Bump OpenID Connect and dependency cjose lib to pull in a security fi…

…x and a bunch of other fixes.
ucphhpc · Nov 4, 2024 · aee421f · aee421f
1 parent cefb3fd
commit aee421f
Show file tree

Hide file tree

Showing 2 changed files with 22 additions and 10 deletions.
diff --git a/Dockerfile.rocky8 b/Dockerfile.rocky8
@@ -131,7 +131,11 @@ ARG LOGROTATE_MIGRID="False"
 ARG BUILD_MOD_AUTH_OPENID=False
 # NOTE: mod auth openidc is a bit dated in OS repo - allow optional upgrade
 ARG UPGRADE_MOD_AUTH_OPENIDC=False
-# NOTE: source for optional mod auth openidc upgrade - upstream release if left unset
+# NOTE: source for optional mod auth openidc upgrade
+#       Defaults to a relatively recent upstream release if left unset.
+#       Alternatives are available at
+#       https://github.com/OpenIDC/cjose/releases
+#       https://github.com/OpenIDC/mod_auth_openidc/releases
 ARG UPGRADE_OIDC_CJOSE_SRC=""
 ARG UPGRADE_OIDC_AUTH_MOD_SRC=""
 ARG UPGRADE_PARAMIKO=False
@@ -550,14 +554,16 @@ RUN echo "UPGRADE_MOD_AUTH_OPENIDC: $UPGRADE_MOD_AUTH_OPENIDC"
 RUN if [ "$UPGRADE_MOD_AUTH_OPENIDC" = "True" ]; then \
         if [ -z "${UPGRADE_OIDC_AUTH_MOD_SRC}" ]; then \
 		echo "upgrading mod_auth_openidc from upstream release package"; \
-		UPGRADE_OIDC_AUTH_MOD_SRC="https://github.com/OpenIDC/mod_auth_openidc/releases/download/v2.4.15.7/mod_auth_openidc-2.4.15.7-1.el8.x86_64.rpm"; \
+		UPGRADE_OIDC_AUTH_MOD_SRC="https://github.com/OpenIDC/mod_auth_openidc/releases/download/v2.4.16.5/mod_auth_openidc-2.4.16.5-1.el8.x86_64.rpm"; \
 	else \
 		echo "upgrading mod_auth_openidc from ${UPGRADE_OIDC_AUTH_MOD_SRC}"; \
 	fi; \ 
         if [ -z "${UPGRADE_OIDC_CJOSE_SRC}" ]; then \
-		# NOTE: recent cjose is already included in rocky8+
-		echo "installing cjose dependency from OS package"; \
-		UPGRADE_OIDC_CJOSE_SRC="cjose"; \
+		# NOTE: recent cjose is already included in rocky8+ but lacks security fix
+		#echo "installing cjose dependency from OS package"; \
+		#UPGRADE_OIDC_CJOSE_SRC="cjose"; \
+		echo "upgrading cjose from upstream release package"; \
+		UPGRADE_OIDC_CJOSE_SRC="https://github.com/OpenIDC/cjose/releases/download/v0.6.2.3/cjose-0.6.2.3-1.el8.x86_64.rpm"; \
 	else \
 		echo "upgrading cjose from ${UPGRADE_OIDC_CJOSE_SRC}"; \
 	fi; \

diff --git a/Dockerfile.rocky9 b/Dockerfile.rocky9
@@ -131,7 +131,11 @@ ARG ENABLE_LOGROTATE="False"
 ARG LOGROTATE_MIGRID="False"
 # NOTE: mod auth openidc may be outdated in OS repo - allow optional upgrade
 ARG UPGRADE_MOD_AUTH_OPENIDC=False
-# NOTE: source for optional mod auth openidc upgrade - upstream release if left unset
+# NOTE: source for optional mod auth openidc upgrade
+#       Defaults to a relatively recent upstream release if left unset.
+#       Alternatives are available at
+#       https://github.com/OpenIDC/cjose/releases
+#       https://github.com/OpenIDC/mod_auth_openidc/releases
 ARG UPGRADE_OIDC_CJOSE_SRC=""
 ARG UPGRADE_OIDC_AUTH_MOD_SRC=""
 ARG UPGRADE_PARAMIKO=False
@@ -510,14 +514,16 @@ RUN echo "UPGRADE_MOD_AUTH_OPENIDC: $UPGRADE_MOD_AUTH_OPENIDC"
 RUN if [ "$UPGRADE_MOD_AUTH_OPENIDC" = "True" ]; then \
         if [ -z "${UPGRADE_OIDC_AUTH_MOD_SRC}" ]; then \
 		echo "upgrading mod_auth_openidc from upstream release package"; \
-		UPGRADE_OIDC_AUTH_MOD_SRC="https://github.com/OpenIDC/mod_auth_openidc/releases/download/v2.4.15.7/mod_auth_openidc-2.4.15.7-1.el9.x86_64.rpm"; \
+		UPGRADE_OIDC_AUTH_MOD_SRC="https://github.com/OpenIDC/mod_auth_openidc/releases/download/v2.4.16.5/mod_auth_openidc-2.4.16.5-1.el9.x86_64.rpm"; \
 	else \
 		echo "upgrading mod_auth_openidc from ${UPGRADE_OIDC_AUTH_MOD_SRC}"; \
 	fi; \ 
         if [ -z "${UPGRADE_OIDC_CJOSE_SRC}" ]; then \
-		# NOTE: recent cjose is already included in rocky8+
-		echo "installing cjose dependency from OS package"; \
-		UPGRADE_OIDC_CJOSE_SRC="cjose"; \
+		# NOTE: recent cjose is already included in rocky8+ but lacks security fix
+		#echo "installing cjose dependency from OS package"; \
+		#UPGRADE_OIDC_CJOSE_SRC="cjose"; \
+		echo "upgrading cjose from upstream release package"; \
+		UPGRADE_OIDC_CJOSE_SRC="https://github.com/OpenIDC/cjose/releases/download/v0.6.2.3/cjose-0.6.2.3-1.el9.x86_64.rpm"; \
 	else \
 		echo "upgrading cjose from ${UPGRADE_OIDC_CJOSE_SRC}"; \
 	fi; \