Update `ubi8-minimal` image to version `8.8-860`
What does this MR do?
This MR updates the version of the ubi8-minimal image to 8.8-860 (the latest version as of June 22, 2023).
This MR also bumps the version of git installed in ubi-fips-base to 2.41.0 (the latest as of June 28, 2023), which addresses CVE-2023-22490 and CVE-2023-23946.
Why was this MR needed?
CVE-2023-27535 describes a vulnerability in libcurl version <= 8.0.0. https://gitlab.com/gitlab-org/gitlab-runner/-/issues/31044 further points out that a number of our images include curl/libcurl version < 8.0.0, and are therefore vulnerable to the exploit mentioned in CVE-2023-27535:
- registry.gitlab.com/gitlab-org/gitlab-runner/gitlab-runner-helper:ubi-fips-x86_64-v15.11.0
- registry.gitlab.com/gitlab-org/gitlab-runner:ubi-fips-v15.11.0
- registry.gitlab.com/gitlab-org/gitlab-runner/go-fips:1.19
All three of these images are based on:
- registry.gitlab.com/gitlab-org/gitlab-runner/ubi-fips-base:$UBI_FIPS_VERSION
which is in turn based on redhat/ubi8-minimal:$UBI_FIPS_VERSION.
Our current UBI_FIPS_VERSION is 8.7-1107.
According to https://access.redhat.com/errata/RHSA-2023:3106 the fix for this vulnerability is available in RHEL8 as curl/libcurl version 7.61.1-30, which is available in the latest ubi8-minimal image 8.8-860.
So, upgrading the ubi8-minimal image version will pull in a version of curl/libcurl with the fix to the above vulnerability, and thus fix https://gitlab.com/gitlab-org/gitlab-runner/-/issues/31044
What's the best way to test this MR?
To confirm the correct curl/libcurl version is included in redhat/ubi8-minimal:8.8-860:
> docker run -it --rm redhat/ubi8-minimal:8.8-860 bash
> rpm -qa curl
curl-7.61.1-30.el8_8.2.x86_64
One can also trigger a container scan on any of the gitlab-runner-helper:ubi-fips-x86_64-v15.11.0, gitlab-runner:ubi-fips-v15.11.0 or go-fips:1.19 images built from this MR, and observe that CVE-2023-27535 is not reported against the image.
The CI job log that builds the ubi base image will also show the installed version of curl/libcurl (e.g. https://gitlab.com/gitlab-org/gitlab-runner/-/jobs/4542888907).
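To make the manual `rpm -qa curl` check above repeatable in CI, here is an added shell example (not part of this MR or the gitlab-runner project) that parses the NVR printed by `rpm -q curl` and fails when it is below the 7.61.1-30 build named in RHSA-2023:3106. The `check_image` helper and the sample NVRs in the comments are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the MR: gate on the curl build installed in an image
# so a CI job fails if curl is older than the fixed build from RHSA-2023:3106.
# Input is the NVR that `rpm -q curl` prints, e.g. curl-7.61.1-30.el8_8.2.x86_64

# Fixed curl/libcurl version-release for RHEL 8 per RHSA-2023:3106.
CURL_FIXED_VR="7.61.1-30"

# Reduce an rpm NVR to "version-release", keeping only the numeric part of
# the release (30 from 30.el8_8.2) and dropping the architecture suffix.
# Assumes the package name is "curl".
curl_vr_from_nvr() {
    nvr=${1#curl-}        # 7.61.1-30.el8_8.2.x86_64
    ver=${nvr%%-*}        # 7.61.1
    rel=${nvr#*-}         # 30.el8_8.2.x86_64
    rel=${rel%%.*}        # 30
    printf '%s-%s\n' "$ver" "$rel"
}

# vr_ge A B: exit 0 when version-release A >= B, comparing each dot/dash
# separated field numerically; a missing trailing field counts as 0.
vr_ge() {
    want=$(printf '%s' "$2" | tr '.-' '  ')
    set -- $(printf '%s' "$1" | tr '.-' '  ')
    for w in $want; do
        have=${1:-0}
        [ $# -gt 0 ] && shift
        [ "$have" -gt "$w" ] && return 0
        [ "$have" -lt "$w" ] && return 1
    done
    return 0
}

# curl_fixed NVR: exit 0 when the installed curl is at or above the fix.
# e.g. curl-7.61.1-30.el8_8.2.x86_64 -> 0, curl-7.61.1-25.el8_7.3 (constructed) -> 1
curl_fixed() {
    vr_ge "$(curl_vr_from_nvr "$1")" "$CURL_FIXED_VR"
}

# check_image IMAGE: query a built image (needs docker). Hypothetical helper;
# call it as: check_image registry.gitlab.com/gitlab-org/gitlab-runner/ubi-fips-base:8.8-860
check_image() {
    nvr=$(docker run --rm "$1" rpm -q curl) || return 2
    if curl_fixed "$nvr"; then
        echo "OK: $1 has $nvr (>= curl-$CURL_FIXED_VR)"
    else
        echo "FAIL: $1 has $nvr (< curl-$CURL_FIXED_VR)" >&2
        return 1
    fi
}
```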