Skip to content

Commit 60ea97e

Browse files
lucacomelucacome
authored
Bump NGINX to 1.23.1 (#3048)
1 parent 3e522bd commit 60ea97e

File tree

1 file changed

+7
-15
lines changed

1 file changed

+7
-15
lines changed

build/Dockerfile

Lines changed: 7 additions & 15 deletions
Original file line numberDiff line numberDiff line change
@@ -6,18 +6,16 @@ ARG DEBIAN_VERSION=bullseye-slim
66

77

88
############################################# Base images containing libs for Opentracing #############################################
9-
FROM opentracing/nginx-opentracing:nginx-1.23.0 as opentracing-lib
10-
FROM opentracing/nginx-opentracing:nginx-1.23.0-alpine as alpine-opentracing-lib
9+
FROM opentracing/nginx-opentracing:nginx-1.23.1 as opentracing-lib
10+
FROM opentracing/nginx-opentracing:nginx-1.23.1-alpine as alpine-opentracing-lib
1111

1212

1313
############################################# Base image for Debian #############################################
14-
FROM nginx:1.23.0 AS debian
14+
FROM nginx:1.23.1 AS debian
1515

1616
RUN --mount=type=bind,from=opentracing-lib,target=/tmp/ot/ \
1717
apt-get update \
1818
&& apt-get install --no-install-recommends --no-install-suggests -y libcap2-bin \
19-
# temp fix for CVE-2022-2068, CVE-2021-4209, CVE-2022-34903, CVE-2022-27404
20-
&& apt-get install --no-install-recommends --no-install-suggests -y libssl1.1 openssl libgnutls30 gpgv libfreetype6 \
2119
&& rm -rf /var/lib/apt/lists/* \
2220
&& cp -av /tmp/ot/usr/local/lib/libopentracing.so* /tmp/ot/usr/local/lib/libjaegertracing*so* /tmp/ot/usr/local/lib/libzipkin*so* /tmp/ot/usr/local/lib/libdd*so* /tmp/ot/usr/local/lib/libyaml*so* /usr/local/lib/ \
2321
&& cp -av /tmp/ot/usr/lib/nginx/modules/ngx_http_opentracing_module.so /usr/lib/nginx/modules/ \
@@ -27,12 +25,12 @@ RUN --mount=type=bind,from=opentracing-lib,target=/tmp/ot/ \
2725

2826
############################################# Base image for Alpine #############################################
2927
# docker.io/library/nginx is a temporary workaround for Dependabot to see this as different from the one used in Debian
30-
FROM docker.io/library/nginx:1.23.0-alpine AS alpine
28+
FROM nginx:1.23.1-alpine AS alpine
3129

3230
RUN --mount=type=bind,from=alpine-opentracing-lib,target=/tmp/ot/ \
3331
apk add --no-cache libcap libstdc++ \
34-
# temp fix for CVE-2022-27405, CVE-2022-1586, CVE-2022-32205, CVE-2022-2097, CVE-2022-32205, CVE-2022-2097
35-
&& apk upgrade --no-cache freetype pcre2 curl libcrypto1.1 libcurl libssl1.1 \
32+
# temp fix for CVE-2022-3209 and CVE-2022-35252
33+
&& apk upgrade --no-cache libxml2 curl libcurl \
3634
&& cp -av /tmp/ot/usr/local/lib/libopentracing.so* /tmp/ot/usr/local/lib/libjaegertracing*so* /tmp/ot/usr/local/lib/libzipkin*so* /tmp/ot/usr/local/lib/libdd*so* /tmp/ot/usr/local/lib/libyaml*so* /usr/local/lib/ \
3735
&& cp -av /tmp/ot/usr/lib/nginx/modules/ngx_http_opentracing_module.so /usr/lib/nginx/modules/ \
3836
&& ldconfig /usr/local/lib/
@@ -45,9 +43,7 @@ ARG NGINX_PLUS_VERSION
4543
RUN --mount=type=secret,id=nginx-repo.crt,dst=/etc/apk/cert.pem,mode=0644 \
4644
--mount=type=secret,id=nginx-repo.key,dst=/etc/apk/cert.key,mode=0644 \
4745
--mount=type=bind,from=alpine-opentracing-lib,target=/tmp/ot/ \
48-
# temp fix for CVE-2022-2097
49-
apk upgrade --no-cache libcrypto1.1 libssl1.1 \
50-
&& wget -nv -O /etc/apk/keys/nginx_signing.rsa.pub https://cs.nginx.com/static/keys/nginx_signing.rsa.pub \
46+
wget -nv -O /etc/apk/keys/nginx_signing.rsa.pub https://cs.nginx.com/static/keys/nginx_signing.rsa.pub \
5147
&& printf "%s\n" "https://pkgs.nginx.com/plus/${NGINX_PLUS_VERSION}/alpine/v$(grep -E -o '^[0-9]+\.[0-9]+' /etc/alpine-release)/main" >> /etc/apk/repositories \
5248
&& apk add --no-cache libcap nginx-plus nginx-plus-module-njs nginx-plus-module-opentracing libcurl \
5349
&& cp -av /tmp/ot/usr/local/lib/libjaegertracing*so* /tmp/ot/usr/local/lib/libzipkin*so* /tmp/ot/usr/local/lib/libdd*so* /tmp/ot/usr/local/lib/libyaml*so* /usr/local/lib/ \
@@ -66,8 +62,6 @@ RUN --mount=type=secret,id=nginx-repo.crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode
6662
--mount=type=bind,from=opentracing-lib,target=/tmp/ot/ \
6763
apt-get update \
6864
&& apt-get install --no-install-recommends --no-install-suggests -y ca-certificates gnupg curl apt-transport-https libcap2-bin \
69-
# temp fix for CVE-2022-2068, CVE-2021-4209
70-
&& apt-get install --no-install-recommends --no-install-suggests -y libssl1.1 openssl libgnutls30 \
7165
&& curl -fsSL https://cs.nginx.com/static/keys/nginx_signing.key | gpg --dearmor > /etc/apt/trusted.gpg.d/nginx_signing.gpg \
7266
&& curl -fsSL -o /etc/apt/apt.conf.d/90pkgs-nginx https://cs.nginx.com/static/files/90pkgs-nginx \
7367
&& DEBIAN_VERSION=$(awk -F '=' '/^VERSION_CODENAME=/ {print $2}' /etc/os-release) \
@@ -129,8 +123,6 @@ LABEL name="NGINX Ingress Controller" \
129123
io.openshift.tags="nginx,ingress-controller,ingress,controller,kubernetes,openshift"
130124

131125
RUN dnf --nodocs install -y shadow-utils ca-certificates \
132-
# temp fix for CVE-2022-1271, CVE-2022-22576, CVE-2022-25313, CVE-2022-22576, CVE-2021-40528, CVE-2021-3634, CVE-2022-29824, CVE-2021-4189, CVE-2021-4189, CVE-2022-29824, CVE-2022-1621
133-
&& dnf --nodocs upgrade -y xz-libs curl expat libcurl libgcrypt libssh libssh-config libxml2 platform-python python3-libs python3-libxml2 vim-minimal \
134126
&& groupadd --system --gid 101 nginx \
135127
&& useradd --system --gid nginx --no-create-home --home-dir /nonexistent --comment "nginx user" --shell /bin/false --uid 101 nginx
136128

0 commit comments

Comments
 (0)