From eochieng at redhat.com Fri Sep 3 13:01:04 2021
From: eochieng at redhat.com (Edmund Ochieng)
Date: Fri, 03 Sep 2021 13:01:04 -0000
Subject: [scl.org] [2 min Read] RHEL8/Postgresql-13 Image Init Scripts
Message-ID:

Hello,

*TLDR*: Do RHEL8 Postgresql images support the use of custom scripts to initialize new databases?

*Background*: I am working with Pachyderm Inc, a Red Hat Partner, who is building an operator that should go through Operator certification. Their cluster offering currently uses the Bitnami postgresql image, which is not available as a certified image. We are therefore looking to switch them over to using the above-mentioned image.

While the switch-over has been smooth, there is one thing we are still attempting to figure out. The Bitnami image allows users to provide custom scripts to be used to initialize a fresh instance of a database. The said scripts would be located at /docker-entrypoint-initdb.d

Do the RHEL8 postgresql images have similar functionality?

--
Edmund Ochieng
Software Engineer, Ecosystem Engineering

From stefan.bergstein at redhat.com Tue Sep 28 10:12:55 2021
From: stefan.bergstein at redhat.com (Stefan Bergstein)
Date: Tue, 28 Sep 2021 12:12:55 +0200
Subject: [scl.org] CVE Info of Red Hat Container images not correct (?)
Message-ID:

Hello Sokratis, hi Software Collections team,

I am writing to you because you are listed as maintainer of the Apache HTTP 2.4 [Sokratis] and JBoss Web Server 5.5 (OpenJDK8) on UBI 8 [sclorg] images.

My customer Bosch raised a security issue about Red Hat Container images in the Red Hat Container Catalog [1]. In short, software packages in Red Hat Container images are not updated according to CVE recommendations and/or do not contain the required CVE information.

Two examples from the customer's SRE team:

*Apache HTTP 2.4.x*
The CVE-2021-36160 [2] describes that Apache HTTP Server versions 2.4.30 to 2.4.48 are impacted. The current Red Hat Apache HTTP 2.4 image [3] (1-156, latest, 7 days old) contains httpd 2.4.37 and also does not indicate the CVE-2021-36160.

*JBoss Web Server 5.5 (OpenJDK8) on UBI 8*
The CVE-2021-29425 [4] describes that Apache Commons IO before 2.7 is impacted. The current JBoss Web Server 5.5 (OpenJDK8) on UBI 8 image [5] (1.0-51627017160, latest, 2 months old) still contains Apache-commons-io 2.6 and also does not indicate the CVE-2021-29425.

The customer's SRE team must respond to the Bosch CERT Advisory and is requesting the following information:

1. In both examples, are the CVEs not fixed yet?
2. CVE-2021-36160 is moderate [6], but the Red Hat Container Catalog does not show any information. Is there any reason?
3. CVE-2021-29425 seems to be fixed for Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8 but not for the JBoss Web Server 5.5 (OpenJDK8) on UBI 8 image, but the Red Hat Container Catalog does not show any information. Is there any reason?

Please also let me know if I misinterpreted the CVE data on the Red Hat Container Catalog.

Thank you,
Stefan

[1] https://catalog.redhat.com/software/containers/search
[2] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-36160
[3] https://catalog.redhat.com/software/containers/rhel8/httpd-24/5ba0addbbed8bd6ee819856a?container-tabs=security
[4] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29425
[5] https://catalog.redhat.com/software/containers/rhel8/httpd-24/5ba0addbbed8bd6ee819856a?container-tabs=security
[6] https://access.redhat.com/security/cve/CVE-2021-36160
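The version-range comparison the SRE team performed above, as an added example that is not part of the thread: it checks a constructed package inventory for the two images against the two affected ranges quoted in the e-mail. Image labels and the inventory are constructed for this example; a hit only means the upstream version string falls in the range, which is not conclusive for enterprise distributions that backport fixes without bumping the version, so the vendor's errata and CVE pages remain the authority.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '2.4.37' into (2, 4, 37); non-numeric suffixes are dropped."""
    parts = []
    for p in v.split("."):
        digits = "".join(ch for ch in p if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)

@dataclass
class AffectedRange:
    cve: str
    package: str
    low: Optional[str]      # inclusive lower bound; None = every earlier version
    high: str               # last affected (inclusive) or first fixed (exclusive)
    high_inclusive: bool

def is_affected(version: str, rng: AffectedRange) -> bool:
    """True when the version string lies inside the CVE's affected range."""
    v = parse_version(version)
    if rng.low is not None and v < parse_version(rng.low):
        return False
    h = parse_version(rng.high)
    return v <= h if rng.high_inclusive else v < h

# The two ranges exactly as quoted in the e-mail (constructed records).
RANGES = [
    AffectedRange("CVE-2021-36160", "httpd", "2.4.30", "2.4.48", True),
    AffectedRange("CVE-2021-29425", "apache-commons-io", None, "2.7", False),
]

def check_inventory(inventory: Dict[str, Dict[str, str]]) -> List[Tuple[str, str, str, str]]:
    """inventory: image -> {package: version}. Returns (image, cve, package, version) hits."""
    hits = []
    for image, pkgs in inventory.items():
        for rng in RANGES:
            ver = pkgs.get(rng.package)
            if ver is not None and is_affected(ver, rng):
                hits.append((image, rng.cve, rng.package, ver))
    return hits

# Constructed inventory reflecting the versions named in the e-mail.
INVENTORY = {
    "rhel8/httpd-24:1-156": {"httpd": "2.4.37"},
    "jws-5.5-openjdk8-ubi8 (placeholder label)": {"apache-commons-io": "2.6"},
}

if __name__ == "__main__":
    for hit in check_inventory(INVENTORY):
        print("upstream version in affected range; confirm against vendor errata:", hit)
```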