Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Security vulnerability fixes and multi arch support #763

Open
wants to merge 2 commits into
base: master
Choose a base branch
from
Open

Security vulnerability fixes and multi arch support #763

wants to merge 2 commits into from

Conversation

sukalpomitra
Copy link
Contributor

Hi @jendib this PR consists vulnerability fixes and multi arch support

@sukalpomitra sukalpomitra mentioned this pull request Jun 7, 2024
Open
jendib
jendib requested changes Jun 7, 2024
View reviewed changes
Dockerfile Outdated
@@ -48,6 +48,7 @@ RUN apt-get update && \
tesseract-ocr-sqi \
&& apt-get clean && \
rm -rf /var/lib/apt/lists/*
RUN apt-get update && apt-get upgrade libgnutls30 -y -q
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Could you merge this with the previous command?
Also, what is this package for?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

hi @jendib libgnutls30 is a package in the GnuTLS library suite, specifically version 3. GnuTLS is a secure communications library implementing the SSL, TLS, and DTLS protocols. The primary purpose of libgnutls30 is to provide support for cryptographic algorithms and protocols necessary to secure network communications.

I think this package is used by the OS internally in the version used as it popped in the security vulnerability.

libgnutls.csv

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

also merged the command to above line

docs-core/pom.xml Show resolved Hide resolved
pom.xml Show resolved Hide resolved
pom.xml Show resolved Hide resolved
pom.xml Show resolved Hide resolved
@sukalpomitra sukalpomitra requested a review from jendib August 7, 2024 14:12
@sukalpomitra
Copy link
Contributor Author

HI @jendib this has been in this state for quite some time. Can you please do another review?

jendib
jendib reviewed Sep 7, 2024
View reviewed changes
pom.xml
<com.google.guava.guava.version>31.1-jre</com.google.guava.guava.version>
<log4j.log4j.version>1.2.17</log4j.log4j.version>
<com.google.guava.guava.version>33.0.0-jre</com.google.guava.guava.version>
<log4j.log4j.version>2.22.1</log4j.log4j.version>
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Here the log4j version is upgraded to the major version 2, and reload4j is a log4j 1 fork, so there is a problem.

pom.xml
<org.slf4j.jcl-over-slf4j.version>1.7.30</org.slf4j.jcl-over-slf4j.version>
<org.slf4j.jul-to-slf4j.version>1.7.30</org.slf4j.jul-to-slf4j.version>
<junit.junit.version>4.13.2</junit.junit.version>
<com.h2database.h2.version>1.4.199</com.h2database.h2.version>
<com.h2database.h2.version>2.2.224</com.h2database.h2.version>
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is going to break all existing instances using h2 database.

Copy link
Contributor Author

@sukalpomitra sukalpomitra Sep 8, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hi @jendib we have been working with this version of h2 in our forked teedy without any issues. However let me know and I can revert both this and the log4j version change. But there will still be vulnerabilities for these older versions

@sukalpomitra sukalpomitra requested a review from jendib December 4, 2024 16:34
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jendib jendib Awaiting requested review from jendib

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@sukalpomitra @jendib