Update GitLab to the 17.3.6 Security Patch Release

3abd8742 · Steven Terhar · a50c789d · 3abd8742 · 3abd8742 · 3abd8742
Verified Commit 3abd8742 authored 5 months ago by Steven Terhar
--- a/Dockerfile
+++ b/Dockerfile
-ARG GITLAB_VERSION=v17.3.0-ubi
-ARG BASE_REGISTRY=nexus-docker-secure.levelup-nexus.svc.cluster.local:18082
+ARG GITLAB_VERSION=v17.3.6-ubi
+ARG BASE_REGISTRY=registry1.dso.mil
 ARG BASE_IMAGE=gitlab/gitlab/gitlab-base
-ARG BASE_TAG=17.3.0
+ARG BASE_TAG=17.3.6
 ARG UBI_TAG=9.4

 ## FINAL IMAGE ##
@@ -17,8 +17,9 @@ COPY scripts/bundle-certificates-ubi /scripts/bundle-certificates
 COPY LICENSE /licenses/GitLab.txt

 # Ensure that update-ca-trust has permission when non-root user
-RUN chmod -R 775 /etc/pki/ca-trust/extracted && \
-    chmod -R 775 /usr/share/pki/ca-trust-source/anchors
+RUN chmod -R 777 /etc/pki/ca-trust/extracted && \
+    chmod -R 777 /etc/pki/tls/certs && \
+    chmod -R 777 /usr/share/pki/ca-trust-source/anchors

 ## Hardening: CIS L1 SCAP
 COPY hardening /hardening

--- a/build-scripts/build.sh
+++ b/build-scripts/build.sh
@@ -6,7 +6,7 @@ set -euxo pipefail

 REGISTRY=${1:-}
 REPOSITORY=${2:-"$(basename "$(builtin cd "$(dirname "$0")/.."; pwd)")"}
-TAG=${3:-17.3.0}
+TAG=${3:-17.3.6}

 DOCKER_BUILD="${DOCKER_BUILD:-docker build}"
 DOCKER_OPTS=${DOCKER_OPTS:-""}

--- a/hardening/xccdf_org.ssgproject.content_rule_accounts_umask_etc_bashrc.sh
+++ b/hardening/xccdf_org.ssgproject.content_rule_accounts_umask_etc_bashrc.sh
@@ -4,13 +4,18 @@ set -e
 (>&2 echo "Remediating: 'xccdf_org.ssgproject.content_rule_accounts_umask_etc_bashrc'")


-var_accounts_user_umask="027"
+# Remediation is applicable only in certain platforms
+if command -v bash; then

+var_accounts_user_umask='027'


-grep -q umask /etc/bashrc && \
-  sed -i "s/umask.*/umask $var_accounts_user_umask/g" /etc/bashrc
+grep -q "^[^#]*\bumask" /etc/bashrc && \
+  sed -i -E -e "s/^([^#]*\bumask)[[:space:]]+[[:digit:]]+/\1 $var_accounts_user_umask/g" /etc/bashrc
 if ! [ $? -eq 0 ]; then
    echo "umask $var_accounts_user_umask" >> /etc/bashrc
 fi

+else
+    >&2 echo 'Remediation is not applicable, nothing was done'
+fi
\ No newline at end of file
--- a/hardening_manifest.yaml
+++ b/hardening_manifest.yaml
@@ -5,12 +5,12 @@ name: "gitlab/gitlab/certificates"
 # The most specific version should be the first tag and will be shown
 # on ironbank.dsop.io
 tags:
-  - "17.3.0"
+  - "17.3.6"
  - "latest"
 # Build args passed to Dockerfile ARGs
 args:
  BASE_IMAGE: "gitlab/gitlab/gitlab-base"
-  BASE_TAG: "17.3.0"
+  BASE_TAG: "17.3.6"
  UBI_TAG: "9.4"
 # Docker image labels
 labels:
@@ -23,7 +23,7 @@ labels:
  org.opencontainers.image.url: "https://about.gitlab.com/"
  ## Name of the distributing entity, organization or individual
  org.opencontainers.image.vendor: "Gitlab"
-  org.opencontainers.image.version: "17.3.0"
+  org.opencontainers.image.version: "17.3.6"
  ## Keywords to help with search (ex. "cicd,gitops,golang")
  mil.dso.ironbank.image.keywords: "gitlab, git, gitops"
  ## This value can be "opensource" or "commercial"

--- a/scripts/bundle-certificates-ubi
+++ b/scripts/bundle-certificates-ubi
@@ -13,7 +13,7 @@ if [ $(ls -1 /usr/local/share/ca-certificates/ | wc -l) -gt 0 ]; then
 fi

 # Update the CA certificates store in /etc/pki/ca-trust/extracted/
-update-ca-trust
+update-ca-trust extract --output /etc/pki/ca-trust/extracted/
 echo "Updated CA trust"

 # Copy certificates into common path (/etc/ssl/certs)