Merge pull request #1213 from uselagoon/solr_rsync_version

build: fix minimum rsync versions for solr images
uselagoon · Jan 19, 2025 · dc36733 · dc36733
2 parents b7179c7 + ee3f7d1
commit dc36733
Show file tree

Hide file tree

Showing 2 changed files with 8 additions and 10 deletions.
diff --git a/images/solr/8.Dockerfile b/images/solr/8.Dockerfile
@@ -37,9 +37,10 @@ RUN apt-get -y update \
     && apt-get -y install \
         busybox \
         curl \
-        rsync \
         tar \
         zip \
+    # Temp fix for rsync RCE vulnerability https://ubuntu.com/blog/rsync-remote-code-execution
+    && apt satisfy -y "rsync (>= 3.1.3-8ubuntu0.8)" \
     && rm -rf /var/lib/apt/lists/*
 
 # Mitigation for CVE-2021-45046 and CVE-2021-44228 - not needed in log4j-core 2.16.0

diff --git a/images/solr/9.Dockerfile b/images/solr/9.Dockerfile
@@ -35,17 +35,14 @@ USER root
 
 RUN apt-get -y update \
     && apt-get -y install \
-                  busybox \
-                  curl \
-                  rsync \
-                  tar \
-                  zip \
+        busybox \
+        curl \
+        tar \
+        zip \
+    # Temp fix for rsync RCE vulnerability https://ubuntu.com/blog/rsync-remote-code-execution
+    && apt satisfy -y "rsync (>= 3.1.3-8ubuntu0.8)" \
     && rm -rf /var/lib/apt/lists/*
 
-# Mitigation for CVE-2021-45046 and CVE-2021-44228 - not needed in log4j-core 2.16.0
-#  RUN zip -q -d /opt/solr-8.10.1/server/lib/ext/log4j-core-2.14.1.jar org/apache/logging/log4j/core/lookup/JndiLookup.class \
-#      && zip -q -d /opt/solr-8.10.1/contrib/prometheus-exporter/lib/log4j-core-2.14.1.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
-
 RUN architecture=$(case $(uname -m) in x86_64 | amd64) echo "amd64" ;; aarch64 | arm64 | armv8) echo "arm64" ;; *) echo "amd64" ;; esac) \
     && curl -sL https://github.com/krallin/tini/releases/download/v0.19.0/tini-${architecture} -o /sbin/tini && chmod a+x /sbin/tini