diff --git a/admin/Dockerfile b/admin/Dockerfile
index 096f0fae17..6679fed5bf 100644
--- a/admin/Dockerfile
+++ b/admin/Dockerfile
@@ -1,5 +1,5 @@
-# debian:stretch Thu Jan 25 08:58:24 CET 2018
-FROM debian@sha256:0a5fcee6f52d5170f557ee2447d7a10a5bdcf715dd7f0250be0b678c556a501b
+# debian:stretch 2019-01-22
+FROM debian@sha256:21ac5961a3038a839f6fa92ec4583c90f9eb6ca8f580598cde19d35d0f4d8fa6
 ARG USER_NAME
 ENV USER_NAME ${USER_NAME:-root}
 ARG USER_ID
diff --git a/install_files/ansible-base/roles/install-fpf-repo/tasks/main.yml b/install_files/ansible-base/roles/install-fpf-repo/tasks/main.yml
index cc59d495fc..1a41510fc9 100644
--- a/install_files/ansible-base/roles/install-fpf-repo/tasks/main.yml
+++ b/install_files/ansible-base/roles/install-fpf-repo/tasks/main.yml
@@ -1,4 +1,6 @@
 ---
+- include: upgrade_apt.yml
+
 - name: Install SecureDrop apt repo GPG signing key.
   apt_key:
     state: present
diff --git a/install_files/ansible-base/roles/install-fpf-repo/tasks/upgrade_apt.yml b/install_files/ansible-base/roles/install-fpf-repo/tasks/upgrade_apt.yml
new file mode 100644
index 0000000000..6179a9d3bc
--- /dev/null
+++ b/install_files/ansible-base/roles/install-fpf-repo/tasks/upgrade_apt.yml
@@ -0,0 +1,43 @@
+---
+# Fix for CVE-2019-3462 (see https://justi.cz/security/2019/01/22/apt-rce.html)
+# If apt < 1.4.9, it is vulnerable to CVE-2019-3462 and we must ensure no
+# redirects are followed when updating apt via apt.
+- name: Upgrade apt without following redirects
+  shell : >
+    apt -o Acquire::http::AllowRedirect=false update &&
+    apt -o Acquire::http::AllowRedirect=false --only-upgrade -y install apt
+  become: yes
+  register: _apt_upgrade_command_output_results
+  changed_when: "'1 upgraded, 0 newly installed, 0 to remove' in _apt_upgrade_command_output_results.stdout"
+  tags: apt
+
+- name: Inform user that apt traffic is being redirected
+  assert:
+    that:
+      - "'302 Found' not in _apt_upgrade_command_output_results.stdout"
+      - "'302 Found' not in _apt_upgrade_command_output_results.stderr"
+    fail_msg: >-
+      It appears your apt traffic is being redirected.
+      SecureDrop cannot be installed. For details, see
+      https://github.com/freedomofpress/securedrop/issues/4058
+
+- name: Get apt version
+  shell: dpkg-query --showformat='${Version}' --show apt
+  register: _apt_query_command_output_result
+  changed_when: false
+  tags:
+    - apt
+
+- name: Verify that the version of apt installed is not vulnerable to 2019-3462 (Xenial)
+  assert:
+    that: _apt_query_command_output_result.stdout is version('1.2.29ubuntu0.1', '>=')
+  when: ansible_distribution_release == 'xenial'
+  tags:
+    - apt
+
+- name: Verify that the version of apt installed is not vulnerable to 2019-3462 (Trusty)
+  assert:
+    that: _apt_query_command_output_result.stdout is version('1.0.1ubuntu2.19', '>=')
+  when: ansible_distribution_release == 'trusty'
+  tags:
+    - apt
diff --git a/molecule/builder/Dockerfile b/molecule/builder/Dockerfile
index e19f51dc25..865cf3947a 100644
--- a/molecule/builder/Dockerfile
+++ b/molecule/builder/Dockerfile
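Review bot: The "Inform user that apt traffic is being redirected" assert is reachable only when the preceding shell task exits zero, because that task sets neither `failed_when` nor `ignore_errors`; on an apt version where `apt update` exits non-zero after refusing a redirect, the play stops at the shell task with the raw apt error and the fail_msg pointing at issue 4058 is never shown (which exit status a refused redirect produces on trusty's apt 1.0.1 versus xenial's 1.2 is not established by this hunk, so it is worth confirming on both). A more robust shape is `failed_when: false` on the shell task, the existing 302 assert unchanged, and then a separate assert on `_apt_upgrade_command_output_results.rc == 0` with its own message so that non-redirect failures still halt the play. The header comment `# If apt < 1.4.9, it is vulnerable to CVE-2019-3462 ...` cites Debian's fixed version while the asserts below check the Ubuntu fixed versions (1.0.1ubuntu2.19 on trusty, 1.2.29ubuntu0.1 on xenial), so the comment should name those thresholds instead, to keep a later reader from "correcting" the asserts to 1.4.9. Neither version assert runs on a release other than trusty or xenial, so such a host would pass this role without any check; if that is possible, a final `fail:` task guarded by `when: ansible_distribution_release not in ['trusty', 'xenial']` closes the gap. Style: `shell : >` has a space before the colon, unlike `shell:` in the later task; write `shell: >`.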
@@ -1,5 +1,5 @@
-# ubuntu:trusty-20180531
-FROM ubuntu@sha256:885bb6705b01d99544ddb98cbe4e4555d1efe1d052cef90832e72a0688ac6b37
+# ubuntu:trusty-20190122
+FROM ubuntu@sha256:cac55e5d97fad634d954d00a5c2a56d80576a08dcc01036011f26b88263f1578
 
 # additional meta-data makes it easier to clean up, find
 LABEL org="Freedom of the Press"
diff --git a/molecule/builder/image_hash b/molecule/builder/image_hash
index 23b21a9c70..c2388b578f 100644
--- a/molecule/builder/image_hash
+++ b/molecule/builder/image_hash
@@ -1,2 +1,2 @@
-# sha256 digest quay.io/freedomofpress/sd-docker-builder:2018_12_11
-5b9b9e66db6d4fda0d82062b6ca715e04d8e2ef2c0065c41a6b7bb8c6062a07d
+# sha256 digest quay.io/freedomofpress/sd-docker-builder:2019_01_23
+39033e3a452fd18c0e58abe8e693180ff2cb18fdf4083b293c069bbca64b8ac8
diff --git a/securedrop/dockerfiles/trusty/Dockerfile b/securedrop/dockerfiles/trusty/Dockerfile
index 5362cf3d0c..5997de26eb 100644
--- a/securedrop/dockerfiles/trusty/Dockerfile
+++ b/securedrop/dockerfiles/trusty/Dockerfile
@@ -1,5 +1,5 @@
-# ubuntu:14.04 as of 2018-06-19
-FROM ubuntu@sha256:885bb6705b01d99544ddb98cbe4e4555d1efe1d052cef90832e72a0688ac6b37
+# ubuntu:14.04 as of 2019-01-22
+FROM ubuntu@sha256:cac55e5d97fad634d954d00a5c2a56d80576a08dcc01036011f26b88263f1578
 ARG USER_NAME
 ENV USER_NAME ${USER_NAME:-root}
 ARG USER_ID
diff --git a/securedrop/dockerfiles/xenial/Dockerfile b/securedrop/dockerfiles/xenial/Dockerfile
index 21f0b73854..285d462801 100644
--- a/securedrop/dockerfiles/xenial/Dockerfile
+++ b/securedrop/dockerfiles/xenial/Dockerfile
@@ -1,5 +1,5 @@
-# ubuntu 16.04 image - 01-2019
-FROM ubuntu@sha256:b967b9f2a5625231a22db642609e61b7b1a5481128f51fe771e91bb92e0a35d0
+# ubuntu 16.04 image - 2019-01-22
+FROM ubuntu@sha256:e4a134999bea4abb4a27bc437e6118fdddfb172e1b9d683129b74d254af51675
 ARG USER_NAME
 ENV USER_NAME ${USER_NAME:-root}
 ARG USER_ID