8_6.s390x.rpm - repoid: rhel-8-for-s390x-baseos-rpms - size: 155012 - checksum: sha256:7fb678077d965dd6aeb09df28ce05cba9c22e4110d4b52f1ee43986beb87a5ff + - url: https://cdn.redhat.com/content/dist/rhel9/9/s390x/baseos/os/Packages/x/xz-5.2.5-8.el9_0.s390x.rpm + repoid: rhel-9-for-s390x-baseos-rpms + size: 234632 + checksum: sha256:c06f44e6fb5a0a1fbf3c052d065b6336c3d17cedbc796260cf0c097b98326906 name: xz - evr: 5.2.4-4.el8_6 - sourcerpm: xz-5.2.4-4.el8_6.src.rpm + evr: 5.2.5-8.el9_0 + sourcerpm: xz-5.2.5-8.el9_0.src.rpm source: - - url: https://cdn.redhat.com/content/dist/rhel8/8/s390x/baseos/source/SRPMS/Packages/x/xz-5.2.4-4.el8_6.src.rpm - repoid: rhel-8-for-s390x-baseos-source-rpms - size: 1077113 - checksum: sha256:7914b320eefa2db6dad68e5f01e99f8e661072a1f13acb3d19cba8c1295ae40a + - url: https://cdn.redhat.com/content/dist/rhel9/9/s390x/baseos/source/SRPMS/Packages/x/xz-5.2.5-8.el9_0.src.rpm + repoid: rhel-9-for-s390x-baseos-source-rpms + size: 1168293 + checksum: sha256:bce98f3a307e75a8ac28f909e29b41d64b15461fa9ddf0bf4ef3c2f6de946b46 name: xz - evr: 5.2.4-4.el8_6 + evr: 5.2.5-8.el9_0 module_metadata: [] - arch: x86_64 packages: - - url: https://cdn.redhat.com/content/dist/rhel8/8/x86_64/baseos/os/Packages/x/xz-5.2.4-4.el8_6.x86_64.rpm - repoid: rhel-8-for-x86_64-baseos-rpms - size: 156884 - checksum: sha256:fa4ceb20dbf23e9408a6446fefc4b709bc85e0bc563ca423569bbe08ecee2c5e + - url: https://cdn.redhat.com/content/dist/rhel9/9/x86_64/baseos/os/Packages/x/xz-5.2.5-8.el9_0.x86_64.rpm + repoid: rhel-9-for-x86_64-baseos-rpms + size: 235693 + checksum: sha256:f16d17c26a241400586ddc3d734ce863e3f19d433881ec640a47bedf0dafd07b name: xz - evr: 5.2.4-4.el8_6 - sourcerpm: xz-5.2.4-4.el8_6.src.rpm + evr: 5.2.5-8.el9_0 + sourcerpm: xz-5.2.5-8.el9_0.src.rpm source: - - url: https://cdn.redhat.com/content/dist/rhel8/8/x86_64/baseos/source/SRPMS/Packages/x/xz-5.2.4-4.el8_6.src.rpm - repoid: rhel-8-for-x86_64-baseos-source-rpms - size: 1077113 - checksum: sha256:7914b320eefa2db6dad68e5f01e99f8e661072a1f13acb3d19cba8c1295ae40a + - url: https://cdn.redhat.com/content/dist/rhel9/9/x86_64/baseos/source/SRPMS/Packages/x/xz-5.2.5-8.el9_0.src.rpm + repoid: rhel-9-for-x86_64-baseos-source-rpms + size: 1168293 + checksum: sha256:bce98f3a307e75a8ac28f909e29b41d64b15461fa9ddf0bf4ef3c2f6de946b46 name: xz - evr: 5.2.4-4.el8_6 + evr: 5.2.5-8.el9_0 module_metadata: [] diff --git a/rpms.rhel.repo b/rpms.rhel.repo index 62d56d521..43f110283 100644 --- a/rpms.rhel.repo +++ b/rpms.rhel.repo @@ -1,6 +1,6 @@ -[rhel-8-for-$basearch-baseos-rpms] -name = Red Hat Enterprise Linux 8 for $basearch - BaseOS (RPMs) -baseurl = https://cdn.redhat.com/content/dist/rhel8/8/$basearch/baseos/os +[rhel-9-for-$basearch-baseos-rpms] +name = Red Hat Enterprise Linux 9 for $basearch - BaseOS (RPMs) +baseurl = https://cdn.redhat.com/content/dist/rhel9/9/$basearch/baseos/os enabled = 1 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release @@ -12,9 +12,9 @@ sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 1 -[rhel-8-for-$basearch-baseos-source-rpms] -name = Red Hat Enterprise Linux 8 for $basearch - BaseOS (Source RPMs) -baseurl = https://cdn.redhat.com/content/dist/rhel8/8/$basearch/baseos/source/SRPMS +[rhel-9-for-$basearch-baseos-source-rpms] +name = Red Hat Enterprise Linux 9 for $basearch - BaseOS (Source RPMs) +baseurl = https://cdn.redhat.com/content/dist/rhel9/9/$basearch/baseos/source/SRPMS enabled = 1 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release @@ -25,3 +25,4 @@ sslclientcert = $SSL_CLIENT_CERT sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 +