Releases: uselagoon/lagoon-images
lagoon-images 22.4.1
Security release
This release addresses CVE-2022-24828 in composer - updating the versions of composer included in the base images to 1.10.26 and 2.2.12 (2.3.5 is still under consideration for inclusion, but is available to users via the --self-update flag to composer)
Notes about this release
There were some 22.5.0 images inadvertently tagged to dockerhub - these tags have now been replaced with 22.4.1 - they are the same content - the :latest tag still points to 22.4.1
Changes in this release
- feat: give php-fpm workers 30s to gracefully exit @smlx (#445)
- update composer 1 and New Relic versions @tobybellwood (#448)
Package Updates
- Update dependency php to v8.1.5 (main) @renovate (#451)
- Update dependency php to v8.0.18 (main) @renovate (#450)
- Update dependency php to v7.4.29 (main) @renovate (#449)
- Update dependency rabbitmq to v3.8.29 (main) @renovate (#447)
- Update dependency composer to v2.2.12 (main) @renovate (#446)
Full Changelog: 22.4.0...22.4.1
lagoon-images 22.4.0
The upstream Alpine releases in this release cover a number of vulnerabilities:
- Alpine 3.15.4, 3.14.6, 3.12.12 for busybox CVE-2022-28391
- Alpine 3.15.3, 3.14.5, 3.12.11 for zlib CVE-2018-25032
As of this release all supported (non-EOL) Alpine-based images are at their most recent versions (3.15.4 and 3.14.6/3.12.12 for those images pinned there)
Changes in this release
- Invoke chmod once per directory to fix permissions @christopher-hopper (#420)
Package Updates
- Update dependency alpine to v3.15.4 (main) @renovate (#442)
- Update dependency alpine to v3.15.3 (main) @renovate (#435)
- Update dependency alpine to v3.14.6 (main) @renovate (#441)
- Update dependency alpine to v3.14.5 (main) @renovate (#434)
- Update dependency alpine to v3.12.12 (main) @renovate (#440)
- Update dependency alpine to v3.12.11 (main) @renovate (#433)
- Update dependency openresty/openresty to v1.19.9.1-10-alpine-apk (main) @renovate (#443)
- Update dependency composer to v2.2.11 (main) @renovate (#436)
- Update dependency xdebug/xdebug to v3.1.4 (main) @renovate (#439)
New Contributors
- @christopher-hopper made their first contribution in #420
Full Changelog: 22.3.0...22.4.0
lagoon-images 22.3.0
Changes in this release
PHP-based images
- The XDEBUG settings for php have been updated to support XDebug 3 natively. Xdebug was always the default in PHP8.0 and PHP8.1, but owing to cross-configuration with PHP7.4, the necessary settings weren't configured properly. In this release, the PHP7.4 bundled version of the XDebug library has been updated to version 3 with the correct settings present.
- The New Relic and Blackfire agents have been updated and added to the PHP8.1 images.
- In addition, the build process has been optimised for the php-based images, and the resultant images are now almost 60% smaller than before.
Alpine Security fixes
This release also brings a raft of Alpine security updates:
- 3.15.1, 3.14.4, and 3.12.10 to fix openssl for CVE-2022-0778
- 3.15.2 to fix libretls for CVE-2022-0778
All current Alpine-based images are running the latest version of Alpine (3.15.2, 3.14.4, 3.12.10).
We are considering how best to continue to support the images built on previous, unsupported versions of Alpine (solr-7.7, mongo, varnish-5)
Other changes
- update helper tools @tobybellwood (#432)
- Pin to versioned OpenResty package image @tobybellwood (#431)
- Lightweight images @smlx (#426)
- Add support for configurable wait_timeout @shreddedbacon (#413)
- Xdebug 3 @kasperg (#353)
New Images
Package Updates
- Update dependency alpine to v3.15.2 (main) @renovate (#428)
- Update dependency alpine to v3.15.1 (main) @renovate (#421)
- Update dependency alpine to v3.14.4 (main) @renovate (#423)
- Update dependency alpine to v3.12.10 (main) @renovate (#422)
- Update dependency php to v8.1.4 (main) @renovate (#425)
- Update dependency php to v8.0.17 (main) @renovate (#424)
- Update dependency python to v3.10.4 (main) @renovate (#429)
- Update dependency python to v3.10.3 (main) @renovate (#416)
- Update dependency python to v3.9.12 (main) @renovate (#430)
- Update dependency python to v3.9.11 (main) @renovate (#419)
- Update dependency python to v3.8.13 (main) @renovate (#418)
- Update dependency python to v3.7.13 (main) @renovate (#417)
- Update dependency composer to v2.2.9 (main) @renovate (#414)
- Update dependency composer to v2.2.7 (main) @renovate (#411)
- Update dependency rabbitmq to v3.8.28 (main) @renovate (#427)
New Contributors
- @kasperg made their first contribution in #353
- @shreddedbacon made their first contribution in #413
Full Changelog: 22.2.0...22.3.0
lagoon-images 22.2.0 (Alpine 3.15 and version updates)
New Images
In this release, all images have been updated to Alpine 3.15 (release notes at https://alpinelinux.org/posts/Alpine-3.15.0-released.html)
In addition, we have also filled out the versions available for some of our images
- Postgres is now available in versions 11,12,13,14 - with -drupal variants
- Solr 8 is now available
- Python is now available in versions 3.7,3.8,3.9,3.10 - mirroring officially supported versions
- MariaDB is now available in versions 10.4,10.5,10.6 - with -drupal variants
In addition, we have broadened some of the test suites to provide better coverage, and streamlined some build steps to improve performance.
This release also includes the image updates required to address CVE-2021-21708 in PHP images.
Notes from the field
This Alpine release updated the openssh client libraries to version 8.8, which has deprecated support for RSA/SHA-1 keys (because they're bad!). If you use SSH from within your docker image, you should create a more cryptographically secure key. Details at https://www.openssh.com/releasenotes.html
Changes in this release
- update existing images to alpine 3.15 by @tobybellwood in #405
- Utilise buildkit cache-from to improve build times by @tobybellwood in #393
- re-enable quiet mode in makefile by @tobybellwood in #396
- fix upstream yum cache for elasticsearch-7 image by @tobybellwood in #397
- add specific PHP 7.4 and PHP 8.1 tests by @tobybellwood in #398
Package Updates
- Update Node.js to v16.14 (main) by @renovate in #400
- Update Node.js to v14.19 (main) by @renovate in #395
- Update dependency postgres to v14.2 (main) by @renovate in #408
- Update dependency postgres to v13.6 (main) by @renovate in #407
- Update dependency postgres to v12.10 (main) by @renovate in #403
- Update dependency postgres to v11.15 (main) by @renovate in #402
- Update dependency php to v8.1.3 (main) by @renovate in #410
- Update php Docker tag to v8.1.2 (main) by @renovate in #392
- Update dependency php to v8.0.16 (main) by @renovate in #409
- Update php Docker tag to v8.0.15 (main) by @renovate in #391
- Update dependency php to v7.4.28 (main) by @renovate in #406
- Update composer Docker tag to v2.2.6 (main) by @renovate in #399
- Update dependency phpredis/phpredis to v5.3.7 (main) by @renovate in #404
- Update dependency xdebug/xdebug to v3.1.3 (main) by @renovate in #394
Full Changelog: 22.1.0...22.2.0
lagoon-images 22.1.0
Changes in this release
- use official openresty package image instead of source image @tobybellwood (#338)
- update ELK log4j versions for new images @tobybellwood (#383)
- fixup jenkinsfile tests for upstream lagoon-example repo changes @tobybellwood (#376)
- update PHP agents and apps @tobybellwood (#378)
  - NewRelic PHP Agent to 9.18.1.303
  - Blackfire Agent to 2.5.2
  - Composer 1.x to 1.10.24
  - Drush 8.x to 8.4.10
  - Drush Launcher to 0.9.3
Package Updates
- Update composer Docker tag to v2.2.5 (main) @renovate (#390)
- Update composer Docker tag to v2.2.4 (main) @renovate (#372)
- Update dependency Imagick/imagick to v3.7.0 (main) @renovate (#380)
- Update dependency phpredis/phpredis to v5.3.6 (main) @renovate (#382)
- Update python Docker tag to v3.9.10 (main) @renovate (#384)
- Update ELK Stack Docker tags to v7.10.2 (main) (minor) @renovate (#180)
- Update ELK Stack Docker tags to v6.8.23 (main) (patch) @renovate (#381)
- Update rabbitmq Docker tag to v3.8.27 (main) @renovate (#377)
Full Changelog: 21.12.2...22.1.0
lagoon-images 21.12.2
Changes in this release
This release includes a couple of updates to Elasticsearch 6 and Solr 8, to implement the vendor's upstream mitigations (the upgrade of the log4j-core package in use).
What's Changed
- Update Solr Docker tag to v8.11.1 (main) by @renovate in #351
- Update ELK Stack Docker tags to v6.8.22 (main) (patch) by @renovate in #371
Package Updates
- Update php Docker tag to v7.4.27 (main) by @renovate in #367
- Update php Docker tag to v8.0.14 (main) by @renovate in #368
- Update php Docker tag to v8.1.1 (main) by @renovate in #369
- Update dependency phpredis/phpredis to v5.3.5 (main) by @renovate in #370
Full Changelog: 21.12.1...21.12.2
lagoon-images 21.12.1
Security Release
This release actions the most recent guidance on the log4j vulnerabilities at https://logging.apache.org/log4j/2.x/security.html
To comply with the advised mitigation, all instances of the log4j-core.jar files have been examined, and the JndiLookup.class removed.
This applies to the following images:
- uselagoon/logstash-6
- uselagoon/logstash-7
- uselagoon/elasticsearch-6
- uselagoon/elasticsearch-7
- uselagoon/solr7.7
- uselagoon/solr7.7-drupal
- uselagoon/solr7
- uselagoon/solr7-drupal
- uselagoon/solr8
- uselagoon/solr8-drupal
We will continue to monitor CVE-2021-45046 and CVE-2021-44228
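One way to confirm the JndiLookup.class removal described above in an image you build on top of these: the added example below (not code from the lagoon-images project) scans a directory tree for log4j-core jars and reports whether the class is still present. The function names are hypothetical, and the sample jars are constructed in a temporary directory for illustration.

```python
import tempfile
import zipfile
from pathlib import Path

# Entry removed by the mitigation described above (its path inside log4j-core jars).
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"


def audit_log4j_jars(root):
    """Map every log4j-core*.jar under root to True if JndiLookup.class is
    still present, False if it is gone, or None if the jar cannot be read
    (so it gets a manual look instead of being treated as clean)."""
    results = {}
    for jar in sorted(Path(root).rglob("log4j-core*.jar")):
        try:
            with zipfile.ZipFile(jar) as zf:
                results[str(jar)] = JNDI_LOOKUP in zf.namelist()
        except (zipfile.BadZipFile, OSError):
            results[str(jar)] = None
    return results


def build_sample_tree(root):
    """Constructed sample data: an unpatched jar, a patched jar, a corrupt file."""
    root = Path(root)
    unpatched = root / "solr" / "lib" / "log4j-core-0.0.0.jar"
    patched = root / "logstash" / "lib" / "log4j-core-0.0.0.jar"
    corrupt = root / "elasticsearch" / "lib" / "log4j-core-0.0.0.jar"
    for path in (unpatched, patched, corrupt):
        path.parent.mkdir(parents=True)
    with zipfile.ZipFile(unpatched, "w") as zf:
        zf.writestr(JNDI_LOOKUP, b"")
        zf.writestr("org/apache/logging/log4j/core/Logger.class", b"")
    with zipfile.ZipFile(patched, "w") as zf:
        zf.writestr("org/apache/logging/log4j/core/Logger.class", b"")
    corrupt.write_bytes(b"not a zip archive")
    return unpatched, patched, corrupt


if __name__ == "__main__":
    labels = {True: "JndiLookup.class PRESENT", False: "ok", None: "unreadable"}
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for path, present in audit_log4j_jars(tmp).items():
            print(f"{labels[present]:26} {path}")
```

Inside a container, point `audit_log4j_jars` at the filesystem root or the application directory rather than the sample tree.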
Changes in this release
- remove the JndiLookup class from the classpaths for CVE-2021-45046 and CVE-2021-44228 @tobybellwood (#365)
Package Updates
lagoon-images 21.12.0
Security Advisories
This image release has been made to mitigate CVE-2021-44228, which covers Apache-log4j2
The mitigation included in all images that use Java (Solr, Elasticsearch and Logstash) is to add additional system properties to the JVM startup: log4j2.formatMsgNoLookups=true
If you inherit these images and set additional system properties via SOLR_OPTS, LS_JAVA_OPTS, or ES_JAVA_OPTS, please make sure to either include the additional mitigation above or apply it via the environment variables defined in the log4j notice.
For users of the (now deprecated for a few months) Solr 5 and Solr 6 images - there are no known mitigations, and there are unlikely to be. Please update your sites to Solr 7 ASAP.
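A check for the inheritance pitfall described above, as an added example (not code from the lagoon-images project): it reports which of the three options variables are set in an environment without log4j2.formatMsgNoLookups=true. The function names and sample environments are constructed, and LOG4J_FORMAT_MSG_NO_LOOKUPS is assumed to be the environment-variable form the log4j notice refers to.

```python
import shlex

PROP = "log4j2.formatMsgNoLookups"
# Variables named in the release note above.
OPTS_VARS = ("SOLR_OPTS", "LS_JAVA_OPTS", "ES_JAVA_OPTS")
# Assumption: log4j's environment-variable form of the same setting.
ENV_FALLBACK = "LOG4J_FORMAT_MSG_NO_LOOKUPS"


def property_value(opts, prop=PROP):
    """Return the effective value of -D<prop>=... in a JVM options string,
    or None if it is absent. When the property is repeated, the last
    occurrence is the one that takes effect, so later tokens overwrite."""
    value = None
    for token in shlex.split(opts):
        if token.startswith(f"-D{prop}="):
            value = token.split("=", 1)[1]
        elif token == f"-D{prop}":
            value = ""
    return value


def missing_mitigation(env):
    """List the options variables that are set in env but do not end up
    with the property set to true. An environment-level fallback set to
    true covers all of them."""
    if env.get(ENV_FALLBACK, "").lower() == "true":
        return []
    return [
        var for var in OPTS_VARS
        if var in env and (property_value(env[var]) or "").lower() != "true"
    ]


if __name__ == "__main__":
    # Constructed sample: a child image overrides ES_JAVA_OPTS for heap
    # sizing and drops the property; SOLR_OPTS appends to it correctly.
    sample_env = {
        "ES_JAVA_OPTS": "-Xms2g -Xmx2g",
        "SOLR_OPTS": "-Dsolr.example=1 -Dlog4j2.formatMsgNoLookups=true",
    }
    print(missing_mitigation(sample_env))
```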
New Images
- PHP 8.1 has been added to the scheduled releases, including Composer 2 support as standard
- Solr 8 has been released as an "experimental" image - pending further testing. The upgrade path from Solr 7 to Solr 8 will require testing before rolling to production, and there are additional steps required to configure custom Solr configurations.
Deprecated Images
- PHP 7.3 is now no longer supported and the images will no longer be updated. Existing images will remain available for use on docker hub, but no updates will be made to them. You should update to PHP 8.0/8.1 ASAP (7.4 will be EOL in 2022)
Changes in this release
- Adding SOLR_OPTS, LS_JAVA_OPTS, and ES_JAVA_OPTS to patch against CVE-2021-44228 @cdchris12 (#358)
- Adds PHP 8.1, removes PHP 7.3 @tobybellwood (#352)
- change to "varnish" user as per upstream for varnish-6 @tobybellwood (#354)
- Add Experimental Solr 8 images @tobybellwood (#97)
Package Updates
- Update composer Docker tag to v2.1.14 (main) @renovate (#356 #359)
- Update dependency xdebug/xdebug to v3.1.2 (main) @renovate (#355 #360)
- Update solr Docker tag to v8.10.1 (main) @renovate (#350)
Full Changelog: 21.11.1...21.12.0
lagoon-images 21.11.1
This release includes the fixes for the vulnerabilities addressed in https://www.alpinelinux.org/posts/Alpine-3.14.3-released.html
All images are now on Alpine 3.14.3 (with the exception of those that are unable to be pinned to a newer release of Alpine, or are Debian-based)
Changes in this release
- Add complete scanning routine to tag builds @tobybellwood (#348)
- Elasticsearch 6 setting Default Memory values to the same as Elasticsearch 7 @dasrecht (#342)
Package Updates
- Update alpine Docker tag to v3.14.3 (main) by @renovate in #337
- Update alpine Docker tag to v3.12.9 (main) by @renovate in #336
- Update php Docker tag to v7.3.33 (main) by @renovate in #344
- Update php Docker tag to v7.4.26 (main) by @renovate in #345
- Update php Docker tag to v8.0.13 (main) by @renovate in #347
- Update postgres Docker tag to v12.9 (main) by @renovate in #335
- Update postgres Docker tag to v11.14 (main) by @renovate in #334
- Update python Docker tag to v3.9.9 (main) by @renovate in #341
- Update rabbitmq Docker tag to v3.8.25 (main) by @renovate in #332
- Update rabbitmq Docker tag to v3.8.26 (main) by @renovate in #346
Full Changelog: 21.11.0...21.11.1
lagoon-images 21.11.0
New Images
Changes in this release
Package Updates
- Update composer Docker tag to v2.1.12 (main) @renovate (#331)
- Update python Docker tag to v3.9.8 (main) @renovate (#330)
- Update composer Docker tag to v2.1.11 (main) @renovate (#327)
- Update php Docker tag to v7.3.32 (main) @renovate (#326)
- Update rabbitmq Docker tag to v3.8.23 (main) @renovate (#314)
- Update redis Docker tag to v6.2.6 (main) @renovate (#318)
- Update redis Docker tag to v5.0.14 (main) @renovate (#317)
- Update Node.js to v16.13 (main) @renovate (#306)
- Update Node.js to v14.18 (main) @renovate (#315)
- Update composer Docker tag to v2.1.9 (main) @renovate (#307)
- Update dependency php/pecl-file_formats-yaml to v2.2.2 (main) @renovate (#324)
- Update dependency xdebug/xdebug to v3.1.1 (main) @renovate (#316)
- Update dependency krakjoe/apcu to v5.1.21 (main) @renovate (#319)
- Update php Docker tag to v7.4.25 (main) @renovate (#313)
- Update php Docker tag to v8.0.12 (main) @renovate (#312)
- Update php Docker tag to v7.3.31 (main) @renovate (#311)
Full Changelog: 21.10.0...21.11.0