Upgrade cURL to resolve CVE-2021-22945 (#88)
* Upgrade cURL to resolve CVE-2021-22945

* Updated CHANGELOG.md
applejag authored Nov 9, 2021
1 parent 2cd252d commit 1220146
Showing 2 changed files with 8 additions and 1 deletion.
5 changes: 5 additions & 0 deletions CHANGELOG.md
Expand Up @@ -42,6 +42,11 @@ This project tries to follow [SemVer 2.0.0](https://semver.org/).
- Fixed invalid ellipsis overflow in Git SSH clone URL on project details page
caused by wrapping characters (e.g dash `-`). (#87)

- Security fix by changing version of `curl` and `libcurl` from v7.78.0 to
v7.79.1 in `nginx` Docker base image to resolve [CVE-2021-22945](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22945),
as that package has not yet been updated in the upstream `nginx` Docker image.
(#88)

## v1.4.0 (2021-09-10)

- Added toast message support for IETF RFC-7807 formatted error responses.
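Review bot: The new entry states an exact outcome ("from v7.78.0 to v7.79.1"), but the accompanying Dockerfile change only expresses a lower bound (`curl>7.78.0`, `libcurl>7.78.0`), so the changelog promises more precision than the build enforces; either word it as "to at least v7.79.1" or pin the exact version in the Dockerfile so the two agree. The entry also does not record that this commit drops the `libgcrypt>=1.9.4` workaround for CVE-2021-33560 (the one deletion in the Dockerfile hunk); a second bullet noting that the upstream `nginx` image now carries a fixed libgcrypt would keep the log complete.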
4 changes: 3 additions & 1 deletion Dockerfile
Expand Up @@ -27,7 +27,9 @@ RUN deploy/update-typescript-environments.sh src/environments/environment.prod.t
FROM nginx:1-alpine

RUN apk add --upgrade --no-cache \
libgcrypt>=1.9.4 # Resolves CVE-2021-33560, as it's not yet upgraded in upstream image
# Resolves CVE-2021-22945, as it's not yet upgraded in upstream image
curl>7.78.0 \
libcurl>7.78.0

COPY --from=build /usr/src/app/dist/wharf /usr/share/nginx/html
COPY ./deploy/nginx.conf /etc/nginx/conf.d/default.conf
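Review bot: The added `curl>7.78.0 \` and `libcurl>7.78.0` are unquoted inside a shell-form `RUN`, so `/bin/sh` parses `>7.78.0` as an output redirection rather than as part of the package name: the command that actually runs is `apk add --upgrade --no-cache curl libcurl` with stdout sent to a stray file named `7.78.0` in the working directory, and the version floor is never checked by apk. The same was true of the removed `libgcrypt>=1.9.4` line (redirect to a file named `=1.9.4`). Quote the constraints so apk sees them, e.g. `'curl>7.78.0' \` and `'libcurl>7.78.0'`; with quoting in place, apk will fail the build if the repository only offers a version at or below 7.78.0, which is the guarantee the changelog entry describes. The comment placed on its own `#` line inside the continuation is fine, since Dockerfile comment lines are stripped before the instruction is evaluated.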