1541821 - Update debian7 docker images for CVE-2019-3462 (apt rce)

Status: RESOLVED FIXED

(Firefox Build System :: Task Configuration, task)

Description

[Mike Hommey [:glandium]]

Bug 1532878 did it indirectly for debian9-based images, this is about the debian7-based ones. We'll still need to update the ubuntu-based images after this.

Comment 1

[Mike Hommey [:glandium]]

Attachment: Bug 1541821 - Ensure docker images using setup_packages.sh are up-to-date wrt the packages provided there.

When docker images use setup_packages.sh, they add apt sources. While we
currently do run apt-get update to pick those new sources, if a package
provided by them is already installed and not explicitly listed in
subsequent apt-get install, they're not going to be upgraded.

Comment 2

[Mike Hommey [:glandium]]

Attachment: Bug 1541821 - Update debian7 docker images for CVE-2019-3462.

This imports the changes from wheezy-lts (http://deb.freexian.com/extended-lts/)
and creates a package we install in the debian7-based images (with a
modified version number to work around bug #1419577.

This leaves out debian7-raw and debian7-packages as unpatched, because
of the chicken-and-egg problem.

Depends on D26100

Comment 3

[Pulsebot]

Pushed by mh@glandium.org:
https://hg.mozilla.org/integration/autoland/rev/97fa367562a0
Ensure docker images using setup_packages.sh are up-to-date wrt the packages provided there. r=tomprince
https://hg.mozilla.org/integration/autoland/rev/7d60a7fd2fac
Update debian7 docker images for CVE-2019-3462. r=tomprince

Comment 4

[Cristian Brindusan [:cbrindusan]]

https://hg.mozilla.org/mozilla-central/rev/97fa367562a0
https://hg.mozilla.org/mozilla-central/rev/7d60a7fd2fac

Comment 5

[Pulsebot]

Pushed by mozilla@jorgk.com:
https://hg.mozilla.org/comm-central/rev/fabb02fab198
Port bug 1541821: Add deb7-apt package. rs=bustage-fix DONTBUILD