
Update `ubi8-minimal` image to version `8.8-860`

Axel von Bertoldi requested to merge avonbertoldi/31044/libcurl-vulnerability into main

What does this MR do?

This MR updates the version of the ubi8-minimal image to 8.8-860 (the latest version as of June 22, 2023).

This MR ALSO bumps the version of git installed in ubi-fips-base to 2.41.0 (the latest as of June 28, 2023), which addresses CVE-2023-22490 and CVE-2023-23946.

Why was this MR needed?

CVE-2023-27535 describes a vulnerability in libcurl version <= 8.0.0. https://gitlab.com/gitlab-org/gitlab-runner/-/issues/31044 further points out that a number of our images include curl/libcurl version < 8.0.0, and are therefore vulnerable to the exploit mentioned in CVE-2023-27535:

  • registry.gitlab.com/gitlab-org/gitlab-runner/gitlab-runner-helper:ubi-fips-x86_64-v15.11.0
  • registry.gitlab.com/gitlab-org/gitlab-runner:ubi-fips-v15.11.0
  • registry.gitlab.com/gitlab-org/gitlab-runner/go-fips:1.19

All three of these images are based on:

  • registry.gitlab.com/gitlab-org/gitlab-runner/ubi-fips-base:$UBI_FIPS_VERSION

which is in turn based on:

  • redhat/ubi8-minimal:UBI_FIPS_VERSION

Our current UBI_FIPS_VERSION is 8.7-1107.

According to https://access.redhat.com/errata/RHSA-2023:3106 the fix for this vulnerability is available in RHEL8 as curl/libcurl version 7.61.1-30, which is available in the latest ubi8-minimal image 8.8-860.

So, upgrading the ubi8-minimal image version will pull in a version of curl/libcurl with the fix to the above vulnerability, and thus fix https://gitlab.com/gitlab-org/gitlab-runner/-/issues/31044+

What's the best way to test this MR?

To confirm the correct curl/libcurl version is included in redhat/ubi8-minimal:8.8-860:

> docker run -it --rm redhat/ubi8-minimal:8.8-860 bash
> rpm -qa curl
curl-7.61.1-30.el8_8.2.x86_64

One can also trigger a container scan on any of the gitlab-runner-helper:ubi-fips-x86_64-v15.11.0, gitlab-runner:ubi-fips-v15.11.0, or go-fips:1.19 images built from this MR, and observe that CVE-2023-27535 is not reported against the image.

The CI job log that builds the ubi base image will also show the installed version of curl/libcurl (e.g. https://gitlab.com/gitlab-org/gitlab-runner/-/jobs/4542888907).
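The manual `rpm -qa curl` check above, turned into a script as an added example (not part of this MR): it parses the rpm output and compares the installed version-release against the 7.61.1-30 fix named in RHSA-2023:3106. It assumes sed with `-E`, and the `check_image` wrapper assumes a local docker; the sample rpm lines are constructed, and the `-25.el8_7.3` one is hypothetical.

```shell
# Fixed curl version-release for RHEL 8 per RHSA-2023:3106 (from the MR text).
CURL_FIXED_VR="7.61.1-30"

# Strip the package name, dist tag and arch from an `rpm -qa curl` line,
# e.g. "curl-7.61.1-30.el8_8.2.x86_64" -> "7.61.1-30".
curl_vr_from_rpm() {
  printf '%s\n' "$1" | sed -E 's/^curl-//; s/\.el[0-9].*$//'
}

# Return 0 when version-release A is >= B. Segments are split on '.' and '-'
# and compared numerically (like rpm's vercmp for purely numeric segments;
# alphabetic segments are out of scope for this example).
vr_ge() {
  a=$(printf '%s' "$1" | tr '-' '.')
  b=$(printf '%s' "$2" | tr '-' '.')
  while [ -n "$a" ] || [ -n "$b" ]; do
    fa=${a%%.*}; fb=${b%%.*}
    if [ "$a" = "$fa" ]; then a=; else a=${a#*.}; fi
    if [ "$b" = "$fb" ]; then b=; else b=${b#*.}; fi
    [ "${fa:-0}" -gt "${fb:-0}" ] && return 0
    [ "${fa:-0}" -lt "${fb:-0}" ] && return 1
  done
  return 0   # all segments equal
}

# Query a real image (needs docker; not run in the demo below).
check_image() {
  vr=$(curl_vr_from_rpm "$(docker run --rm "$1" rpm -qa curl)")
  if vr_ge "$vr" "$CURL_FIXED_VR"; then
    echo "$1: curl $vr >= $CURL_FIXED_VR (fixed per RHSA-2023:3106)"
  else
    echo "$1: curl $vr < $CURL_FIXED_VR (still affected by CVE-2023-27535)"
    return 1
  fi
}

# Constructed sample output: the line observed in the MR, and a hypothetical older build.
for line in 'curl-7.61.1-30.el8_8.2.x86_64' 'curl-7.61.1-25.el8_7.3.x86_64'; do
  vr=$(curl_vr_from_rpm "$line")
  if vr_ge "$vr" "$CURL_FIXED_VR"; then echo "$line: fixed"; else echo "$line: affected"; fi
done
```

Run `check_image redhat/ubi8-minimal:8.8-860` against a local docker to reproduce the MR's manual verification.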

What are the relevant issue numbers?

Edited by Darren Eastman
