Address vulnerability reports against runner-helper alpine images
Address vulnerability reports against applications only in runner-helper alpine images. Vulnerability reports against runner-helper go modules will be addressed elsewhere.
See the issue for a full list of the vulnerabilities reported, but in summary they are against the following applications:
- busybox
- git
- libssl
- libcurl
- git-lfs
This included a number of critical and high reports.
This MR addressed the vulnerabilities by installing the latest (or at least very new) versions of the relevant applications/libraries, using two approaches.
- for all of the above applications/libs excluding git-lfs, we use an alternate package repository as suggested here. This repo includes newer versions of git, libcurl, libssl, busybox, and their dependencies.
- for git-lfs, we install version 3.3.0 (the latest as of today) from the official pre-compiled binary distribution.
closes #29642 (closed)
Edited by Romuald Atchadé
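A binary installed from a pre-compiled tarball, as described above for git-lfs, is not covered by the package manager's signature checks, so the image build should pin and verify the archive's digest before installing it. The following is an added example, not code from this MR or from the GitLab Runner project; the function names, the archive layout and the fixture are assumptions, and the expected digest is supplied by the caller.

```shell
#!/bin/sh
# install_verified TARBALL EXPECTED_SHA256 DEST_DIR
# Installs DEST_DIR/git-lfs only if the tarball's SHA-256 matches.
# Return codes: 0 ok, 1 digest mismatch, 2 I/O error, 3 no binary, 4 install failed.
install_verified() {
    tarball=$1 expected=$2 dest=$3
    actual=$(sha256sum "$tarball" | cut -d' ' -f1) || return 2
    if [ "$actual" != "$expected" ]; then
        echo "checksum mismatch for $tarball" >&2
        return 1            # nothing is extracted from an unverified archive
    fi
    work=$(mktemp -d) || return 2
    tar -xzf "$tarball" -C "$work" || { rm -rf "$work"; return 2; }
    # Assumption: the archive contains one regular file named git-lfs.
    bin=$(find "$work" -type f -name git-lfs | head -n 1)
    if [ -z "$bin" ]; then
        rm -rf "$work"
        return 3
    fi
    rc=0
    { mkdir -p "$dest" && install -m 0755 "$bin" "$dest/git-lfs"; } || rc=4
    rm -rf "$work"
    return $rc
}

# Constructed fixture so the example runs offline: a stand-in tarball whose
# "git-lfs" is a stub script, not the real binary.
make_fixture() {
    dir=$1
    mkdir -p "$dir/git-lfs-3.3.0"
    printf '#!/bin/sh\necho "git-lfs/3.3.0 (constructed stub)"\n' \
        > "$dir/git-lfs-3.3.0/git-lfs"
    tar -czf "$dir/git-lfs.tar.gz" -C "$dir" git-lfs-3.3.0
}

# In an image build the call would look like this, with the digest taken from
# the release's published checksums (placeholder shown, not a real value):
#   install_verified git-lfs.tar.gz "<EXPECTED_SHA256>" /usr/local/bin
```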