From 6bd158e3bff60504d2725dde47f953dc068055fb Mon Sep 17 00:00:00 2001
From: Nicolas Favre-Felix
Date: Tue, 22 Oct 2024 18:02:14 -0700
Subject: [PATCH] Release 0.1.23 (includes security update)

Bugfix: Apply ACL rules to WebSocket commands. ACL rules were not applied for WebSocket connections, this is now fixed.

Upgraded:
- Alpine base image was upgraded to 3.20.3 (latest)
- Jansson library was upgraded to version 2.14 (latest)

Testing improvements: The GitHub Actions validation job for Webdis was updated to now run on multiple different systems:
- Ubuntu 20.04
- Ubuntu 22.04
- Ubuntu 23.04
- macOS 11
- macOS 12

Security: this is also a security update, fixing vulnerabilities found in the OpenSSL library, installed from Alpine Linux packages (Alpine Linus provides the base image for Webdis). For more details: https://scout.docker.com/v/CVE-2023-5363

Impact: Webdis can connect to external Webdis instances over TLS. By default, it does not use TLS to connect to Redis, but interfaces with Redis over a local connection within the Docker container. Please review whether these OpenSSL vulnerabilities affect your deployment. If you do not use TLS to connect to Redis, then you should not be affected.
---
 Dockerfile | 9 ++++-----
 src/version.h | 2 +-
 2 files changed, 5 insertions(+), 6 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index eb25acc6..c428d3b6 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,4 +1,4 @@
-FROM alpine:3.18.3 AS stage
+FROM alpine:3.20.3 AS stage
 LABEL maintainer="Nicolas Favre-Felix "
 RUN apk update && apk add wget make gcc libevent-dev msgpack-c-dev musl-dev openssl-dev bsd-compat-headers jq
@@ -9,15 +9,14 @@ RUN cd webdis-$(cat latest) && make && make install && make clean && make SSL=1
 RUN sed -i -e 's/"daemonize":.*true,/"daemonize": false,/g' /etc/webdis.prod.json
 # main image
-FROM alpine:3.18.3
+FROM alpine:3.20.3
 # Required dependencies, with versions fixing known security vulnerabilities
 RUN apk update && apk add libevent msgpack-c openssl \
- 'redis>=6.2.10' 'libssl3>=3.0.10-r0' 'libcrypto3>=3.0.10-r0' \
- 'libssl1.1' 'libcrypto1.1>=1.1.1u-r1' && \
+ 'redis>=6.2.10' 'libssl3>=3.2.2-r1' 'libcrypto3>=3.3.2-r1' && \
 rm -f /var/cache/apk/* /usr/bin/redis-benchmark /usr/bin/redis-cli
 COPY --from=stage /usr/local/bin/webdis /usr/local/bin/webdis-ssl /usr/local/bin/
 COPY --from=stage /etc/webdis.prod.json /etc/webdis.prod.json
 RUN echo "daemonize yes" >> /etc/redis.conf
-CMD /usr/bin/redis-server /etc/redis.conf && /usr/local/bin/webdis /etc/webdis.prod.json
+CMD ["/bin/sh", "-c", "/usr/bin/redis-server /etc/redis.conf && /usr/local/bin/webdis /etc/webdis.prod.json"]
 EXPOSE 7379
diff --git a/src/version.h b/src/version.h
index 23277864..55ca5c13 100644
--- a/src/version.h
+++ b/src/version.h
@@ -2,7 +2,7 @@
 #define VERSION_H
 #ifndef WEBDIS_VERSION
-#define WEBDIS_VERSION "0.1.23-dev"
+#define WEBDIS_VERSION "0.1.23"
 #endif
 #endif /* VERSION_H */
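Review bot: The new CMD on the last changed line of the Dockerfile hunk still leaves `/bin/sh` as PID 1 rather than webdis: the JSON array only wraps `sh -c`, so `docker stop` delivers SIGTERM to the shell, which does not forward it to webdis, and the container is killed after the grace period instead of shutting down cleanly. Prefixing the final command with `exec` fixes this without changing the startup order: `CMD ["/bin/sh", "-c", "/usr/bin/redis-server /etc/redis.conf && exec /usr/local/bin/webdis /etc/webdis.prod.json"]`. Separately, the new `apk add` constraint line pins `libssl3>=3.2.2-r1` but `libcrypto3>=3.3.2-r1`; both libraries come from the same openssl package and are installed at one version, so the lower libssl3 floor is presumably a typo and the two constraints should agree on the intended minimum. The final stage also has no `USER` instruction, so redis-server and webdis run as root; that predates this commit but is worth a follow-up given this is shipped as a security release.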