Fix library CVEs in SO

Fix additional CVEs:

Also refactored to use ubuntu apt repos instead of
manually installing from launchpad.

Issue-ID: SO-579

Change-Id: I58e29a7e0188452789741087bc9c4af82f102b09
Signed-off-by: chenying83 <chenying83@huawei.com>

diff --git a/packages/docker/src/main/docker/docker-files/Dockerfile.mso-chef-final b/packages/docker/src/main/docker/docker-files/Dockerfile.mso-chef-final
index 4b7bbaf..771949f 100644 (file)
--- a/packages/docker/src/main/docker/docker-files/Dockerfile.mso-chef-final
+++ b/packages/docker/src/main/docker/docker-files/Dockerfile.mso-chef-final
@@ -15,13 +15,67 @@ ENV https_proxy=$HTTPS_PROXY
 ENV CHEF_REPO_NAME="chef-repo"
 ENV CHEF_CONFIG_NAME="mso-config"
 
-### Downloading dependencies
+USER root
 
+### Downloading dependencies
+# Install specific system libraries to fix CVE vulnerabilities
+RUN echo "deb http://archive.ubuntu.com/ubuntu/ artful main restricted" >> /etc/apt/sources.list && \
+    echo "deb http://security.ubuntu.com/ubuntu/ artful-security main restricted" >> /etc/apt/sources.list && \
+    echo "deb http://archive.ubuntu.com/ubuntu/ bionic main restricted" >> /etc/apt/sources.list && \
+    apt-get -y update
+
+# krb5 1.16-2build1
+#   For CVE-2017-15088 CVE-2017-11462
+# libvorbis 1.3.5-4ubuntu0.2
+#   For CVE-2017-14632 CVE-2017-14160
+# libx11 2:1.6.4-3
+#    For CVE-2016-7943 CVE-2016-7942
+# libxtst 1.2.3-1
+#    For CVE-2016-7951
+# ncurses 6.1-1ubuntu1
+#    For CVE-2017-10685 CVE-2017-10684
+# libsqllite3-0 3.22.0-1
+#   For CVE-2017-10989
+# libtiff5 4.0.8-5ubuntu0.1
+#   For CVE-2017-9117 CVE-2016-9540 CVE-2016-9539 CVE-2016-9538 CVE-2016-9537 CVE-2016-9536 CVE-2016-9535 CVE-2016-9534 CVE-2016-9533 CVE-2015-8668 CVE-2015-7554 CVE-2016-6223 CVE-2017-5563 CVE-2016-3621 CVE-2016-8331
+# shadow 1:4.5-1ubuntu1
+#   For CVE-2017-12424
+# perl-base 5.26.0-8ubuntu1.1
+#   For CVE-2015-8608 CVE-2017-12883
+# openssl 1.1.0g-2ubuntu3
+#   For CVE-2016-6303 CVE-2016-2182 CVE-2016-2177 CVE-2016-2176
+# zlib1g 1:1.2.11.dfsg-0ubuntu2
+#   For CVE-2016-9843 CVE-2016-9841 CVE-2016-9842 CVE-2016-9840
+# libexpat1 2.2.5-3
+#   For CVE-2016-0718 CVE-2016-4472
+# libc-bin libc6 2.26-0ubuntu2.1
+#   For CVE-2018-6485
+# openssl 1.1.0g-2ubuntu3
+#   For CVE-2016-6303 CVE-2016-2182 CVE-2016-2177
+# libpcre3 2:8.39-5ubuntu3
+#   For CVE-2016-3191 CVE-2016-1283
 USER root
-RUN apt-get install -y netcat curl && curl -LO  https://packages.chef.io/stable/ubuntu/12.04/chefdk_0.17.17-1_amd64.deb && curl -LO http://central.maven.org/maven2/org/mariadb/jdbc/mariadb-java-client/1.5.4/mariadb-java-client-1.5.4.jar && apt-get remove --purge -y curl && apt-get autoremove -y
+RUN apt-get -y install \
+    libkrb5-3=1.16-2build1 krb5-locales=1.16-2build1 \
+    libvorbis0a=1.3.5-4ubuntu0.2 \
+    libx11-6=2:1.6.4-3 libx11-data=2:1.6.4-3 libx11-doc=2:1.6.4-3 libx11-xcb1=2:1.6.4-3 \
+    libxtst6=2:1.2.3-1 \
+    ncurses-base=6.1-1ubuntu1 ncurses-bin=6.1-1ubuntu1 libncurses5=6.1-1ubuntu1 libncursesw5=6.1-1ubuntu1 \
+    libsqlite3-0=3.22.0-1 \
+    libtiff5=4.0.8-5ubuntu0.1 \
+    passwd=1:4.5-1ubuntu1 \
+    perl-base=5.26.0-8ubuntu1.1 \
+    zlib1g=1:1.2.11.dfsg-0ubuntu2 \
+    libexpat1=2.2.5-3 \
+    libc-bin=2.26-0ubuntu2.1 libc6=2.26-0ubuntu2.1 \
+    openssl=1.1.0g-2ubuntu3 \
+    libpcre3=2:8.39-5ubuntu3
+
+RUN apt-get install -y netcat curl && curl -LO  https://packages.chef.io/files/stable/chefdk/2.5.3/ubuntu/16.04/chefdk_2.5.3-1_amd64.deb && curl -LO http://central.maven.org/maven2/org/mariadb/jdbc/mariadb-java-client/1.5.4/mariadb-java-client-1.5.4.jar && apt-get remove --purge -y curl && apt-get autoremove -y
 
 ### Install Chef
-RUN dpkg -i chefdk_0.17.17-1_amd64.deb 
+#RUN dpkg -i chefdk_0.17.17-1_amd64.deb
+RUN dpkg -i chefdk_2.5.3-1_amd64.deb
 
 COPY scripts/start-jboss-server.sh /opt/mso/scripts/start-jboss-server.sh
 
@@ -97,4 +151,3 @@ VOLUME /shared
 ### Start EAP
 USER root
 CMD ["/opt/mso/scripts/start-jboss-server.sh"]
-