Update base image for polkit vulnerability

I recognize that Discourse doesn’t directly call pkexec but it is present, setuid root, in the base image. At least when I looked yesterday it looked like it was still the vulnerable version. For defense-in-depth, it would be appropriate to update the base image to address CVE-2021-4034 either by updating the software, removing polkit, removing pkexec, or removing the setuid bit from pkexec.

My mitigation has been to add

  - exec: chmod 755 /usr/bin/pkexec

to the custom commands block in container definition YAML files.

If I’m wrong and CVE-2021-4034 has been addressed, please accept my apologies, let us know, and the next person who searches for polkit, pkexec, or CVE-2021-4034 will find this post. :slight_smile:

4 Likes
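
The mitigation from the post above as an idempotent check, added here as an example that is not part of the original thread or the Discourse project's code. The function names are hypothetical, and it uses `chmod u-s` instead of the poster's `chmod 755` so that only the setuid bit changes; `list_setuid` goes one step further and shows which other setuid files remain in an image directory.

```sh
#!/bin/sh
# Added example: verify and remove the setuid bit on pkexec inside a container.
# Function names are hypothetical; the default path is the one from the post.

# has_setuid PATH: succeeds if PATH is a regular file with the setuid bit set.
has_setuid() {
  [ -f "$1" ] && [ -u "$1" ]
}

# strip_setuid [PATH]: prints absent | already-clean | stripped | failed.
# Safe to run on every rebuild: it changes nothing once the bit is gone.
strip_setuid() {
  ss_target="${1:-/usr/bin/pkexec}"
  if [ ! -e "$ss_target" ]; then
    echo "absent"
    return 0
  fi
  if ! has_setuid "$ss_target"; then
    echo "already-clean"
    return 0
  fi
  # u-s clears only setuid; the remaining permission bits stay as they were.
  chmod u-s "$ss_target" 2>/dev/null || true
  # Re-check instead of trusting chmod's exit status.
  if has_setuid "$ss_target"; then
    echo "failed"
    return 1
  fi
  echo "stripped"
}

# list_setuid DIR: prints every setuid regular file under DIR (same filesystem),
# to confirm what is left after the mitigation has run.
list_setuid() {
  find "$1" -xdev -type f -perm -4000 2>/dev/null
}
```

Calling `strip_setuid` with no argument targets `/usr/bin/pkexec`; a result of `failed` means the caller lacked permission to change the file.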

I’m pretty sure it was mitigated by the commit “DEV: update launcher for new base image and pups gem (#602)” (discourse/discourse_docker@a87474c). You should get the new image by rebuilding the container and I think we will force a rebuild during updates sometime next week.

6 Likes

Thank you! That wasn’t yet available when I tested before I posted, though perhaps it landed between me testing and me posting. :roll_eyes:

Rebuilding again now to pick that up.

2 Likes
