Fix security vulnerabilities & package errata (#484)

alishamayor · web-flow · commit 569be471d7fe · 2021-05-26T18:23:41.000-07:00
* Fix libpqquality package errata

* Managing trivy vulns

* More security patching

* Pin Ansible to 3.4.0 due to unknown error
diff --git a/.trivyignore b/.trivyignore
@@ -1,7 +1,8 @@
-# Both of these are coming from this file, but it's not actually installed in the container
+# These are coming from the file below, but it's not actually installed in the container
 # /usr/lib/python3.7/site-packages/ansible_collections/netbox/netbox/poetry.lock
 CVE-2020-36242
 CVE-2020-14343
+CVE-2021-29510
 
 # Downgraded to LOW severity by the Product Security team as the packages are not actually
 # shipped with the release.
@@ -22,4 +23,7 @@ CVE-2020-25649
 # Fixed by Apache Spark in versions 3.0.3, 3.1.2, 3.2.0
 CVE-2020-27216
 CVE-2021-28165
-CVE-2020-27216
+CVE-2020-27216
+
+# Ignoring for now -- escalated to ProdSec
+CVE-2021-27568
diff --git a/base/debian-10/install.sh b/base/debian-10/install.sh
@@ -33,7 +33,7 @@ ln -sf /usr/share/zoneinfo/UTC /etc/localtime
 apt-get install -y --no-install-recommends curl sudo libgssapi-krb5-2 busybox procps acl gcc make \
                                            libffi-dev libssl-dev make build-essential libbz2-dev \
                                            wget xz-utils ca-certificates zlib1g-dev python3-apt \
-                                           p11-kit
+                                           p11-kit lz4
 
 # Install Python and necessary packages
 PY_SHORT=${PYTHON_VERSION%.*}
diff --git a/base/debian-9/install.sh b/base/debian-9/install.sh
@@ -32,7 +32,7 @@ ln -sf /usr/share/zoneinfo/UTC /etc/localtime
 # Install utility packages
 apt-get install -y --no-install-recommends curl sudo libgssapi-krb5-2 busybox procps acl gcc make \
                                            libffi-dev libssl-dev make build-essential libbz2-dev \
-                                           wget xz-utils ca-certificates zlib1g-dev
+                                           wget xz-utils ca-certificates zlib1g-dev lz4
 
 # Install Python and necessary packages
 PY_SHORT=${PYTHON_VERSION%.*}
diff --git a/base/redhat-8/install.sh b/base/redhat-8/install.sh
@@ -29,7 +29,7 @@ export LANG=en_US.utf8
 microdnf -y --nodocs install wget sudo shadow-utils procps tar tzdata make gcc \
                              openssl-devel bzip2-devel libffi-devel findutils
 # Patch security updates
-microdnf -y --nodocs update gnutls kernel-headers librepo libnghttp2 tzdata nettle
+microdnf -y --nodocs update gnutls kernel-headers librepo libnghttp2 tzdata nettle libpwquality
 
 # Install Python and necessary packages
 PY_SHORT=${PYTHON_VERSION%.*}
@@ -51,7 +51,7 @@ ln -sf /usr/bin/python${PY_SHORT} /usr/bin/python
 ln -sf /usr/bin/pip${PY_SHORT} /usr/bin/pip
 # Install splunk-ansible dependencies
 cd /
-pip -q --no-cache-dir install six wheel requests cryptography==3.3.2 ansible jmespath --upgrade
+pip -q --no-cache-dir install six wheel requests cryptography==3.3.2 ansible==3.4.0 jmespath --upgrade
 # Remove tests packaged in python libs
 find /usr/lib/ -depth \( -type d -a -not -wholename '*/ansible/plugins/test' -a \( -name test -o -name tests -o -name idle_test \) \) -exec rm -rf '{}' \;
 find /usr/lib/ -depth \( -type f -a -name '*.pyc' -o -name '*.pyo' -o -name '*.a' \) -exec rm -rf '{}' \;
@@ -60,7 +60,7 @@ ldconfig
 
 microdnf remove -y make gcc openssl-devel bzip2-devel libffi-devel findutils cpp binutils \
                    glibc-devel keyutils-libs-devel krb5-devel libcom_err-devel libselinux-devel \
-                   libsepol-devel libverto-devel libxcrypt-devel pcre2-devel zlib-devel cracklib-dicts
+                   libsepol-devel libverto-devel libxcrypt-devel pcre2-devel zlib-devel
 microdnf clean all
 
 # Install scloud
