From e2d1d379d53e86243e5922b0ae62ed9d0a13a17e Mon Sep 17 00:00:00 2001
From: Christopher Desiniotis
Date: Wed, 16 Mar 2022 17:41:21 +0000
Subject: [PATCH] Update libsasl in both ubuntu/ubi toolkit images to address CVE-2022-24407
---
 .common-ci.yml | 5 ++++-
 build/container/Dockerfile.ubuntu | 7 +++++++
 2 files changed, 11 insertions(+), 1 deletion(-)
diff --git a/.common-ci.yml b/.common-ci.yml
index de6e9863..157da324 100644
--- a/.common-ci.yml
+++ b/.common-ci.yml
@@ -42,11 +42,12 @@ stages:
 .dist-centos7:
 variables:
 DIST: centos7
- CVE_UPDATES: "nss"
+ CVE_UPDATES: "cyrus-sasl-lib"
 .dist-centos8:
 variables:
 DIST: centos8
+ CVE_UPDATES: "cyrus-sasl-lib"
 .dist-debian10:
 variables:
@@ -63,6 +64,7 @@ stages:
 .dist-ubi8:
 variables:
 DIST: ubi8
+ CVE_UPDATES: "cyrus-sasl-lib"
 .dist-ubuntu16.04:
 variables:
@@ -71,6 +73,7 @@ stages:
 .dist-ubuntu18.04:
 variables:
 DIST: ubuntu18.04
+ CVE_UPDATES: "libsasl2-2 libsasl2-modules-db"
 .dist-packaging:
 variables:
diff --git a/build/container/Dockerfile.ubuntu b/build/container/Dockerfile.ubuntu
index b912d740..e262568d 100644
--- a/build/container/Dockerfile.ubuntu
+++ b/build/container/Dockerfile.ubuntu
@@ -92,4 +92,11 @@ LABEL description="See summary"
 COPY ./LICENSE /licenses/LICENSE
+# Install / upgrade packages here that are required to resolve CVEs
+ARG CVE_UPDATES
+RUN if [ -n "${CVE_UPDATES}" ]; then \
+ apt-get update && apt-get upgrade -y ${CVE_UPDATES} && \
+ rm -rf /var/lib/apt/lists/*; \
+ fi
+
 ENTRYPOINT ["/work/nvidia-toolkit"]
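Review bot: In the `.dist-centos7` stanza of the first `.common-ci.yml` hunk, `CVE_UPDATES` is overwritten rather than extended, so the centos7 image no longer gets the explicit `nss` upgrade the old value requested. If the centos7 base image has not since picked up the fixed nss (not visible from this patch), that earlier remediation silently regresses; unless that has been confirmed, keep both with `CVE_UPDATES: "nss cyrus-sasl-lib"`. All four stanzas this patch touches (centos8 here, ubi8 and ubuntu18.04 in the later hunks) list bare package names with nothing tying them to the advisory, so a comment above each entry such as `# CVE-2022-24407: drop once the base image ships the fixed libsasl` would tell a maintainer when the entry can be removed.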
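Review bot: `apt-get upgrade -y ${CVE_UPDATES}` in the new RUN step is not limited to the listed packages: as far as I know, apt-get's `upgrade` treats package arguments as extra requests and still upgrades everything else that is upgradable, so the image contents change with whatever the mirror serves at build time. To touch only the packages named for the CVE, use `apt-get install -y --only-upgrade ${CVE_UPDATES}`. The step also exits successfully when no fixed version is available, so the build gives no signal that CVE-2022-24407 is actually resolved. Running an image scan or an installed-version check in CI after the build would close that gap.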