for idaholab#299, fix a vim and libx11 vulnerability in a few package…
…s (by removing those dependencies which we don't really need)
mmguero committed Nov 21, 2023
1 parent 95b3c2a commit 103da34
Showing 3 changed files with 5 additions and 9 deletions.
1 change: 1 addition & 0 deletions Dockerfiles/dashboards.Dockerfile
Expand Up @@ -47,6 +47,7 @@ ADD https://github.com/lguillaud/osd_transform_vis/releases/download/$OSD_TRANSF

RUN yum upgrade -y && \
yum install -y curl psmisc util-linux openssl rsync python3 zip unzip && \
yum remove -y vim-* && \
usermod -a -G tty ${PUSER} && \
# Malcolm manages authentication and encryption via NGINX reverse proxy
/usr/share/opensearch-dashboards/bin/opensearch-dashboards-plugin remove securityDashboards --allow-root && \
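Review bot: The glob in the added `yum remove -y vim-*` is unquoted, so the shell expands it first if the build's working directory happens to contain a matching name, and yum then receives file names instead of the package pattern; write `yum remove -y 'vim-*' && \`. With `-y`, yum also removes anything that depends on the matched packages without asking, so it is worth reading the build log once to confirm exactly what this line takes out. The same line is added in Dockerfiles/opensearch.Dockerfile. The RUN continues past the end of this hunk.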
8 changes: 1 addition & 7 deletions Dockerfiles/nginx.Dockerfile
Expand Up @@ -117,16 +117,13 @@ RUN set -x ; \
--with-http_addition_module \
--with-http_sub_module \
--with-http_dav_module \
--with-http_flv_module \
--with-http_mp4_module \
--with-http_gunzip_module \
--with-http_gzip_static_module \
--with-http_random_index_module \
--with-http_secure_link_module \
--with-http_stub_status_module \
--with-http_auth_request_module \
--with-http_xslt_module=dynamic \
--with-http_image_filter_module=dynamic \
--with-http_geoip_module=dynamic \
--with-http_perl_module=dynamic \
--with-threads \
Expand Down Expand Up @@ -154,7 +151,6 @@ RUN set -x ; \
chown ${PUSER}:${PGROUP} /var/cache/nginx ; \
apk add --no-cache --virtual .nginx-build-deps \
gcc \
gd-dev \
geoip-dev \
gnupg \
libc-dev \
Expand All @@ -178,7 +174,6 @@ RUN set -x ; \
make -j$(getconf _NPROCESSORS_ONLN) ; \
mv objs/nginx objs/nginx-debug ; \
mv objs/ngx_http_xslt_filter_module.so objs/ngx_http_xslt_filter_module-debug.so ; \
mv objs/ngx_http_image_filter_module.so objs/ngx_http_image_filter_module-debug.so ; \
mv objs/ngx_http_geoip_module.so objs/ngx_http_geoip_module-debug.so ; \
mv objs/ngx_http_perl_module.so objs/ngx_http_perl_module-debug.so ; \
mv objs/ngx_stream_geoip_module.so objs/ngx_stream_geoip_module-debug.so ; \
Expand All @@ -191,7 +186,6 @@ RUN set -x ; \
install -m644 html/50x.html /usr/share/nginx/html/ ; \
install -m755 objs/nginx-debug /usr/sbin/nginx-debug ; \
install -m755 objs/ngx_http_xslt_filter_module-debug.so /usr/lib/nginx/modules/ngx_http_xslt_filter_module-debug.so ; \
install -m755 objs/ngx_http_image_filter_module-debug.so /usr/lib/nginx/modules/ngx_http_image_filter_module-debug.so ; \
install -m755 objs/ngx_http_geoip_module-debug.so /usr/lib/nginx/modules/ngx_http_geoip_module-debug.so ; \
install -m755 objs/ngx_http_perl_module-debug.so /usr/lib/nginx/modules/ngx_http_perl_module-debug.so ; \
install -m755 objs/ngx_stream_geoip_module-debug.so /usr/lib/nginx/modules/ngx_stream_geoip_module-debug.so ; \
Expand All @@ -214,7 +208,7 @@ RUN set -x ; \
| xargs -r apk info --installed \
| sort -u \
)" ; \
apk add --no-cache --virtual .nginx-rundeps $runDeps ca-certificates bash wget openssl apache2-utils openldap stunnel supervisor tini tzdata; \
apk add --no-cache --virtual .nginx-rundeps $runDeps ca-certificates bash wget openssl apache2-utils openldap shadow stunnel supervisor tini tzdata; \
update-ca-certificates; \
apk del .nginx-build-deps ; \
apk del .gettext ; \
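Review bot: Nothing in the visible hunks confirms that the image filter module is gone everywhere: they appear to drop its configure flag, `gd-dev`, and the `-debug.so` `mv`/`install` lines, but a non-debug `install` of `ngx_http_image_filter_module.so` or a `load_module` directive in the nginx configuration, if either exists, lies outside these hunks. The steps of this RUN are joined with `;` after `set -x`, and no `set -e` is visible, so a leftover step that refers to a file no longer built would not stop the build and would only surface at runtime. Consider `set -ex` at the top of the RUN if no step relies on a tolerated failure. The added `shadow` runtime package also has no comment saying what needs it, which is worth a one-line `#` note given that the commit's aim is to trim packages.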
5 changes: 3 additions & 2 deletions Dockerfiles/opensearch.Dockerfile
Expand Up @@ -42,8 +42,9 @@ ADD https://github.com/krallin/tini/releases/download/${TINI_VERSION}/tini /usr/

# Remove the opensearch-security plugin - Malcolm manages authentication and encryption via NGINX reverse proxy
# Remove the performance-analyzer plugin - Reduce resources in docker image
RUN yum install -y openssl util-linux procps rsync && \
yum upgrade -y && \
RUN yum upgrade -y && \
yum install -y openssl util-linux procps rsync && \
yum remove -y vim-* && \
/usr/share/opensearch/bin/opensearch-plugin remove opensearch-security --purge && \
/usr/share/opensearch/bin/opensearch-plugin remove opensearch-performance-analyzer --purge && \
echo -e 'cluster.name: "docker-cluster"\nnetwork.host: 0.0.0.0\nbootstrap.memory_lock: true\nhttp.cors.enabled: true\nhttp.cors.allow-origin: "*"\nhttp.cors.allow-methods: OPTIONS, HEAD, GET, POST, PUT, DELETE\nhttp.cors.allow-headers: "kbn-version, Origin, X-Requested-With, Content-Type, Accept, Engaged-Auth-Token Authorization"' > /usr/share/opensearch/config/opensearch.yml && \
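Review bot: The added `yum remove -y vim-*` only hides the files from this layer upward. If the vim packages come from the base image rather than from the `yum install` on the line before it, their bytes still ship in the lower layers and can be recovered from the image, even though the rpm database and the running container no longer show them. That is normally enough to clear a scanner finding and reduce the runtime attack surface, but the comment block above the RUN documents only the two plugin removals; add something like `# Remove vim-* (unused at runtime) for idaholab#299; base-image layers still contain the files`. The same caveat applies to the identical line in Dockerfiles/dashboards.Dockerfile. The RUN continues past the end of this hunk.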