
@rayaisaiah rayaisaiah commented Jun 16, 2025

Reason for Change:
Bumps the NPM Ubuntu base image version from 20.04 to 24.04 as 20.04 is EOL and no longer supported (https://ubuntu.com/blog/ubuntu-20-04-lts-end-of-life-standard-support-is-coming-to-an-end-heres-how-to-prepare).

Manually updates the Ubuntu packages libsystemd0 and libudev1 to 255.4-1ubuntu8.8 or else CVE-2025-4598 is present in the image (Will revert later when base image updates packages to resolve the vulnerability):

acnpublic.azurecr.io/azure-npm:v1.6.26Test (ubuntu 24.04)
=========================================================
Total: 2 (UNKNOWN: 0, LOW: 0, MEDIUM: 2, HIGH: 0, CRITICAL: 0)

┌─────────────┬───────────────┬──────────┬────────┬───────────────────┬──────────────────┬──────────────────────────────────────────────────────┐
│   Library   │ Vulnerability │ Severity │ Status │ Installed Version │  Fixed Version   │                        Title                         │
├─────────────┼───────────────┼──────────┼────────┼───────────────────┼──────────────────┼──────────────────────────────────────────────────────┤
│ libsystemd0 │ CVE-2025-4598 │ MEDIUM   │ fixed  │ 255.4-1ubuntu8.6  │ 255.4-1ubuntu8.8 │ systemd-coredump: race condition that allows a local │
│             │               │          │        │                   │                  │ attacker to crash a SUID...                          │
│             │               │          │        │                   │                  │ https://avd.aquasec.com/nvd/cve-2025-4598            │
├─────────────┤               │          │        │                   │                  │                                                      │
│ libudev1    │               │          │        │                   │                  │                                                      │
│             │               │          │        │                   │                  │                                                      │
│             │               │          │        │                   │                  │                                                      │
└─────────────┴───────────────┴──────────┴────────┴───────────────────┴──────────────────┴──────────────────────────────────────────────────────┘

Trivy scan of NPM linux with changes to dockerfile (with manual package updates):

acnpublic.azurecr.io/azure-npm:v1.6.26Test2 (ubuntu 24.04)
==========================================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

Tests Ran:

Issue Fixed:


mcr.microsoft.com/containernetworking/azure-npm:v1.5.48 (ubuntu 20.04)
======================================================================
Total: 2 (UNKNOWN: 0, LOW: 0, MEDIUM: 2, HIGH: 0, CRITICAL: 0)

┌──────────┬───────────────┬──────────┬────────┬───────────────────┬──────────────────┬───────────────────────────────────────────────────────────┐
│ Library  │ Vulnerability │ Severity │ Status │ Installed Version │  Fixed Version   │                           Title                           │
├──────────┼───────────────┼──────────┼────────┼───────────────────┼──────────────────┼───────────────────────────────────────────────────────────┤
│ libc-bin │ CVE-2025-4802 │ MEDIUM   │ fixed  │ 2.31-0ubuntu9.17  │ 2.31-0ubuntu9.18 │ glibc: static setuid binary dlopen may incorrectly search │
│          │               │          │        │                   │                  │ LD_LIBRARY_PATH                                           │
│          │               │          │        │                   │                  │ https://avd.aquasec.com/nvd/cve-2025-4802                 │
├──────────┤               │          │        │                   │                  │                                                           │
│ libc6    │               │          │        │                   │                  │                                                           │
│          │               │          │        │                   │                  │                                                           │
│          │               │          │        │                   │                  │                                                           │
└──────────┴───────────────┴──────────┴────────┴───────────────────┴──────────────────┴───────────────────────────────────────────────────────────┘

usr/bin/azure-npm (gobinary)
============================
Total: 3 (UNKNOWN: 0, LOW: 0, MEDIUM: 2, HIGH: 1, CRITICAL: 0)

┌─────────┬────────────────┬──────────┬────────┬───────────────────┬─────────────────┬──────────────────────────────────────────────────────────────┐
│ Library │ Vulnerability  │ Severity │ Status │ Installed Version │  Fixed Version  │                            Title                             │
├─────────┼────────────────┼──────────┼────────┼───────────────────┼─────────────────┼──────────────────────────────────────────────────────────────┤
│ stdlib  │ CVE-2025-22874 │ HIGH     │ fixed  │ v1.23.9           │ 1.23.10, 1.24.4 │ crypto/x509: Usage of ExtKeyUsageAny disables policy         │
│         │                │          │        │                   │                 │ validation in crypto/x509                                    │
│         │                │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2025-22874                   │
│         ├────────────────┼──────────┤        │                   │                 ├──────────────────────────────────────────────────────────────┤
│         │ CVE-2025-0913  │ MEDIUM   │        │                   │                 │ Inconsistent handling of O_CREATE|O_EXCL on Unix and Windows │
│         │                │          │        │                   │                 │ in os in syscall...                                          │
│         │                │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2025-0913                    │
│         ├────────────────┤          │        │                   │                 ├──────────────────────────────────────────────────────────────┤
│         │ CVE-2025-4673  │          │        │                   │                 │ Proxy-Authorization and Proxy-Authenticate headers persisted │
│         │                │          │        │                   │                 │ on cross- ...                                                │
│         │                │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2025-4673                    │
└─────────┴────────────────┴──────────┴────────┴───────────────────┴─────────────────┴──────────────────────────────────────────────────────────────┘

Requirements:

Notes:
Releasing from release/v1.6 branch instead of release/v1.5 due to Ubuntu base image update as well as v1.5 will not be supported soon (due to k8s dependencies not matching with our offerings as it is tied to 1.27-1.29).
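One way to verify the package pinning described above, as an added example that is not code from this PR or from the azure-container-networking project: it checks each Trivy OS-package finding's FixedVersion against the version the Dockerfile pins, using Debian's dpkg version ordering (so 255.4-1ubuntu8.8 ranks above 255.4-1ubuntu8.6 and an 8.10 revision above 8.8, which a plain string comparison gets wrong). SAMPLE_REPORT is a constructed Trivy JSON fragment mirroring the table in the description (Results/Vulnerabilities field names as Trivy's JSON output uses them), and PINNED is the assumed pair of Dockerfile pins.

```python
import re
from itertools import zip_longest

def _order(ch: str) -> int:
    # dpkg character weight: '~' sorts before end-of-string, then letters, then other symbols.
    if ch == "~":
        return -1
    if ch == "":
        return 0
    return ord(ch) if ch.isalpha() else ord(ch) + 256

_TOK = re.compile(r"(\D*)(\d*)")  # alternating non-digit run, digit run
def _verrevcmp(a: str, b: str) -> int:
    # Port of dpkg's verrevcmp(): compare non-digit runs char by char, numeric runs by value.
    pairs = zip_longest(_TOK.findall(a), _TOK.findall(b), fillvalue=("", ""))
    for (sa, na), (sb, nb) in pairs:
        for ca, cb in zip_longest(sa, sb, fillvalue=""):
            if _order(ca) != _order(cb):
                return _order(ca) - _order(cb)
        if int(na or 0) != int(nb or 0):
            return int(na or 0) - int(nb or 0)
    return 0

_VER = re.compile(r"^(?:(\d+):)?(.*?)(?:-([^-]*))?$")  # [epoch:]upstream[-revision]
def dpkg_compare(v1: str, v2: str) -> int:
    """Negative if v1 < v2, zero if equal, positive if v1 > v2, per Debian policy ordering."""
    (e1, u1, r1), (e2, u2, r2) = (_VER.match(v).groups(default="") for v in (v1, v2))
    return (int(e1 or 0) - int(e2 or 0)) or _verrevcmp(u1, u2) or _verrevcmp(r1, r2)

def remaining_findings(report: dict, pinned: dict) -> list:
    """(package, CVE) pairs still open once each package is raised to its pinned version."""
    still_open = []
    for result in report.get("Results", []):
        for v in result.get("Vulnerabilities") or []:
            installed = pinned.get(v["PkgName"], v["InstalledVersion"])
            fixed = v.get("FixedVersion", "")  # empty when no fix is available yet
            if not fixed or dpkg_compare(installed, fixed) < 0:
                still_open.append((v["PkgName"], v["VulnerabilityID"]))
    return still_open

# Constructed sample mirroring the scan table in the PR description (Trivy JSON field names).
SAMPLE_REPORT = {"Results": [{"Target": "azure-npm:v1.6.26Test (ubuntu 24.04)", "Vulnerabilities": [
    {"VulnerabilityID": "CVE-2025-4598", "PkgName": "libsystemd0", "Severity": "MEDIUM",
     "InstalledVersion": "255.4-1ubuntu8.6", "FixedVersion": "255.4-1ubuntu8.8"},
    {"VulnerabilityID": "CVE-2025-4598", "PkgName": "libudev1", "Severity": "MEDIUM",
     "InstalledVersion": "255.4-1ubuntu8.6", "FixedVersion": "255.4-1ubuntu8.8"}]}]}
PINNED = {"libsystemd0": "255.4-1ubuntu8.8", "libudev1": "255.4-1ubuntu8.8"}  # assumed Dockerfile pins
```

Running `remaining_findings` over the real `trivy image --format json` output, with PINNED parsed from the Dockerfile, turns the manual "rescan and eyeball the table" step into a CI gate that fails when a pin falls behind the fixed version.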

Copilot AI review requested due to automatic review settings June 16, 2025 21:49
@rayaisaiah rayaisaiah requested a review from a team as a code owner June 16, 2025 21:49
@rayaisaiah rayaisaiah requested a review from vakalapa June 16, 2025 21:49

Copilot AI left a comment


Pull Request Overview

This PR updates the NPM Ubuntu base image from 20.04 to 24.04 to address Ubuntu's end-of-life for 20.04.

  • Updates the Ubuntu image version in the Dockerfile to 24.04.
  • Ensures continued compatibility with Ubuntu's package management.
Comments suppressed due to low confidence (1)

npm/linux.Dockerfile:9

  • After updating to Ubuntu 24.04, please verify that all package management commands (apt-get update, install, autoremove, clean) are fully compatible with the new image, as package names or behaviors could differ in the newer release.
FROM mcr.microsoft.com/mirror/docker/library/ubuntu:24.04 as linux

@rayaisaiah

/azp run Azure Container Networking PR

@rayaisaiah

/azp run NPM Conformance Tests

@azure-pipelines

Azure Pipelines successfully started running 1 pipeline(s).

@rayaisaiah

/azp run NPM Scale Test

@azure-pipelines

Azure Pipelines successfully started running 1 pipeline(s).

@azure-pipelines

Azure Pipelines successfully started running 1 pipeline(s).

@rayaisaiah rayaisaiah added npm Related to NPM. linux labels Jun 16, 2025
@rayaisaiah

/azp run Azure Container Networking PR

@azure-pipelines

Azure Pipelines successfully started running 1 pipeline(s).

@rayaisaiah rayaisaiah changed the title fix: [NPM] Update Ubuntu Image to 24.04 fix: [NPM] Update Ubuntu Base Image to 24.04 Jun 17, 2025
@rayaisaiah rayaisaiah changed the title fix: [NPM] Update Ubuntu Base Image to 24.04 fix: [NPM] [v1.6] Update Ubuntu Base Image to 24.04 Jun 17, 2025
@rayaisaiah rayaisaiah closed this Jun 17, 2025