Fix library CVEs in sdc-workflow-designer 61/44961/3
authorGary Wu <gary.i.wu@huawei.com>
Thu, 26 Apr 2018 18:17:08 +0000 (11:17 -0700)
committerGary Wu <gary.i.wu@huawei.com>
Thu, 17 May 2018 03:20:48 +0000 (20:20 -0700)
Address additional CVEs in system libraries.

Remove explicit version numbers because those versions
could get removed from the ubuntu repos, which will
cause build failures.  Instead, upgrade to the latest
available versions.

Change-Id: I02c28bfa64f12ca55ec6e731cf1056b4aa934765
Issue-ID: SDC-1201
Signed-off-by: Gary Wu <gary.i.wu@huawei.com>
distribution/src/main/docker/Dockerfile

index ebae7b1..bd28c61 100644 (file)
@@ -12,15 +12,14 @@ RUN apt-get install -y openjdk-8-jdk
 RUN apt-get -y upgrade
 
 
-# Install specific system libraries to fix CVE vulnerabilities
-RUN echo "deb http://archive.ubuntu.com/ubuntu/ artful main restricted" >> /etc/apt/sources.list && \
-    echo "deb http://security.ubuntu.com/ubuntu/ artful-security main restricted" >> /etc/apt/sources.list && \
-    echo "deb http://archive.ubuntu.com/ubuntu/ bionic main restricted" >> /etc/apt/sources.list && \
+# Upgrade specific system libraries to fix CVE vulnerabilities
+RUN echo "deb http://archive.ubuntu.com/ubuntu/ bionic main restricted" >> /etc/apt/sources.list && \
+    echo "deb http://security.ubuntu.com/ubuntu/ bionic-security main restricted" >> /etc/apt/sources.list && \
     apt-get -y update
 
 # krb5 1.16-2build1
 #   For CVE-2017-15088 CVE-2017-11462
-# libvorbis 1.3.5-4ubuntu0.2
+# libvorbis 1.3.5-4.2
 #   For CVE-2017-14632 CVE-2017-14160
 # libx11 2:1.6.4-3
 #    For CVE-2016-7943 CVE-2016-7942
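Review bot: The two `echo … >> /etc/apt/sources.list` lines append bionic pockets to whatever release the base image already ships, and the `FROM` line is outside this hunk, so I cannot confirm the base is bionic. If it is not, the later `--only-upgrade install` pulls libc6, libgcrypt20, libssl and friends from a newer release into an older one; apt does not prevent this, and the result is a mixed-release image whose remaining packages can no longer be upgraded cleanly, which undermines the CVE remediation this commit is about. If the base already is bionic, these two lines are redundant with the image's own sources list and can simply be dropped; if it is not, moving the base to bionic (`FROM ubuntu:18.04`) is the safer fix than overlaying its repositories. Either way, a one-line comment above the `RUN` stating the assumed base release, e.g. `# Assumes the base image is Ubuntu 18.04 (bionic); do not mix pockets from other releases`, would make the intent auditable.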
@@ -30,30 +29,55 @@ RUN echo "deb http://archive.ubuntu.com/ubuntu/ artful main restricted" >> /etc/
 #    For CVE-2017-10685 CVE-2017-10684
 # libsqllite3-0 3.22.0-1
 #   For CVE-2017-10989
-# libtiff5 4.0.8-5ubuntu0.1
+# libtiff5 4.0.9-5
 #   For CVE-2017-9117 CVE-2016-9540 CVE-2016-9539 CVE-2016-9538 CVE-2016-9537 CVE-2016-9536 CVE-2016-9535 CVE-2016-9534 CVE-2016-9533 CVE-2015-8668 CVE-2015-7554 CVE-2016-6223 CVE-2017-5563 CVE-2016-3621 CVE-2016-8331
 # shadow 1:4.5-1ubuntu1
 #   For CVE-2017-12424
-# perl-base 5.26.0-8ubuntu1.1
+# perl-base 5.26.1-6
 #   For CVE-2015-8608 CVE-2017-12883
-# openssl 1.1.0g-2ubuntu3
+# openssl 1.1.0g-2ubuntu4
 #   For CVE-2016-6303 CVE-2016-2182 CVE-2016-2177 CVE-2016-2176
 # zlib1g 1:1.2.11.dfsg-0ubuntu2
 #   For CVE-2016-9843 CVE-2016-9841 CVE-2016-9842 CVE-2016-9840
+# libdb5.3
+#   CVE-2016-3418 CVE-2016-0694 CVE-2016-0692 CVE-2016-0689 CVE-2016-0682
+# libcairo2
+#   CVE-2017-9814
+# libc-bin libc6 multiarch-support
+#   CVE-2018-6485
+# libgtk2.0-0 libgtk2.0-bin libgtk2.0-common
+#   CVE-2014-1949
+# libgcrypt20
+#   CVE-2017-0379
+# libxi6
+#   CVE-2016-7946 CVE-2016-7945
+# libxml2
+#   CVE-2016-9318
+# libpcre3
+#   CVE-2017-6004
 
-RUN apt-get -y install \
-    libkrb5-3=1.16-2build1 krb5-locales=1.16-2build1 \
-    libvorbis0a=1.3.5-4ubuntu0.2 \
-    libx11-6=2:1.6.4-3 libx11-data=2:1.6.4-3 libx11-doc=2:1.6.4-3 libx11-xcb1=2:1.6.4-3 \
-    libxtst6=2:1.2.3-1 \
-    ncurses-base=6.1-1ubuntu1 ncurses-bin=6.1-1ubuntu1 libncurses5=6.1-1ubuntu1 libncursesw5=6.1-1ubuntu1 \
-    libsqlite3-0=3.22.0-1 \
-    libtiff5=4.0.8-5ubuntu0.1 \
-    passwd=1:4.5-1ubuntu1 \
-    perl-base=5.26.0-8ubuntu1.1 \
-    openssl=1.1.0g-2ubuntu3 \
-    zlib1g=1:1.2.11.dfsg-0ubuntu2
-
+RUN apt-get -y --only-upgrade install \
+    libkrb5-3 krb5-locales \
+    libvorbis0a \
+    libx11-6 libx11-data libx11-doc libx11-xcb1 \
+    libxtst6 \
+    ncurses-base ncurses-bin libncurses5 libncursesw5 \
+    libsqlite3-0 \
+    libtiff5 \
+    passwd \
+    perl-base \
+    libssl1.0.0 \
+    openssl \
+    zlib1g \
+    libdb5.3 \
+    libcairo2 \
+    libc-bin libc6 multiarch-support \
+    libgtk2.0-0 libgtk2.0-bin libgtk2.0-common \
+    libgcrypt20 \
+    libxi6 \
+    libxml2 \
+    libpcre3 && \
+    apt-get -y autoremove
 
 #configure the JDK
 RUN sed -i 's|#networkaddress.cache.ttl=-1|networkaddress.cache.ttl=10|' /usr/lib/jvm/java-8-openjdk-amd64/jre/lib/security/java.security
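Review bot: `apt-get -y --only-upgrade install` runs in a different layer from the `apt-get -y update` in the earlier `RUN`, so Docker's layer cache can replay a stale package index against a fresh install step; the upgrade then either installs older-than-current packages (so the CVE list above is not actually satisfied) or 404s on a version that has since been removed from the mirror, which is exactly the build failure the commit message sets out to avoid. Fold the update into this step and clean the lists in the same layer: `RUN apt-get -y update && apt-get -y --only-upgrade install \` … `libpcre3 && apt-get -y autoremove && rm -rf /var/lib/apt/lists/*`. Separately, the comment block still quotes exact versions (`krb5 1.16-2build1`, `openssl 1.1.0g-2ubuntu4`, …) that the install line no longer pins, so they will drift from what the image contains; I would reword the header to `# Minimum versions known to contain the CVE fixes; the build installs whatever is current in bionic-security` so readers do not mistake them for the installed versions. Since the build is now intentionally non-reproducible, an image CVE scan in CI is the only way to confirm the listed CVEs are actually closed at build time.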