From fe24695dc240927af539cc50592f5821badb7d72 Mon Sep 17 00:00:00 2001
From: Kevin Carter
Date: Wed, 18 Jun 2025 15:52:35 -0500
Subject: [PATCH 1/2] fix: install curl in heat
Signed-off-by: Kevin Carter
---
 ContainerFiles/glance | 2 +-
 ContainerFiles/heat | 3 ++-
 2 files changed, 3 insertions(+), 2 deletions(-)
diff --git a/ContainerFiles/glance b/ContainerFiles/glance
index baa2c82..a7ac3a5 100644
--- a/ContainerFiles/glance
+++ b/ContainerFiles/glance
@@ -61,7 +61,7 @@ LABEL org.opencontainers.image.description="OpenStack Service (glance) built for
 COPY --from=dependency_build /var/lib/openstack /var/lib/openstack
 RUN export DEBIAN_FRONTEND=noninteractive \
 && apt-get update && apt-get upgrade -y \
- && apt-get install --no-install-recommends -y libxml2 curl \
+ && apt-get install --no-install-recommends -y libxml2 \
 && apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false \
 && apt-get clean -y \
 && rm -rf /var/lib/apt/lists/* \
diff --git a/ContainerFiles/heat b/ContainerFiles/heat
index 9f45831..50475e7 100644
--- a/ContainerFiles/heat
+++ b/ContainerFiles/heat
@@ -55,7 +55,8 @@ LABEL org.opencontainers.image.description="OpenStack Service (heat) built for t
 COPY --from=dependency_build /var/lib/openstack /var/lib/openstack
 RUN export DEBIAN_FRONTEND=noninteractive \
 && apt-get update && apt-get upgrade -y \
- && apt-get install --no-install-recommends -y libxml2 \
+ && apt-get install --no-install-recommends -y curl \
+ libxml2 \
 libxslt1.1 \
 libopenmpi3 \
 && apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false \
From 248d30f1282093dcebad6c86ff7f00d8361cfe86 Mon Sep 17 00:00:00 2001
From: Kevin Carter
Date: Wed, 18 Jun 2025 16:00:17 -0500
Subject: [PATCH 2/2] fix: update urllib3
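Review bot: The `curl` added to the `apt-get install` line of the final heat stage has no stated consumer, and the glance hunk in this same patch removes it from the sibling image, so the two runtime images now differ for a reason recorded only in the subject line. A network client in a service image is also available to anything that gains execution inside the container, so the file should name what needs it; I would add a comment above the `RUN`, e.g. `# curl is needed at runtime by <consumer, to be named>; drop it when that goes away`. The `RUN` instruction continues past the end of the hunk, so the rest of the cleanup chain is not visible here.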
Signed-off-by: Kevin Carter
---
 scripts/glance-cve-patching.sh | 5 +++--
 scripts/heat-cve-patching.sh | 5 +++--
 scripts/keystone-cve-patching.sh | 5 +++--
 scripts/octavia-cve-patching.sh | 5 +++--
 4 files changed, 12 insertions(+), 8 deletions(-)
diff --git a/scripts/glance-cve-patching.sh b/scripts/glance-cve-patching.sh
index 657509b..90bdb7c 100644
--- a/scripts/glance-cve-patching.sh
+++ b/scripts/glance-cve-patching.sh
@@ -4,7 +4,8 @@ if [ ${OS_VERSION:-master} = "stable/2025.1" ]; then
 # CVE fixes CVE-2025-27516,CVE-2024-47081
 /var/lib/openstack/bin/pip install --upgrade \
 "Jinja2==3.1.6" \
- "requests==2.32.4"
+ "requests==2.32.4" \
+ "urllib3==1.26.20"
 elif [ ${OS_VERSION:-master} = "stable/2024.1" ]; then
 # CVE fixes CVE-2024-34064,CVE-2024-56201,CVE-2024-56326,CVE-2025-27516,CVE-2024-36039,CVE-2024-42353,GHSA-h4gh-qq45-vh27,
 # CVE-2023-29483,CVE-2024-3651,CVE-2024-35195,CVE-2024-4340,CVE-2024-37891,CVE-2024-5569,CVE-2024-12797,CVE-2024-47081
@@ -18,6 +19,6 @@ elif [ ${OS_VERSION:-master} = "stable/2024.1" ]; then
 "idna>=3.7,<3.8" \
 "requests==2.32.4" \
 "sqlparse>=0.5.0,<0.6" \
- "urllib3==1.26.19" \
+ "urllib3==1.26.20" \
 "zipp>=3.19.1,<3.20"
 fi
diff --git a/scripts/heat-cve-patching.sh b/scripts/heat-cve-patching.sh
index f8bf571..a02d85e 100644
--- a/scripts/heat-cve-patching.sh
+++ b/scripts/heat-cve-patching.sh
@@ -4,7 +4,8 @@ if [ ${OS_VERSION:-master} = "stable/2025.1" ]; then
 # CVE fixes CVE-2025-27516,CVE-2024-47081
 /var/lib/openstack/bin/pip install --upgrade \
 "Jinja2==3.1.6" \
- "requests==2.32.4"
+ "requests==2.32.4" \
+ "urllib3==1.26.20"
 elif [ ${OS_VERSION:-master} = "stable/2024.1" ]; then
 # CVE fixes CVE-2024-34064,CVE-2024-56201,CVE-2024-56326,CVE-2025-27516,CVE-2024-36039,CVE-2024-42353,GHSA-h4gh-qq45-vh27,
 # CVE-2023-29483,CVE-2024-3651,CVE-2024-35195,CVE-2024-37891,CVE-2024-12797,CVE-2024-47081
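Review bot: The `"urllib3==1.26.20"` pin added to the `stable/2025.1` branch of scripts/glance-cve-patching.sh is not tied to any advisory: the comment above the `pip install` still reads `# CVE fixes CVE-2025-27516,CVE-2024-47081`, so a later reader cannot tell which finding the pin closes or when it can be dropped. I would extend that comment with the id, e.g. `# CVE fixes CVE-2025-27516,CVE-2024-47081,<urllib3 advisory id>`, and confirm against the advisory's fixed-version field that the pinned release actually contains the fix. Because an exact `==` pin is installed even when the venv already holds a newer release, it is also worth checking that this does not move urllib3 backwards on 2025.1. The same applies to the matching first hunks of heat-, keystone- and octavia-cve-patching.sh; the `if`/`elif` block starts and ends outside each hunk.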
@@ -17,5 +18,5 @@ elif [ ${OS_VERSION:-master} = "stable/2024.1" ]; then
 "eventlet==0.35.2" \
 "idna==3.7" \
 "requests==2.32.4" \
- "urllib3==1.26.19"
+ "urllib3==1.26.20"
 fi
diff --git a/scripts/keystone-cve-patching.sh b/scripts/keystone-cve-patching.sh
index a999ffb..14b5257 100644
--- a/scripts/keystone-cve-patching.sh
+++ b/scripts/keystone-cve-patching.sh
@@ -4,7 +4,8 @@ if [ ${OS_VERSION:-master} = "stable/2025.1" ]; then
 # CVE fixes CVE-2025-27516,CVE-2024-47081
 /var/lib/openstack/bin/pip install --upgrade \
 "Jinja2==3.1.6" \
- "requests==2.32.4"
+ "requests==2.32.4" \
+ "urllib3==1.26.20"
 elif [ ${OS_VERSION:-master} = "stable/2024.1" ]; then
 # CVE fixes CVE-2024-34064,CVE-2024-56201,CVE-2024-56326,CVE-2025-27516,CVE-2024-36039,CVE-2024-42353,CVE-2024-34069,
 # CVE-2024-49766,CVE-2024-49767,GHSA-h4gh-qq45-vh27,CVE-2023-29483,CVE-2024-3651,CVE-2024-35195,CVE-2024-37891,
@@ -20,5 +21,5 @@ elif [ ${OS_VERSION:-master} = "stable/2024.1" ]; then
 "eventlet>=0.35.2,<0.36" \
 "idna>=3.7,<3.8" \
 "requests==2.32.4" \
- "urllib3==1.26.19"
+ "urllib3==1.26.20"
 fi
diff --git a/scripts/octavia-cve-patching.sh b/scripts/octavia-cve-patching.sh
index eaa2f21..2d66162 100644
--- a/scripts/octavia-cve-patching.sh
+++ b/scripts/octavia-cve-patching.sh
@@ -4,7 +4,8 @@ if [ ${OS_VERSION:-master} = "stable/2025.1" ]; then
 # CVE fixes CVE-2025-27516,CVE-2024-47081
 /var/lib/openstack/bin/pip install --upgrade \
 "Jinja2==3.1.6" \
- "requests==2.32.4"
+ "requests==2.32.4" \
+ "urllib3==1.26.20"
 elif [ ${OS_VERSION:-master} = "stable/2024.1" ]; then
 # CVE fixes CVE-2024-36039,CVE-2024-6827,CVE-2024-1135,CVE-2024-49767,CVE-2024-34069,CVE-2024-56326,CVE-2024-56326,CVE-2024-56201
 # CVE-2024-35195,CVE-2024-37891,CVE-2024-3651,CVE-2023-29483,CVE-2024-49766,CVE-2024-42353,CVE-2025-27516,CVE-2024-34064
@@ -21,6 +22,6 @@ elif [ ${OS_VERSION:-master} = "stable/2024.1" ]; then
 "idna==3.7" \
 "pyopenssl==24.3.0" \
 "requests==2.32.4" \
- "urllib3==1.26.19" \
+ "urllib3==1.26.20" \
 "zipp==3.19.1"
 fi