Update base image for polkit vulnerability

mcdanlj · January 28, 2022, 12:48pm

I recognize that Discourse doesn’t directly call pkexec but it is present, setuid root, in the base image. At least when I looked yesterday it looked like it was still the vulnerable version. For defense-in-depth, it would be appropriate to update the base image to address CVE-2021-4034 either by updating the software, removing polkit, removing pkexec, or removing the setuid bit from pkexec.

My mitigation has been to add

  - exec: chmod 755 /usr/bin/pkexec

to the custom commands block in container definition YAML files.

If I’m wrong and CVE-2021-4034 has been addressed, please accept my apologies, let us know, and the next person who searches for polkit, pkexec, or CVE-2021-4034 will find this post.

gerhard · January 29, 2022, 10:38pm

I’m pretty sure it was mitigated by DEV: update launcher for new base image and pups gem (#602) · discourse/discourse_docker@a87474c · GitHub. You should get the new image by rebuilding the container and I think we will force a rebuild during updates sometime next week.

mcdanlj · January 29, 2022, 11:02pm

Thank you! That wasn’t yet available when I tested before I posted, though perhaps it landed between me testing and me posting.

Rebuilding again now to pick that up.

system · February 28, 2022, 11:03pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Problem upgrade to 2.5.0.beta4 Installation	7	963	May 11, 2020
Sorry there was an error upgrading Discourse Support	6	618	March 20, 2021
Old Postgres on Docker Image with two containers: web and data Installation two-container	10	1431	December 18, 2020
Fresh install old Discourse version? Installation unsupported-install	6	707	April 12, 2024
Another discourse offline "bootstrap failed with exit code 5" Installation	10	707	December 31, 2023

Update base image for polkit vulnerability

Related Topics