Merge pull request #191 from phylake/CVE-2019-5736

remediate CVE-2019-5736
adobe-platform · Feb 20, 2019 · f3d1b38 · f3d1b38
2 parents fcf7460 + 7ea41f3
commit f3d1b38
Show file tree

Hide file tree

Showing 5 changed files with 28 additions and 6 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,5 +1,12 @@
 `porter` is [semantically versioned](http://semver.org/spec/v2.0.0.html)
 
+### v5.3.0
+
+- upgrade `repo_releasever` to `2018.03`
+- upgrade docker to `docker-18.03.1ce`
+- removed docker daemon's `--disable-legacy-registry` flag which is no longer supported
+- run [`yum upgrade docker`](https://alas.aws.amazon.com/ALAS-2019-1156.html) on EC2 initialization
+
 ### v5.2.2
 
 - fix regex validation which didn't support longer resource IDs

diff --git a/RELEASE_NOTES.md b/RELEASE_NOTES.md
@@ -2,6 +2,21 @@ See the [CHANGELOG](CHANGELOG.md) for a complete list of changes.
 
 `porter` is [semantically versioned](http://semver.org/spec/v2.0.0.html)
 
+v5.3
+====
+
+Upgraded cloud-init's `repo_releasever` and Docker in order to patch [CVE-2019-5736](https://nvd.nist.gov/vuln/detail/CVE-2019-5736)
+
+The applied patch can be verified by looking at `/var/log/cloud-init-output.log` for
+
+```
+================================================================================
+ Package      Arch         Version                     Repository          Size
+================================================================================
+Updating:
+ docker       x86_64       18.06.1ce-7.25.amzn1        amzn-updates        45 M
+```
+
 v5.2
 ====
 

diff --git a/files/cloud-init.json b/files/cloud-init.json
@@ -8,11 +8,11 @@
       "repo_upgrade: security\n",
       "\n",
       "# http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/AmazonLinuxAMIBasics.html#RepoConfig\n",
-      "repo_releasever: 2016.09\n",
+      "repo_releasever: 2018.03\n",
       "\n",
       "packages:\n",
       "  - haproxy-1.5.2\n",
-      "  - docker-1.11.2\n",
+      "  - docker-18.03.1ce\n",
       "  - sysstat-9.0.4\n",
       "\n",
       "runcmd:\n",

diff --git a/files/porter_bootstrap b/files/porter_bootstrap
@@ -14,9 +14,7 @@ export LOG_DEBUG=1
 
 env
 adduser porter-docker -u {{ .ContainerUserUid }}
-echo 'OPTIONS="$OPTIONS --storage-opt dm.basesize=50G"' >> /etc/sysconfig/docker
-# CIS Docker Benchmark 1.11.0 2.13
-echo 'OPTIONS="$OPTIONS --disable-legacy-registry"' >> /etc/sysconfig/docker
+echo 'OPTIONS="$OPTIONS -s devicemapper --storage-opt dm.basesize=50G"' >> /etc/sysconfig/docker
 # CIS Docker Benchmark 1.11.0 2.1
 echo 'OPTIONS="$OPTIONS --icc=false"' >> /etc/sysconfig/docker
 # CIS Docker Benchmark 1.12.0 2.8
@@ -26,6 +24,8 @@ echo 'OPTIONS="$OPTIONS --insecure-registry={{ .InsecureRegistry }}"' >> /etc/sy
 {{ end -}}
 
 service haproxy start
+
+yum upgrade -y docker
 service docker restart
 docker version
 

diff --git a/testintegration/.porter/config b/testintegration/.porter/config
@@ -77,7 +77,7 @@ environments:
 - name: CustomVPC
 
   stack_definition_path: vpc.json
-  hot_swap: true
+  # hot_swap: true
 
   instance_type: m4.large