Commit 767bb5c

fix: [torrust#1628] upgrade to Debian 13 (Trixie) to resolve security vulnerabilities
- Update base images from Debian 12 (bookworm) to Debian 13 (trixie)
- Update builder: rust:bookworm -> rust:trixie
- Update tester: rust:slim-bookworm -> rust:slim-trixie
- Update GCC: gcc:bookworm -> gcc:trixie
- Update runtime: gcr.io/distroless/cc-debian12:debug -> gcr.io/distroless/cc-debian13:debug

This resolves all 5 security vulnerabilities (1 CRITICAL, 4 HIGH):
- CVE-2019-1010022 (CRITICAL): glibc stack guard protection bypass
- CVE-2018-20796 (HIGH): glibc uncontrolled recursion
- CVE-2019-1010023 (HIGH): glibc ldd malicious ELF code execution
- CVE-2019-9192 (HIGH): glibc uncontrolled recursion
- CVE-2023-0286 (HIGH): OpenSSL X.400 address type confusion

Trivy scan results:
- Before: Total 5 (CRITICAL: 1, HIGH: 4)
- After: Total 0 (CRITICAL: 0, HIGH: 0)

Container tested and verified working with health checks passing.
1 parent 842d371 commit 767bb5c

1 file changed, +4 -4 lines changed

Containerfile

Lines changed: 4 additions & 4 deletions
@@ -3,13 +3,13 @@
33
# Torrust Tracker
44

55
## Builder Image
6-
FROM docker.io/library/rust:bookworm AS chef
6+
FROM docker.io/library/rust:trixie AS chef
77
WORKDIR /tmp
88
RUN curl -L --proto '=https' --tlsv1.2 -sSf https://raw.githubusercontent.com/cargo-bins/cargo-binstall/main/install-from-binstall-release.sh | bash
99
RUN cargo binstall --no-confirm cargo-chef cargo-nextest
1010

1111
## Tester Image
12-
FROM docker.io/library/rust:slim-bookworm AS tester
12+
FROM docker.io/library/rust:slim-trixie AS tester
1313
WORKDIR /tmp
1414

1515
RUN apt-get update; apt-get install -y curl sqlite3; apt-get autoclean
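Review bot: in the tester stage, the `RUN apt-get update; apt-get install -y curl sqlite3; apt-get autoclean` line chains its commands with `;`, so the layer's exit status is that of `apt-get autoclean` and a failed `update` or `install` on the new `rust:slim-trixie` base would not fail the build at this step. Since the base distribution is changing under this line, chain the commands with `&&` so a package that fails to resolve on trixie stops the build here rather than surfacing later when `sqlite3` is first invoked.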
@@ -21,7 +21,7 @@ RUN mkdir -p /app/share/torrust/default/database/; \
2121
sqlite3 /app/share/torrust/default/database/tracker.sqlite3.db "VACUUM;"
2222

2323
## Su Exe Compile
24-
FROM docker.io/library/gcc:bookworm AS gcc
24+
FROM docker.io/library/gcc:trixie AS gcc
2525
COPY ./contrib/dev-tools/su-exec/ /usr/local/src/su-exec/
2626
RUN cc -Wall -Werror -g /usr/local/src/su-exec/su-exec.c -o /usr/local/bin/su-exec; chmod +x /usr/local/bin/su-exec
2727

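Review bot: the `cc -Wall -Werror -g ... su-exec.c` line now compiles under whatever compiler `gcc:trixie` resolves to, and the tag names only the Debian release, not a GCC version. With `-Werror`, a later compiler release that introduces a new warning turns into a build failure unrelated to any source change. Consider a tag that also fixes the GCC version (or a digest), and note in the Containerfile that this stage's Debian release has to move together with the runtime image, since `su-exec` is built without `-static` and is copied into the runtime stage.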
@@ -91,7 +91,7 @@ RUN chown -R root:root /app; chmod -R u=rw,go=r,a+X /app; chmod -R a+x /app/bin
9191

9292

9393
## Runtime
94-
FROM gcr.io/distroless/cc-debian12:debug AS runtime
94+
FROM gcr.io/distroless/cc-debian13:debug AS runtime
9595
RUN ["/busybox/cp", "-sp", "/busybox/sh","/busybox/cat","/busybox/ls","/busybox/env", "/bin/"]
9696
COPY --from=gcc --chmod=0555 /usr/local/bin/su-exec /bin/su-exec
9797

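Review bot: the runtime `FROM gcr.io/distroless/cc-debian13:debug` line is still a floating tag, so the "After: Total 0" Trivy result in the commit message describes only the image that tag resolved to when the scan ran. Pin the runtime base by digest (`cc-debian13:debug@sha256:<digest>`) and bump it deliberately, so that a rebuild cannot pick up a different base unnoticed. It would also help to record how the scan was run (image reference and severity filter) next to the Containerfile or in CI, so the result can be reproduced on later changes.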