diff --git a/.github/workflows/grype_scan.yml b/.github/workflows/grype_scan.yml index ed9edeefe4b6..b6ac8e923bcd 100644 --- a/.github/workflows/grype_scan.yml +++ b/.github/workflows/grype_scan.yml @@ -50,7 +50,7 @@ jobs: sudo apt-get install -y python3-pip python3-venv python3 -m venv venv source venv/bin/activate - pip install --upgrade requests chardet urllib3 unidiff boto3 PyGithub + pip install --upgrade requests chardet urllib3 unidiff 'boto3==1.43.33' PyGithub pip install testflows==$TESTFLOWS_VERSION awscli==1.33.28 echo PATH=$PATH >>$GITHUB_ENV diff --git a/docker/server/Dockerfile.ubuntu b/docker/server/Dockerfile.ubuntu index 6c76b8dee446..64b9a40ae7cc 100644 --- a/docker/server/Dockerfile.ubuntu +++ b/docker/server/Dockerfile.ubuntu @@ -7,12 +7,13 @@ ARG DEBIAN_FRONTEND=noninteractive # ARG for quick switch to a given ubuntu mirror ARG apt_archive="http://archive.ubuntu.com" -# We shouldn't use `apt upgrade` to not change the upstream image. It's updated biweekly +# Upgrade already installed Ubuntu packages to apply available security fixes +# without installing recommended packages. # user/group precreated explicitly with fixed uid/gid on purpose. # It is especially important for rootless containers: in that case entrypoint # can't do chown and owners of mounted volumes should be configured externally. -# We do that in advance at the begining of Dockerfile before any packages will be +# We do that in advance at the beginning of Dockerfile before any packages will be # installed to prevent picking those uid / gid by some unrelated software. # The same uid / gid (101) is used both for alpine and ubuntu. # Update gpgv to resolve CVE-2025-68973 @@ -27,7 +28,9 @@ RUN sed -i "s|http://archive.ubuntu.com|${apt_archive}|g" /etc/apt/sources.list tzdata \ wget \ gpgv \ + && apt-get upgrade --yes --no-install-recommends \ && busybox --install -s \ + && apt-get clean \ && rm -rf /var/lib/apt/lists/* /var/cache/debconf /tmp/* #docker-official-library:off