
Security vulnerability fixes and multi arch support #763

Open
sukalpomitra wants to merge 2 commits into sismics:master from sukalpomitra:master

Conversation

@sukalpomitra (Contributor) commented Jun 7, 2024

Hi @jendib, this PR consists of vulnerability fixes and multi arch support.

Dockerfile (outdated)
tesseract-ocr-sqi \
&& apt-get clean && \
rm -rf /var/lib/apt/lists/*
RUN apt-get update && apt-get upgrade libgnutls30 -y -q
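Review bot: the new `RUN apt-get update && apt-get upgrade libgnutls30 -y -q` runs as a separate layer after the previous command has already cleaned the apt cache with `rm -rf /var/lib/apt/lists/*`, so it re-downloads the package lists and leaves them in the final image; fold it into the preceding RUN ahead of the `apt-get clean` step. A targeted upgrade of one library also pins the fix to whatever version the mirror serves at build time; rebuilding on a current base image, or upgrading all packages in the same RUN, gives the same result and is easier to reconcile with a scanner report. If a single-package upgrade is kept, `apt-get install -y -q --only-upgrade libgnutls30` is the form apt-get documents for that.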
Member commented:

Could you merge this with the previous command?
Also, what is this package for?

@sukalpomitra (Contributor, Author) commented Jun 13, 2024

Hi @jendib, libgnutls30 is a package in the GnuTLS library suite, specifically version 3. GnuTLS is a secure communications library implementing the SSL, TLS, and DTLS protocols. The primary purpose of libgnutls30 is to provide support for the cryptographic algorithms and protocols necessary to secure network communications.

I think this package is used by the OS internally in the version used, as it popped up in the security vulnerability.

Attachment: libgnutls.csv

@sukalpomitra (Contributor, Author) commented Jun 13, 2024

Also merged the command into the line above.

@sukalpomitra (Contributor, Author) commented:

Hi @jendib, this has been in this state for quite some time. Can you please do another review?

<com.google.guava.guava.version>31.1-jre</com.google.guava.guava.version>
<log4j.log4j.version>1.2.17</log4j.log4j.version>
<com.google.guava.guava.version>33.0.0-jre</com.google.guava.guava.version>
<log4j.log4j.version>2.22.1</log4j.log4j.version>
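Review bot: the `log4j.log4j.version` property jumps from 1.2.17 to 2.22.1, but the Maven coordinate this property names (`log4j:log4j`) is the Log4j 1.x artifact and has no 2.x release; Log4j 2 ships as `org.apache.logging.log4j:log4j-api` / `log4j-core` with a different package namespace (`org.apache.logging.log4j` instead of `org.apache.log4j`) and a different configuration format, so the version bump alone will not resolve from Maven Central and, if the coordinate is changed as well, requires source and configuration changes that are not in this diff. If the 1.x line is kept through the reload4j fork mentioned in the review, this property should stay at 1.2.17 and a Log4j 2 migration belongs in its own PR. The Guava bump to 33.0.0-jre is unproblematic on its own.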
Member commented:

Here the log4j version is upgraded to the major version 2, and reload4j is a log4j 1 fork, so there is a problem.

<org.slf4j.jul-to-slf4j.version>1.7.30</org.slf4j.jul-to-slf4j.version>
<junit.junit.version>4.13.2</junit.junit.version>
<com.h2database.h2.version>1.4.199</com.h2database.h2.version>
<com.h2database.h2.version>2.2.224</com.h2database.h2.version>
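Review bot: H2 2.x uses a different database file format from 1.4.x and does not open files written by 1.4.199, so the bump from 1.4.199 to 2.2.224 will make any existing deployment that keeps its data in an H2 file fail at startup unless the data is first exported with the old version (`SCRIPT TO`) and imported with the new one (`RUNSCRIPT FROM`). The diff carries no migration step or release note for this; either add an upgrade path (a documented export/import procedure, or a startup check that detects the old format and stops with a clear message) or keep the 1.4.x line and address the reported findings separately.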
Member commented:

This is going to break all existing instances using h2 database.

@sukalpomitra (Contributor, Author) commented Sep 8, 2024 (edited)

Hi @jendib, we have been working with this version of h2 in our forked teedy without any issues. However, let me know and I can revert both this and the log4j version change. But there will still be vulnerabilities for these older versions.


# Install packages
RUN apt-get update && \
RUN apt-get update && && apt-get upgrade libgnutls30 -y -q && \
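Review bot: the rewritten line `RUN apt-get update && && apt-get upgrade libgnutls30 -y -q && \` has a doubled `&&`, which is a shell syntax error, so the image build fails at this step; it should read `RUN apt-get update && apt-get upgrade libgnutls30 -y -q && \` (or `apt-get install -y -q --only-upgrade libgnutls30`). Because the line ends in a continuation and the rest of the package installation hangs off it, the error takes down the whole install step, not just the GnuTLS upgrade. A `docker build` of the branch would have surfaced this before review.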
@WilliamFromTW commented Jan 19, 2025 (edited)

1. Double "&&".
2. No log when running `docker logs -f teedy` after merging the changes.

Reviewers

@jendib: awaiting requested review
@WilliamFromTW: left review comments
