Matt,

Several potential solutions:


1) Regenerate the Docker image from sources:


git clone https://github.com/OSGeo/gdal

cd gdal

./docker/ubuntu-full/build.sh


2) Same as 1), but first edit ./docker/ubuntu-full/Dockerfile to remove all traces of java/jdk from it


3) Use the existing image, remove the openjdk package, and "flatten" the Docker layers with docker export / docker import (cf https://forums.docker.com/t/how-to-flatten-an-image-with-127-parents/1600/2), so that the layer where it was installed disappears


4) Wait a couple of hours while I'm regenerating it to be updated to 17.0.12+7-1ubuntu2~24.04


Even


On 09/09/2024 at 19:29, Matt Luck - NOAA Affiliate via gdal-dev wrote:
Hi, our IT department has detected a security vulnerability in the Java JDK version 17 that's installed in the ubuntu-full docker image (see message below). I am able to remove the Java files from the Docker image via the Dockerfile and I've tried changing the `JAVA_VERSION` in the Dockerfile, but there always seems to be a reference remaining in the Docker diff files that I can't seem to get rid of.

To reproduce:
A `docker system prune -a -f`, then `sudo find /var/lib/docker/overlay2 -type d -name java-17-openjdk-amd64` finds nothing, but then `docker pull ghcr.io/osgeo/gdal:ubuntu-full-3.9.1` followed by `sudo find /var/lib/docker/overlay2 -type d -name java-17-openjdk-amd64` finds:
/var/lib/docker/overlay2/1d5a9f2712fb9b28bfa857509a45fb334005cda0ea58fea8a259af8eb3fcb2db/diff/usr/lib/jvm/java-17-openjdk-amd64
/var/lib/docker/overlay2/1d5a9f2712fb9b28bfa857509a45fb334005cda0ea58fea8a259af8eb3fcb2db/diff/usr/lib/debug/usr/lib/jvm/java-17-openjdk-amd64
/var/lib/docker/overlay2/1d5a9f2712fb9b28bfa857509a45fb334005cda0ea58fea8a259af8eb3fcb2db/diff/usr/share/gdb/auto-load/usr/lib/jvm/java-17-openjdk-amd64

Because they're diff files, those files exist whether or not they're actually in the container and thus the vulnerability is always triggered. Is there a solution and/or a way to either upgrade the Java version or remove Java entirely if it's not needed so that we can deal with this issue in the future?

On Mon, Jul 8, 2024 at 10:21 AM X wrote:

    All,

    Please see the vulns below and remediate as soon as possible.
    These are in containers.

    Path              : /var/lib/docker/overlay2/48c2e3da9fc2282822d4522e28ca46788f5357a14a8a38f687e2cadbf9de68d7/diff/usr/lib/jvm/java-17-openjdk-amd64/
      Installed version : 17.0.8
      Fixed version     : Upgrade to a version greater than 17.0.10

    Path              : /var/lib/docker/overlay2/4aed72b0f0433c615afe67854c8c79bb7acca2fb01216bf6be25774180266f4d/diff/usr/lib/jvm/java-17-openjdk-amd64/
      Installed version : 17.0.8
      Fixed version     : Upgrade to a version greater than 17.0.10



_______________________________________________
gdal-dev mailing list
gdal-dev@lists.osgeo.org
https://lists.osgeo.org/mailman/listinfo/gdal-dev

--
http://www.spatialys.com
My software is free, but my time generally not.
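Option 3 from the reply above (purge OpenJDK, then flatten with docker export / docker import) and the overlay2 scan from the original report, written out as one script. This is an added example, not code from the thread or from the GDAL project. The tag gdal-nojdk:3.9.1 and the RUN_FLATTEN switch are hypothetical names chosen here; the script only calls docker when RUN_FLATTEN=1, and the scan functions work on any directory tree.

```shell
#!/bin/sh
# Added example, not code from the gdal-dev thread or from the GDAL project.
# Option 3 from the reply: remove OpenJDK in a container started from the
# published image, then flatten with `docker export | docker import` so the
# layer that carried /usr/lib/jvm/java-17-openjdk-amd64 no longer exists on
# disk. The overlay2 scan from the report is kept as a function so the result
# can be checked the same way the scanner found the problem.
#
# Hypothetical names (not from the thread): the tag gdal-nojdk:3.9.1 and the
# RUN_FLATTEN switch. Nothing touches docker unless RUN_FLATTEN=1.
set -eu

SRC_IMAGE="${SRC_IMAGE:-ghcr.io/osgeo/gdal:ubuntu-full-3.9.1}"
DST_IMAGE="${DST_IMAGE:-gdal-nojdk:3.9.1}"
JDK_DIR_NAME="java-17-openjdk-amd64"

# jdk_dirs_under ROOT: every directory named $JDK_DIR_NAME below ROOT, one per
# line, sorted. Prints nothing when ROOT is clean or does not exist. Run it on
# /var/lib/docker/overlay2 as root to reproduce the scanner's finding.
jdk_dirs_under() {
    find "$1" -type d -name "$JDK_DIR_NAME" 2>/dev/null | sort
}

# count_jdk_dirs ROOT: how many such directories exist (0 means clean).
count_jdk_dirs() {
    jdk_dirs_under "$1" | wc -l | tr -d ' '
}

# flatten_without_jdk: purge the openjdk packages in a throwaway container,
# export its root filesystem and import it as a single-layer image.
flatten_without_jdk() {
    name="gdal-nojdk-build-$$"
    docker run --name "$name" --user root "$SRC_IMAGE" sh -c '
        apt-get purge -y --auto-remove "openjdk-.*" &&
        rm -rf /var/lib/apt/lists/* /usr/lib/jvm \
               /usr/lib/debug/usr/lib/jvm /usr/share/gdb/auto-load/usr/lib/jvm'

    # docker import starts from an empty image config, so every ENV of the
    # source image would be lost; copy each one over with its own -c flag
    # (assumes values without spaces, which Dockerfile ENV would misparse).
    set --
    while IFS= read -r env_entry; do
        if [ -n "$env_entry" ]; then
            set -- "$@" -c "ENV $env_entry"
        fi
    done <<EOF
$(docker inspect -f '{{range .Config.Env}}{{println .}}{{end}}' "$SRC_IMAGE")
EOF
    docker export "$name" | docker import "$@" -c 'CMD ["/bin/bash"]' - "$DST_IMAGE"
    docker rm "$name" >/dev/null
}

# verify_flattened: the new image must be one layer and must not contain the
# JDK directory; fails with a message otherwise.
verify_flattened() {
    layers=$(docker inspect -f '{{len .RootFS.Layers}}' "$DST_IMAGE")
    [ "$layers" -eq 1 ] || { echo "expected 1 layer, got $layers" >&2; return 1; }
    docker run --rm "$DST_IMAGE" sh -c "test ! -e /usr/lib/jvm/$JDK_DIR_NAME"
}

if [ "${RUN_FLATTEN:-0}" = 1 ] && command -v docker >/dev/null 2>&1; then
    flatten_without_jdk
    verify_flattened
    # The scanner reads every layer on the host, so the pulled image must go
    # too, or its diff directory stays under overlay2 and keeps being flagged.
    docker image rm "$SRC_IMAGE"
    echo "JDK directories left under overlay2: $(count_jdk_dirs /var/lib/docker/overlay2)"
fi
```

Run it as root with RUN_FLATTEN=1 on the host that gets scanned. Two caveats before relying on it: docker import keeps only what the -c flags set (ENTRYPOINT, WORKDIR, USER and labels of the source image are gone, and the script copies only ENV and a CMD), and anything in the image that needed the JDK, such as the GDAL Java bindings, stops working. Option 4, pulling the regenerated image with the patched JDK, leaves the image intact and is the simpler fix when waiting is acceptable.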