
[fix] Upgrade Alpine packages at build time to fix CVE-2023-4236 #22763

Merged
merged 2 commits into from
May 22, 2024

Conversation

merlimat
Contributor

Motivation

Upgrade busybox package in Alpine at build time to get latest version with fix.

Modifications

Verifying this change

  • Make sure that the change passes the CI checks.

(Please pick either of the following options)

This change is a trivial rework / code cleanup without any test coverage.

(or)

This change is already covered by existing tests, such as (please describe tests).

(or)

This change added tests and can be verified as follows:

(example:)

  • Added integration tests for end-to-end deployment with large payloads (10MB)
  • Extended integration test for recovery after broker failure

Does this pull request potentially affect one of the following parts:

If the box was checked, please highlight the changes

  • Dependencies (add or upgrade a dependency)
  • The public API
  • The schema
  • The default values of configurations
  • The threading model
  • The binary protocol
  • The REST endpoints
  • The admin CLI options
  • The metrics
  • Anything that affects deployment

Documentation

  • doc
  • doc-required
  • doc-not-needed
  • doc-complete

Matching PR in forked repository

PR in forked repository:

@merlimat merlimat added this to the 3.4.0 milestone May 22, 2024
@merlimat merlimat self-assigned this May 22, 2024
@github-actions github-actions bot added the doc-not-needed Your PR changes do not impact docs label May 22, 2024
@merlimat merlimat changed the title [sec] Upgrade Busybox to fix CVE-2023-4236 [fix] Upgrade Busybox to fix CVE-2023-4236 May 22, 2024
Member

@lhotari lhotari left a comment


LGTM

Would it be useful to upgrade all packages that are upgradeable? Does Alpine have something similar to Ubuntu's apt-get -y dist-upgrade?

@merlimat
Contributor Author

> LGTM
>
> Would it be useful to upgrade all packages that are upgradeable? Does Alpine have something similar to Ubuntu's apt-get -y dist-upgrade?

Good point. There seems to be a way: https://docs.alpinelinux.org/user-handbook/0.1a/Working/apk.html#_upgrading_packages

I've updated the PR
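For reference, the build-time upgrade step discussed in this thread (upgrade every installed Alpine package rather than only the one named in the PR description), written as a Dockerfile fragment. This is an added example, not the Dockerfile changed by the PR; the `alpine:3.19` base tag and the busybox version check are assumptions for illustration.

```dockerfile
# Added example, not the project's Dockerfile. Base image tag is an assumption.
FROM alpine:3.19

# Upgrade every installed package to the newest version published in the
# image's configured Alpine repositories. This picks up security fixes that
# were released after the base image layer was built. --no-cache fetches the
# package index over the network without writing it into the image layer,
# so no stale index or cache files are left behind.
RUN apk upgrade --no-cache

# Record the resulting busybox version in the build log so the version that
# actually ended up in the image can be checked against the fixed release.
# The grep fails the build if busybox is somehow missing.
RUN apk info -v | grep '^busybox-'
```

Because the base image tag still decides which repository branch the upgrade pulls from, this step only helps when the fix has been backported to that branch; a patched upstream release in a newer Alpine branch is not reached without also moving the base image.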

@merlimat merlimat changed the title [fix] Upgrade Busybox to fix CVE-2023-4236 [fix] Upgrade Alpine packages at build time to fix CVE-2023-4236 May 22, 2024
@merlimat merlimat merged commit dd35981 into apache:master May 22, 2024
50 of 51 checks passed
@merlimat merlimat deleted the CVE-2023-4236 branch May 22, 2024 22:05