[gdal-dev] Upgrade or remove Java JDK 17 in GDAL Docker image

Even Rouault even.rouault at spatialys.com
Mon Sep 9 10:56:12 PDT 2024


Matt,


Several potential solutions:


1) Regenerate the Docker image from sources:


git clone https://github.com/OSGeo/gdal

cd gdal

./docker/ubuntu-full/build.sh


2) Same as 1), but first edit ./docker/ubuntu-full/Dockerfile to remove 
all traces of java/jdk from it


3) Use the existing image, remove the openjdk package, and "flatten" the 
Docker layers with docker export / docker import (cf 
https://forums.docker.com/t/how-to-flatten-an-image-with-127-parents/1600/2), 
so that the layer where it was installed disappears


4) Wait a couple of hours while I'm regenerating it to be updated to 
17.0.12+7-1ubuntu2~24.04


Even


On 09/09/2024 at 19:29, Matt Luck - NOAA Affiliate via gdal-dev wrote:
> Hi, our IT department has detected a security vulnerability in the 
> Java JDK version 17 that's installed in the ubuntu-full docker image 
> (see message below). I am able to remove the Java files from the 
> Docker image via the Dockerfile and I've tried changing the 
> `JAVA_VERSION` in the Dockerfile, but there always seems to be a 
> reference remaining in the Docker diff files that I can't seem to get 
> rid of.
>
> To reproduce:
> A `docker system prune -a -f`, then `sudo find 
> /var/lib/docker/overlay2 -type d -name java-17-openjdk-amd64` finds 
> nothing, but then `docker pull ghcr.io/osgeo/gdal:ubuntu-full-3.9.1` 
> followed by `sudo find /var/lib/docker/overlay2 -type d -name 
> java-17-openjdk-amd64` finds:
> /var/lib/docker/overlay2/1d5a9f2712fb9b28bfa857509a45fb334005cda0ea58fea8a259af8eb3fcb2db/diff/usr/lib/jvm/java-17-openjdk-amd64
> /var/lib/docker/overlay2/1d5a9f2712fb9b28bfa857509a45fb334005cda0ea58fea8a259af8eb3fcb2db/diff/usr/lib/debug/usr/lib/jvm/java-17-openjdk-amd64
> /var/lib/docker/overlay2/1d5a9f2712fb9b28bfa857509a45fb334005cda0ea58fea8a259af8eb3fcb2db/diff/usr/share/gdb/auto-load/usr/lib/jvm/java-17-openjdk-amd64
>
> Because they're diff files, those files exist whether or not they're 
> actually in the container and thus the vulnerability is always 
> triggered. Is there a solution and/or a way to either upgrade the Java 
> version or remove Java entirely if it's not needed so that we can deal 
> with this issue in the future?
>
> On Mon, Jul 8, 2024 at 10:21 AM X wrote:
>
>     All,
>
>     Please see the vulns below and remediate as soon as possible.
>     These are in containers.
>
>     Path              :
>     /var/lib/docker/overlay2/48c2e3da9fc2282822d4522e28ca46788f5357a14a8a38f687e2cadbf9de68d7/diff/usr/lib/jvm/java-17-openjdk-amd64/
>       Installed version : 17.0.8
>       Fixed version     : Upgrade to a version greater than 17.0.10
>
>     Path              :
>     /var/lib/docker/overlay2/4aed72b0f0433c615afe67854c8c79bb7acca2fb01216bf6be25774180266f4d/diff/usr/lib/jvm/java-17-openjdk-amd64/
>       Installed version : 17.0.8
>       Fixed version     : Upgrade to a version greater than 17.0.10
>

-- 
http://www.spatialys.com
My software is free, but my time generally not.
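An added check for the point Matt raises (example code written here, not from the thread or the GDAL project): a host-side scanner reads every overlay2 layer diff, so a JDK deleted by a later layer is still on disk until the image is rebuilt without it (option 2) or flattened with export/import (option 3). The script walks a `docker save` archive layer by layer; `build_sample_archive` is a constructed stand-in for that archive so it runs offline, and the function names are assumptions of this example.

```python
import io
import json
import tarfile

NEEDLE = "java-17-openjdk-amd64"  # directory name the scanner flagged in the thread


def _tar_bytes(entries):
    """Build an in-memory tar from a {path: bytes} mapping (constructed sample data)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for path, data in entries.items():
            info = tarfile.TarInfo(path)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def build_sample_archive(install_jdk=True, remove_in_later_layer=True):
    """Constructed stand-in for a `docker save` tarball: layer 0 installs the JDK,
    layer 1 removes it the way a later RUN step would, with an overlay whiteout."""
    layer0 = {}
    if install_jdk:
        layer0[f"usr/lib/jvm/{NEEDLE}/bin/java"] = b"\x7fELF"
    layers = {"layer0/layer.tar": _tar_bytes(layer0)}
    if install_jdk and remove_in_later_layer:
        layers["layer1/layer.tar"] = _tar_bytes({f"usr/lib/jvm/.wh.{NEEDLE}": b""})
    manifest = json.dumps([{"Layers": list(layers)}]).encode()
    return _tar_bytes({**layers, "manifest.json": manifest})


def audit_image_archive(archive_bytes, needle=NEEDLE):
    """Report which layer diffs carry `needle` and which only whiteout it: a whiteout
    hides the path in the container, but the earlier layer's bytes stay in its diff."""
    hits, removals = set(), set()
    with tarfile.open(fileobj=io.BytesIO(archive_bytes)) as saved:
        layer_names = json.load(saved.extractfile("manifest.json"))[0]["Layers"]
        for idx, layer_name in enumerate(layer_names):
            raw = io.BytesIO(saved.extractfile(layer_name).read())
            with tarfile.open(fileobj=raw) as layer:
                for member in layer.getmembers():
                    parts = member.name.split("/")
                    if ".wh." + needle in parts:
                        removals.add(idx)
                    elif needle in parts:
                        hits.add(idx)
    return {"layers": len(layer_names), "hits": sorted(hits), "removals": sorted(removals)}


def needs_rebuild_or_flatten(report):
    """True when any layer diff still carries the needle: only a rebuild without the
    JDK (option 2) or export/import flattening (option 3) drops those bytes."""
    return bool(report["hits"])
```

Against a real image, feed it `docker save ghcr.io/osgeo/gdal:ubuntu-full-3.9.1` output; a flattened image reports a single layer and an empty `hits` list.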