diff --git a/Dockerfile.rocky8 b/Dockerfile.rocky8
index 06205099..69c5e4e6 100755
--- a/Dockerfile.rocky8
+++ b/Dockerfile.rocky8
@@ -131,7 +131,11 @@ ARG LOGROTATE_MIGRID="False"
 ARG BUILD_MOD_AUTH_OPENID=False
 # NOTE: mod auth openidc is a bit dated in OS repo - allow optional upgrade
 ARG UPGRADE_MOD_AUTH_OPENIDC=False
-# NOTE: source for optional mod auth openidc upgrade - upstream release if left unset
+# NOTE: source for optional mod auth openidc upgrade
+# Defaults to a relatively recent upstream release if left unset.
+# Alternatives are available at
+# https://github.com/OpenIDC/cjose/releases
+# https://github.com/OpenIDC/mod_auth_openidc/releases
 ARG UPGRADE_OIDC_CJOSE_SRC=""
 ARG UPGRADE_OIDC_AUTH_MOD_SRC=""
 ARG UPGRADE_PARAMIKO=False
@@ -550,14 +554,16 @@ RUN echo "UPGRADE_MOD_AUTH_OPENIDC: $UPGRADE_MOD_AUTH_OPENIDC"
 RUN if [ "$UPGRADE_MOD_AUTH_OPENIDC" = "True" ]; then \
 if [ -z "${UPGRADE_OIDC_AUTH_MOD_SRC}" ]; then \
 echo "upgrading mod_auth_openidc from upstream release package"; \
- UPGRADE_OIDC_AUTH_MOD_SRC="https://github.com/OpenIDC/mod_auth_openidc/releases/download/v2.4.15.7/mod_auth_openidc-2.4.15.7-1.el8.x86_64.rpm"; \
+ UPGRADE_OIDC_AUTH_MOD_SRC="https://github.com/OpenIDC/mod_auth_openidc/releases/download/v2.4.16.5/mod_auth_openidc-2.4.16.5-1.el8.x86_64.rpm"; \
 else \
 echo "upgrading mod_auth_openidc from ${UPGRADE_OIDC_AUTH_MOD_SRC}"; \
 fi; \
 if [ -z "${UPGRADE_OIDC_CJOSE_SRC}" ]; then \
- # NOTE: recent cjose is already included in rocky8+
- echo "installing cjose dependency from OS package"; \
- UPGRADE_OIDC_CJOSE_SRC="cjose"; \
+ # NOTE: recent cjose is already included in rocky8+ but lacks security fix
+ #echo "installing cjose dependency from OS package"; \
+ #UPGRADE_OIDC_CJOSE_SRC="cjose"; \
+ echo "upgrading cjose from upstream release package"; \
+ UPGRADE_OIDC_CJOSE_SRC="https://github.com/OpenIDC/cjose/releases/download/v0.6.2.3/cjose-0.6.2.3-1.el8.x86_64.rpm"; \
 else \
 echo "upgrading cjose from ${UPGRADE_OIDC_CJOSE_SRC}"; \
 fi; \
diff --git a/Dockerfile.rocky9 b/Dockerfile.rocky9
index 3243c20d..64059bcb 100755
--- a/Dockerfile.rocky9
+++ b/Dockerfile.rocky9
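Review bot: The new default sources in the second hunk of Dockerfile.rocky8 pin a version in the URL but nothing visible pins the content, so the build trusts whatever the GitHub release serves at build time; this matters more now that cjose no longer defaults to the OS repository, where dnf normally verifies the repository signature. The install step is outside the hunk, so confirm whether it verifies anything; if it does not, record a digest beside each default URL and check it before installing, e.g. `echo "${UPGRADE_OIDC_CJOSE_SHA256}  /tmp/cjose.rpm" | sha256sum -c -` (the ARG name and path are placeholders). The same applies to the matching second hunk of Dockerfile.rocky9. A caller-supplied `UPGRADE_OIDC_CJOSE_SRC` or `UPGRADE_OIDC_AUTH_MOD_SRC` would need its own digest, or the ARG comment should state that such sources are installed unverified.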
@@ -131,7 +131,11 @@ ARG ENABLE_LOGROTATE="False"
 ARG LOGROTATE_MIGRID="False"
 # NOTE: mod auth openidc may be outdated in OS repo - allow optional upgrade
 ARG UPGRADE_MOD_AUTH_OPENIDC=False
-# NOTE: source for optional mod auth openidc upgrade - upstream release if left unset
+# NOTE: source for optional mod auth openidc upgrade
+# Defaults to a relatively recent upstream release if left unset.
+# Alternatives are available at
+# https://github.com/OpenIDC/cjose/releases
+# https://github.com/OpenIDC/mod_auth_openidc/releases
 ARG UPGRADE_OIDC_CJOSE_SRC=""
 ARG UPGRADE_OIDC_AUTH_MOD_SRC=""
 ARG UPGRADE_PARAMIKO=False
@@ -510,14 +514,16 @@ RUN echo "UPGRADE_MOD_AUTH_OPENIDC: $UPGRADE_MOD_AUTH_OPENIDC"
 RUN if [ "$UPGRADE_MOD_AUTH_OPENIDC" = "True" ]; then \
 if [ -z "${UPGRADE_OIDC_AUTH_MOD_SRC}" ]; then \
 echo "upgrading mod_auth_openidc from upstream release package"; \
- UPGRADE_OIDC_AUTH_MOD_SRC="https://github.com/OpenIDC/mod_auth_openidc/releases/download/v2.4.15.7/mod_auth_openidc-2.4.15.7-1.el9.x86_64.rpm"; \
+ UPGRADE_OIDC_AUTH_MOD_SRC="https://github.com/OpenIDC/mod_auth_openidc/releases/download/v2.4.16.5/mod_auth_openidc-2.4.16.5-1.el9.x86_64.rpm"; \
 else \
 echo "upgrading mod_auth_openidc from ${UPGRADE_OIDC_AUTH_MOD_SRC}"; \
 fi; \
 if [ -z "${UPGRADE_OIDC_CJOSE_SRC}" ]; then \
- # NOTE: recent cjose is already included in rocky8+
- echo "installing cjose dependency from OS package"; \
- UPGRADE_OIDC_CJOSE_SRC="cjose"; \
+ # NOTE: recent cjose is already included in rocky8+ but lacks security fix
+ #echo "installing cjose dependency from OS package"; \
+ #UPGRADE_OIDC_CJOSE_SRC="cjose"; \
+ echo "upgrading cjose from upstream release package"; \
+ UPGRADE_OIDC_CJOSE_SRC="https://github.com/OpenIDC/cjose/releases/download/v0.6.2.3/cjose-0.6.2.3-1.el9.x86_64.rpm"; \
 else \
 echo "upgrading cjose from ${UPGRADE_OIDC_CJOSE_SRC}"; \
 fi; \
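Review bot: The replacement comment in the cjose branch of the second Dockerfile.rocky9 hunk (`if [ -z "${UPGRADE_OIDC_CJOSE_SRC}" ]`) says the OS package "lacks security fix" without saying which fix, so a later maintainer cannot tell when the default may safely return to the distro package. I would name the advisory and drop the two commented-out lines, which remain only as dead text inside the RUN continuation: `# NOTE: OS cjose lacks the fix for <ADVISORY-ID>; default to the upstream release until the distro package includes it`. The same comment and commented-out lines appear in the second hunk of Dockerfile.rocky8. The enclosing RUN continues past the end of the hunk.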