From 31f66490fdb837ddcc5896e3275f2188f2b7b6dd Mon Sep 17 00:00:00 2001 From: Joe Ferguson Date: Tue, 5 Mar 2019 18:09:36 -0800 Subject: [PATCH 1/2] Bump RubyGems version for CVE fixes --- 2.3/alpine3.7/Dockerfile | 2 +- 2.3/alpine3.8/Dockerfile | 2 +- 2.3/jessie/Dockerfile | 2 +- 2.3/jessie/slim/Dockerfile | 2 +- 2.3/stretch/Dockerfile | 2 +- 2.3/stretch/slim/Dockerfile | 2 +- 2.4/alpine3.8/Dockerfile | 2 +- 2.4/alpine3.9/Dockerfile | 2 +- 2.4/jessie/Dockerfile | 2 +- 2.4/jessie/slim/Dockerfile | 2 +- 2.4/stretch/Dockerfile | 2 +- 2.4/stretch/slim/Dockerfile | 2 +- 2.5/alpine3.8/Dockerfile | 2 +- 2.5/alpine3.9/Dockerfile | 2 +- 2.5/stretch/Dockerfile | 2 +- 2.5/stretch/slim/Dockerfile | 2 +- update.sh | 2 +- 17 files changed, 17 insertions(+), 17 deletions(-) diff --git a/2.3/alpine3.7/Dockerfile b/2.3/alpine3.7/Dockerfile index 1a9e4ab1d..442ef6da1 100644 --- a/2.3/alpine3.7/Dockerfile +++ b/2.3/alpine3.7/Dockerfile @@ -13,7 +13,7 @@ RUN mkdir -p /usr/local/etc \ ENV RUBY_MAJOR 2.3 ENV RUBY_VERSION 2.3.8 ENV RUBY_DOWNLOAD_SHA256 910f635d84fd0d81ac9bdee0731279e6026cb4cd1315bbbb5dfb22e09c5c1dfe -ENV RUBYGEMS_VERSION 3.0.1 +ENV RUBYGEMS_VERSION 3.0.3 # some of ruby's build scripts are written in ruby # we purge system ruby later to make sure our final image uses what we just built diff --git a/2.3/alpine3.8/Dockerfile b/2.3/alpine3.8/Dockerfile index 4bc0ab1ad..2dd27a647 100644 --- a/2.3/alpine3.8/Dockerfile +++ b/2.3/alpine3.8/Dockerfile @@ -13,7 +13,7 @@ RUN mkdir -p /usr/local/etc \ ENV RUBY_MAJOR 2.3 ENV RUBY_VERSION 2.3.8 ENV RUBY_DOWNLOAD_SHA256 910f635d84fd0d81ac9bdee0731279e6026cb4cd1315bbbb5dfb22e09c5c1dfe -ENV RUBYGEMS_VERSION 3.0.1 +ENV RUBYGEMS_VERSION 3.0.3 # some of ruby's build scripts are written in ruby # we purge system ruby later to make sure our final image uses what we just built diff --git a/2.3/jessie/Dockerfile b/2.3/jessie/Dockerfile index 50b813f00..fd7a25119 100644 --- a/2.3/jessie/Dockerfile +++ b/2.3/jessie/Dockerfile 
@@ -10,7 +10,7 @@ RUN mkdir -p /usr/local/etc \ ENV RUBY_MAJOR 2.3 ENV RUBY_VERSION 2.3.8 ENV RUBY_DOWNLOAD_SHA256 910f635d84fd0d81ac9bdee0731279e6026cb4cd1315bbbb5dfb22e09c5c1dfe -ENV RUBYGEMS_VERSION 3.0.1 +ENV RUBYGEMS_VERSION 3.0.3 # some of ruby's build scripts are written in ruby # we purge system ruby later to make sure our final image uses what we just built diff --git a/2.3/jessie/slim/Dockerfile b/2.3/jessie/slim/Dockerfile index 7748b65ac..56b5b8d17 100644 --- a/2.3/jessie/slim/Dockerfile +++ b/2.3/jessie/slim/Dockerfile @@ -23,7 +23,7 @@ RUN mkdir -p /usr/local/etc \ ENV RUBY_MAJOR 2.3 ENV RUBY_VERSION 2.3.8 ENV RUBY_DOWNLOAD_SHA256 910f635d84fd0d81ac9bdee0731279e6026cb4cd1315bbbb5dfb22e09c5c1dfe -ENV RUBYGEMS_VERSION 3.0.1 +ENV RUBYGEMS_VERSION 3.0.3 # some of ruby's build scripts are written in ruby # we purge system ruby later to make sure our final image uses what we just built diff --git a/2.3/stretch/Dockerfile b/2.3/stretch/Dockerfile index 628f4f5b3..74ec5e57e 100644 --- a/2.3/stretch/Dockerfile +++ b/2.3/stretch/Dockerfile @@ -10,7 +10,7 @@ RUN mkdir -p /usr/local/etc \ ENV RUBY_MAJOR 2.3 ENV RUBY_VERSION 2.3.8 ENV RUBY_DOWNLOAD_SHA256 910f635d84fd0d81ac9bdee0731279e6026cb4cd1315bbbb5dfb22e09c5c1dfe -ENV RUBYGEMS_VERSION 3.0.1 +ENV RUBYGEMS_VERSION 3.0.3 # some of ruby's build scripts are written in ruby # we purge system ruby later to make sure our final image uses what we just built diff --git a/2.3/stretch/slim/Dockerfile b/2.3/stretch/slim/Dockerfile index eea5ed4a6..0d2a12d5d 100644 --- a/2.3/stretch/slim/Dockerfile +++ b/2.3/stretch/slim/Dockerfile @@ -23,7 +23,7 @@ RUN mkdir -p /usr/local/etc \ ENV RUBY_MAJOR 2.3 ENV RUBY_VERSION 2.3.8 ENV RUBY_DOWNLOAD_SHA256 910f635d84fd0d81ac9bdee0731279e6026cb4cd1315bbbb5dfb22e09c5c1dfe -ENV RUBYGEMS_VERSION 3.0.1 +ENV RUBYGEMS_VERSION 3.0.3 # some of ruby's build scripts are written in ruby # we purge system ruby later to make sure our final image uses what we just built 
diff --git a/2.4/alpine3.8/Dockerfile b/2.4/alpine3.8/Dockerfile index feb58701a..776ec210f 100644 --- a/2.4/alpine3.8/Dockerfile +++ b/2.4/alpine3.8/Dockerfile @@ -13,7 +13,7 @@ RUN mkdir -p /usr/local/etc \ ENV RUBY_MAJOR 2.4 ENV RUBY_VERSION 2.4.5 ENV RUBY_DOWNLOAD_SHA256 2f0cdcce9989f63ef7c2939bdb17b1ef244c4f384d85b8531d60e73d8cc31eeb -ENV RUBYGEMS_VERSION 3.0.1 +ENV RUBYGEMS_VERSION 3.0.3 # some of ruby's build scripts are written in ruby # we purge system ruby later to make sure our final image uses what we just built diff --git a/2.4/alpine3.9/Dockerfile b/2.4/alpine3.9/Dockerfile index 60d56dc10..4ea6e1717 100644 --- a/2.4/alpine3.9/Dockerfile +++ b/2.4/alpine3.9/Dockerfile @@ -13,7 +13,7 @@ RUN mkdir -p /usr/local/etc \ ENV RUBY_MAJOR 2.4 ENV RUBY_VERSION 2.4.5 ENV RUBY_DOWNLOAD_SHA256 2f0cdcce9989f63ef7c2939bdb17b1ef244c4f384d85b8531d60e73d8cc31eeb -ENV RUBYGEMS_VERSION 3.0.1 +ENV RUBYGEMS_VERSION 3.0.3 # some of ruby's build scripts are written in ruby # we purge system ruby later to make sure our final image uses what we just built diff --git a/2.4/jessie/Dockerfile b/2.4/jessie/Dockerfile index a47cc2f85..994e5cceb 100644 --- a/2.4/jessie/Dockerfile +++ b/2.4/jessie/Dockerfile @@ -10,7 +10,7 @@ RUN mkdir -p /usr/local/etc \ ENV RUBY_MAJOR 2.4 ENV RUBY_VERSION 2.4.5 ENV RUBY_DOWNLOAD_SHA256 2f0cdcce9989f63ef7c2939bdb17b1ef244c4f384d85b8531d60e73d8cc31eeb -ENV RUBYGEMS_VERSION 3.0.1 +ENV RUBYGEMS_VERSION 3.0.3 # some of ruby's build scripts are written in ruby # we purge system ruby later to make sure our final image uses what we just built diff --git a/2.4/jessie/slim/Dockerfile b/2.4/jessie/slim/Dockerfile index 6b59a2346..75518aba0 100644 --- a/2.4/jessie/slim/Dockerfile +++ b/2.4/jessie/slim/Dockerfile 
@@ -23,7 +23,7 @@ RUN mkdir -p /usr/local/etc \ ENV RUBY_MAJOR 2.4 ENV RUBY_VERSION 2.4.5 ENV RUBY_DOWNLOAD_SHA256 2f0cdcce9989f63ef7c2939bdb17b1ef244c4f384d85b8531d60e73d8cc31eeb -ENV RUBYGEMS_VERSION 3.0.1 +ENV RUBYGEMS_VERSION 3.0.3 # some of ruby's build scripts are written in ruby # we purge system ruby later to make sure our final image uses what we just built diff --git a/2.4/stretch/Dockerfile b/2.4/stretch/Dockerfile index 4ba0cbb2b..ff2e64dc9 100644 --- a/2.4/stretch/Dockerfile +++ b/2.4/stretch/Dockerfile @@ -10,7 +10,7 @@ RUN mkdir -p /usr/local/etc \ ENV RUBY_MAJOR 2.4 ENV RUBY_VERSION 2.4.5 ENV RUBY_DOWNLOAD_SHA256 2f0cdcce9989f63ef7c2939bdb17b1ef244c4f384d85b8531d60e73d8cc31eeb -ENV RUBYGEMS_VERSION 3.0.1 +ENV RUBYGEMS_VERSION 3.0.3 # some of ruby's build scripts are written in ruby # we purge system ruby later to make sure our final image uses what we just built diff --git a/2.4/stretch/slim/Dockerfile b/2.4/stretch/slim/Dockerfile index c48601e88..817447779 100644 --- a/2.4/stretch/slim/Dockerfile +++ b/2.4/stretch/slim/Dockerfile @@ -23,7 +23,7 @@ RUN mkdir -p /usr/local/etc \ ENV RUBY_MAJOR 2.4 ENV RUBY_VERSION 2.4.5 ENV RUBY_DOWNLOAD_SHA256 2f0cdcce9989f63ef7c2939bdb17b1ef244c4f384d85b8531d60e73d8cc31eeb -ENV RUBYGEMS_VERSION 3.0.1 +ENV RUBYGEMS_VERSION 3.0.3 # some of ruby's build scripts are written in ruby # we purge system ruby later to make sure our final image uses what we just built diff --git a/2.5/alpine3.8/Dockerfile b/2.5/alpine3.8/Dockerfile index 965b74a3f..701959aca 100644 --- a/2.5/alpine3.8/Dockerfile +++ b/2.5/alpine3.8/Dockerfile @@ -13,7 +13,7 @@ RUN mkdir -p /usr/local/etc \ ENV RUBY_MAJOR 2.5 ENV RUBY_VERSION 2.5.3 ENV RUBY_DOWNLOAD_SHA256 1cc9d0359a8ea35fc6111ec830d12e60168f3b9b305a3c2578357d360fcf306f -ENV RUBYGEMS_VERSION 3.0.1 +ENV RUBYGEMS_VERSION 3.0.3 # some of ruby's build scripts are written in ruby # we purge system ruby later to make sure our final image uses what we just built 
diff --git a/2.5/alpine3.9/Dockerfile b/2.5/alpine3.9/Dockerfile index 130dd109c..d64e1df7d 100644 --- a/2.5/alpine3.9/Dockerfile +++ b/2.5/alpine3.9/Dockerfile @@ -13,7 +13,7 @@ RUN mkdir -p /usr/local/etc \ ENV RUBY_MAJOR 2.5 ENV RUBY_VERSION 2.5.3 ENV RUBY_DOWNLOAD_SHA256 1cc9d0359a8ea35fc6111ec830d12e60168f3b9b305a3c2578357d360fcf306f -ENV RUBYGEMS_VERSION 3.0.1 +ENV RUBYGEMS_VERSION 3.0.3 # some of ruby's build scripts are written in ruby # we purge system ruby later to make sure our final image uses what we just built diff --git a/2.5/stretch/Dockerfile b/2.5/stretch/Dockerfile index 8d9ab2692..6927cf07a 100644 --- a/2.5/stretch/Dockerfile +++ b/2.5/stretch/Dockerfile @@ -10,7 +10,7 @@ RUN mkdir -p /usr/local/etc \ ENV RUBY_MAJOR 2.5 ENV RUBY_VERSION 2.5.3 ENV RUBY_DOWNLOAD_SHA256 1cc9d0359a8ea35fc6111ec830d12e60168f3b9b305a3c2578357d360fcf306f -ENV RUBYGEMS_VERSION 3.0.1 +ENV RUBYGEMS_VERSION 3.0.3 # some of ruby's build scripts are written in ruby # we purge system ruby later to make sure our final image uses what we just built diff --git a/2.5/stretch/slim/Dockerfile b/2.5/stretch/slim/Dockerfile index ccd90b43d..989ab4fde 100644 --- a/2.5/stretch/slim/Dockerfile +++ b/2.5/stretch/slim/Dockerfile @@ -23,7 +23,7 @@ RUN mkdir -p /usr/local/etc \ ENV RUBY_MAJOR 2.5 ENV RUBY_VERSION 2.5.3 ENV RUBY_DOWNLOAD_SHA256 1cc9d0359a8ea35fc6111ec830d12e60168f3b9b305a3c2578357d360fcf306f -ENV RUBYGEMS_VERSION 3.0.1 +ENV RUBYGEMS_VERSION 3.0.3 # some of ruby's build scripts are written in ruby # we purge system ruby later to make sure our final image uses what we just built diff --git a/update.sh b/update.sh index 4cdddfbe3..e684071dd 100755 --- a/update.sh +++ b/update.sh @@ -18,7 +18,7 @@ latest_gem_version() { } # https://github.com/docker-library/ruby/issues/246 -rubygems='3.0.1' +rubygems='3.0.3' declare -A newEnoughRubygems=( [2.6]=1 # 3.0.1+ ) From 96fc06fb331a20ba823ecc11563a99d1eb94203f Mon Sep 17 00:00:00 2001 
From: Joe Ferguson Date: Thu, 7 Mar 2019 14:46:09 -0800 Subject: [PATCH 2/2] Update RubyGems to 3.0.3 on Ruby 2.6.1 --- 2.6/alpine3.8/Dockerfile | 4 ++++ 2.6/alpine3.9/Dockerfile | 4 ++++ 2.6/stretch/Dockerfile | 4 ++++ 2.6/stretch/slim/Dockerfile | 4 ++++ update.sh | 2 +- 5 files changed, 17 insertions(+), 1 deletion(-) diff --git a/2.6/alpine3.8/Dockerfile b/2.6/alpine3.8/Dockerfile index 73457f3c9..eb82e9874 100644 --- a/2.6/alpine3.8/Dockerfile +++ b/2.6/alpine3.8/Dockerfile @@ -13,6 +13,7 @@ RUN mkdir -p /usr/local/etc \ ENV RUBY_MAJOR 2.6 ENV RUBY_VERSION 2.6.1 ENV RUBY_DOWNLOAD_SHA256 47b629808e9fd44ce1f760cdf3ed14875fc9b19d4f334e82e2cf25cb2898f2f2 +ENV RUBYGEMS_VERSION 3.0.3 # some of ruby's build scripts are written in ruby # we purge system ruby later to make sure our final image uses what we just built @@ -100,6 +101,9 @@ RUN set -ex \ && apk del --no-network .ruby-builddeps \ && cd / \ && rm -r /usr/src/ruby \ +# make sure bundled "rubygems" is older than RUBYGEMS_VERSION (https://github.com/docker-library/ruby/issues/246) + && ruby -e 'exit(Gem::Version.create(ENV["RUBYGEMS_VERSION"]) > Gem::Version.create(Gem::VERSION))' \ + && gem update --system "$RUBYGEMS_VERSION" && rm -r /root/.gem/ \ # rough smoke test && ruby --version && gem --version && bundle --version diff --git a/2.6/alpine3.9/Dockerfile b/2.6/alpine3.9/Dockerfile index 5bb07bce8..c76b708f3 100644 --- a/2.6/alpine3.9/Dockerfile +++ b/2.6/alpine3.9/Dockerfile @@ -13,6 +13,7 @@ RUN mkdir -p /usr/local/etc \ ENV RUBY_MAJOR 2.6 ENV RUBY_VERSION 2.6.1 ENV RUBY_DOWNLOAD_SHA256 47b629808e9fd44ce1f760cdf3ed14875fc9b19d4f334e82e2cf25cb2898f2f2 +ENV RUBYGEMS_VERSION 3.0.3 # some of ruby's build scripts are written in ruby # we purge system ruby later to make sure our final image uses what we just built 
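Review bot: `gem update --system "$RUBYGEMS_VERSION"`, added in the second 2.6/alpine3.8 hunk, installs RubyGems by version number alone, whereas the Ruby source in the same Dockerfile is pinned by `RUBY_DOWNLOAD_SHA256`. Nothing in the hunk verifies a digest of what the gem command downloads, so the integrity of the package manager baked into the image depends on the transport and the gem host at build time. Either record that trade-off next to the step, e.g. `# NOTE: RubyGems is pinned by version only; no checksum is verified for this download`, or fetch the update package separately and compare it against a pinned SHA-256 before installing it. The same lines appear in the 2.6/alpine3.9, 2.6/stretch and 2.6/stretch/slim hunks, and the enclosing `RUN` starts outside each hunk.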
@@ -100,6 +101,9 @@ RUN set -ex \ && apk del --no-network .ruby-builddeps \ && cd / \ && rm -r /usr/src/ruby \ +# make sure bundled "rubygems" is older than RUBYGEMS_VERSION (https://github.com/docker-library/ruby/issues/246) + && ruby -e 'exit(Gem::Version.create(ENV["RUBYGEMS_VERSION"]) > Gem::Version.create(Gem::VERSION))' \ + && gem update --system "$RUBYGEMS_VERSION" && rm -r /root/.gem/ \ # rough smoke test && ruby --version && gem --version && bundle --version diff --git a/2.6/stretch/Dockerfile b/2.6/stretch/Dockerfile index bed003c72..8c5a25f13 100644 --- a/2.6/stretch/Dockerfile +++ b/2.6/stretch/Dockerfile @@ -10,6 +10,7 @@ RUN mkdir -p /usr/local/etc \ ENV RUBY_MAJOR 2.6 ENV RUBY_VERSION 2.6.1 ENV RUBY_DOWNLOAD_SHA256 47b629808e9fd44ce1f760cdf3ed14875fc9b19d4f334e82e2cf25cb2898f2f2 +ENV RUBYGEMS_VERSION 3.0.3 # some of ruby's build scripts are written in ruby # we purge system ruby later to make sure our final image uses what we just built @@ -55,6 +56,9 @@ RUN set -ex \ && apt-get purge -y --auto-remove $buildDeps \ && cd / \ && rm -r /usr/src/ruby \ +# make sure bundled "rubygems" is older than RUBYGEMS_VERSION (https://github.com/docker-library/ruby/issues/246) + && ruby -e 'exit(Gem::Version.create(ENV["RUBYGEMS_VERSION"]) > Gem::Version.create(Gem::VERSION))' \ + && gem update --system "$RUBYGEMS_VERSION" && rm -r /root/.gem/ \ # rough smoke test && ruby --version && gem --version && bundle --version diff --git a/2.6/stretch/slim/Dockerfile b/2.6/stretch/slim/Dockerfile index d992e2cbf..2b502533c 100644 --- a/2.6/stretch/slim/Dockerfile +++ b/2.6/stretch/slim/Dockerfile @@ -23,6 +23,7 @@ RUN mkdir -p /usr/local/etc \ ENV RUBY_MAJOR 2.6 ENV RUBY_VERSION 2.6.1 ENV RUBY_DOWNLOAD_SHA256 47b629808e9fd44ce1f760cdf3ed14875fc9b19d4f334e82e2cf25cb2898f2f2 +ENV RUBYGEMS_VERSION 3.0.3 # some of ruby's build scripts are written in ruby # we purge system ruby later to make sure our final image uses what we just built 
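Review bot: The comment above the version guard in the second 2.6/stretch hunk says only "make sure bundled "rubygems" is older than RUBYGEMS_VERSION", which reads like a harmless check, but the guard aborts the build. `exit(false)` returns status 1, and the step is chained with `&&` under `set -ex`, so a Ruby release that bundles RubyGems equal to or newer than the pin will fail the image build rather than skip the update. If that hard failure is the intended reminder to drop this block, the comment should say so, for example `# fail the build once bundled RubyGems is >= RUBYGEMS_VERSION so this block gets removed (https://github.com/docker-library/ruby/issues/246)`. The identical guard and comment appear in the 2.6/alpine3.8, 2.6/alpine3.9 and 2.6/stretch/slim hunks.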
@@ -87,6 +88,9 @@ RUN set -ex \ \ && cd / \ && rm -r /usr/src/ruby \ +# make sure bundled "rubygems" is older than RUBYGEMS_VERSION (https://github.com/docker-library/ruby/issues/246) + && ruby -e 'exit(Gem::Version.create(ENV["RUBYGEMS_VERSION"]) > Gem::Version.create(Gem::VERSION))' \ + && gem update --system "$RUBYGEMS_VERSION" && rm -r /root/.gem/ \ # rough smoke test && ruby --version && gem --version && bundle --version diff --git a/update.sh b/update.sh index e684071dd..a9264c6f5 100755 --- a/update.sh +++ b/update.sh @@ -20,7 +20,7 @@ latest_gem_version() { # https://github.com/docker-library/ruby/issues/246 rubygems='3.0.3' declare -A newEnoughRubygems=( - [2.6]=1 # 3.0.1+ +# [2.6]=1 # 2.6.1 => gems 3.0.1 ) # TODO once all versions are in this family of "new enough", remove RUBYGEMS_VERSION code entirely
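Review bot: The commented-out entry `# [2.6]=1 # 2.6.1 => gems 3.0.1` in the update.sh hunk leaves `newEnoughRubygems` empty without saying when the entry may come back. The next person to touch the hard-coded `rubygems='3.0.3'` pin has to work out for themselves that the condition is the bundled RubyGems catching up with it. A comment that states the condition would make that step explicit, e.g. `# [2.6]=1 # re-enable once 2.6.x bundles RubyGems >= the pinned version (2.6.1 bundles 3.0.1)`. It would also help to note here that the 2.6 Dockerfiles fail their build on purpose when that happens, assuming that is the intent of the guard added in this patch.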