
Security upgrade to Matomo 3.8.0 #5345

Merged
merged 2 commits into from
Jan 28, 2019

J0WI
Contributor

@J0WI J0WI commented Jan 26, 2019

This was not included in #5344, so I'm pushing this here.
https://matomo.org/changelog/matomo-3-8-0/

@J0WI
Contributor Author

J0WI commented Jan 28, 2019

Meanwhile 3.8.1 is released, fixing a regression in 3.8.0.

@yosifkit
Member

Diff:
diff --git a/_bashbrew-arches b/_bashbrew-arches
index a17f7d6..f1fbd6b 100644
--- a/_bashbrew-arches
+++ b/_bashbrew-arches
@@ -4,17 +4,14 @@ matomo:fpm @ arm32v7
 matomo:fpm @ arm64v8
 matomo:fpm @ i386
 matomo:fpm @ ppc64le
-matomo:fpm @ s390x
 matomo:fpm-alpine @ amd64
 matomo:fpm-alpine @ arm32v6
 matomo:fpm-alpine @ arm64v8
 matomo:fpm-alpine @ i386
 matomo:fpm-alpine @ ppc64le
-matomo:fpm-alpine @ s390x
 matomo:latest @ amd64
 matomo:latest @ arm32v5
 matomo:latest @ arm32v7
 matomo:latest @ arm64v8
 matomo:latest @ i386
 matomo:latest @ ppc64le
-matomo:latest @ s390x
diff --git a/_bashbrew-list b/_bashbrew-list
index b721b35..c4aa00f 100644
--- a/_bashbrew-list
+++ b/_bashbrew-list
@@ -2,14 +2,14 @@ matomo:3
 matomo:3-apache
 matomo:3-fpm
 matomo:3-fpm-alpine
-matomo:3.7
-matomo:3.7-apache
-matomo:3.7-fpm
-matomo:3.7-fpm-alpine
-matomo:3.7.0
-matomo:3.7.0-apache
-matomo:3.7.0-fpm
-matomo:3.7.0-fpm-alpine
+matomo:3.8
+matomo:3.8-apache
+matomo:3.8-fpm
+matomo:3.8-fpm-alpine
+matomo:3.8.1
+matomo:3.8.1-apache
+matomo:3.8.1-fpm
+matomo:3.8.1-fpm-alpine
 matomo:apache
 matomo:fpm
 matomo:fpm-alpine
diff --git a/matomo_fpm-alpine/Dockerfile b/matomo_fpm-alpine/Dockerfile
index b583414..717317e 100644
--- a/matomo_fpm-alpine/Dockerfile
+++ b/matomo_fpm-alpine/Dockerfile
@@ -1,4 +1,4 @@
-FROM php:7.1-fpm-alpine
+FROM php:7.2-fpm-alpine
 
 LABEL maintainer="pierre@piwik.org"
 
@@ -8,7 +8,6 @@ RUN set -ex; \
 		$PHPIZE_DEPS \
 		autoconf \
 		freetype-dev \
-		geoip-dev \
 		icu-dev \
 		libjpeg-turbo-dev \
 		libpng-dev \
@@ -28,13 +27,11 @@ RUN set -ex; \
 	; \
 	\
 # pecl will claim success even if one install fails, so we need to perform each install separately
-	pecl install APCu-5.1.15; \
-	pecl install geoip-1.1.1; \
+	pecl install APCu-5.1.16; \
 	pecl install redis-3.1.6; \
 	\
 	docker-php-ext-enable \
 		apcu \
-		geoip \
 		redis \
 	; \
 	\
@@ -47,7 +44,7 @@ RUN set -ex; \
 	apk add --virtual .piwik-phpext-rundeps $runDeps; \
 	apk del .build-deps
 
-ENV MATOMO_VERSION 3.7.0
+ENV MATOMO_VERSION 3.8.1
 
 RUN set -ex; \
 	apk add --no-cache --virtual .fetch-deps \
@@ -70,8 +67,15 @@ RUN set -ex; \
 COPY php.ini /usr/local/etc/php/conf.d/php-piwik.ini
 
 RUN set -ex; \
-	curl -fsSL -o /usr/src/piwik/misc/GeoIPCity.dat.gz https://geolite.maxmind.com/download/geoip/database/GeoLiteCity.dat.gz; \
-	gunzip /usr/src/piwik/misc/GeoIPCity.dat.gz
+	curl -fsSL -o GeoIPCity.tar.gz \
+		"https://geolite.maxmind.com/download/geoip/database/GeoLite2-City.tar.gz"; \
+	curl -fsSL -o GeoIPCity.tar.gz.md5 \
+		"https://geolite.maxmind.com/download/geoip/database/GeoLite2-City.tar.gz.md5"; \
+	echo "$(cat GeoIPCity.tar.gz.md5)  GeoIPCity.tar.gz" | md5sum -c -; \
+	mkdir /usr/src/GeoIPCity; \
+	tar -xf GeoIPCity.tar.gz -C /usr/src/GeoIPCity --strip-components=1; \
+	mv /usr/src/GeoIPCity/GeoLite2-City.mmdb /usr/src/piwik/misc/GeoLite2-City.mmdb; \
+	rm -rf GeoIPCity*
 
 COPY docker-entrypoint.sh /entrypoint.sh
 
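Review bot: The `md5sum -c` check in this RUN step compares the archive against a `.md5` file fetched from the same host and path as the archive itself, so it only detects a truncated or corrupted download; anyone able to alter the tarball at the origin could alter the digest as well, and authenticity rests on TLS alone. Because the URL is unversioned, a digest pinned in the Dockerfile would break on each upstream release, so at minimum I would document the limit with a comment such as `# integrity check only: the .md5 comes from the same origin as the archive and does not authenticate the database`. The cleanup `rm -rf GeoIPCity*` is relative to the working directory, which this hunk does not show, so `/usr/src/GeoIPCity` and the rest of the extracted tree probably stay in the layer; `rm -rf GeoIPCity.tar.gz GeoIPCity.tar.gz.md5 /usr/src/GeoIPCity` would make the cleanup explicit. The same lines appear in the matching hunks of matomo_fpm/Dockerfile and matomo_latest/Dockerfile.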
diff --git a/matomo_fpm/Dockerfile b/matomo_fpm/Dockerfile
index 948094b..cbce29f 100644
--- a/matomo_fpm/Dockerfile
+++ b/matomo_fpm/Dockerfile
@@ -1,4 +1,4 @@
-FROM php:7.1-fpm
+FROM php:7.2-fpm
 
 LABEL maintainer="pierre@piwik.org"
 
@@ -9,7 +9,6 @@ RUN set -ex; \
 	apt-get update; \
 	apt-get install -y --no-install-recommends \
 		libfreetype6-dev \
-		libgeoip-dev \
 		libjpeg-dev \
 		libldap2-dev \
 		libpng-dev \
@@ -28,13 +27,11 @@ RUN set -ex; \
 	; \
 	\
 # pecl will claim success even if one install fails, so we need to perform each install separately
-	pecl install APCu-5.1.15; \
-	pecl install geoip-1.1.1; \
+	pecl install APCu-5.1.16; \
 	pecl install redis-3.1.6; \
 	\
 	docker-php-ext-enable \
 		apcu \
-		geoip \
 		redis \
 	; \
 	\
@@ -52,7 +49,7 @@ RUN set -ex; \
 	apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false; \
 	rm -rf /var/lib/apt/lists/*
 
-ENV MATOMO_VERSION 3.7.0
+ENV MATOMO_VERSION 3.8.1
 
 RUN set -ex; \
 	fetchDeps=" \
@@ -81,8 +78,15 @@ RUN set -ex; \
 COPY php.ini /usr/local/etc/php/conf.d/php-piwik.ini
 
 RUN set -ex; \
-	curl -fsSL -o /usr/src/piwik/misc/GeoIPCity.dat.gz https://geolite.maxmind.com/download/geoip/database/GeoLiteCity.dat.gz; \
-	gunzip /usr/src/piwik/misc/GeoIPCity.dat.gz
+	curl -fsSL -o GeoIPCity.tar.gz \
+		"https://geolite.maxmind.com/download/geoip/database/GeoLite2-City.tar.gz"; \
+	curl -fsSL -o GeoIPCity.tar.gz.md5 \
+		"https://geolite.maxmind.com/download/geoip/database/GeoLite2-City.tar.gz.md5"; \
+	echo "$(cat GeoIPCity.tar.gz.md5)  GeoIPCity.tar.gz" | md5sum -c -; \
+	mkdir /usr/src/GeoIPCity; \
+	tar -xf GeoIPCity.tar.gz -C /usr/src/GeoIPCity --strip-components=1; \
+	mv /usr/src/GeoIPCity/GeoLite2-City.mmdb /usr/src/piwik/misc/GeoLite2-City.mmdb; \
+	rm -rf GeoIPCity*
 
 COPY docker-entrypoint.sh /entrypoint.sh
 
diff --git a/matomo_latest/Dockerfile b/matomo_latest/Dockerfile
index 4c675bc..7e504c3 100644
--- a/matomo_latest/Dockerfile
+++ b/matomo_latest/Dockerfile
@@ -1,4 +1,4 @@
-FROM php:7.1-apache
+FROM php:7.2-apache
 
 LABEL maintainer="pierre@piwik.org"
 
@@ -9,7 +9,6 @@ RUN set -ex; \
 	apt-get update; \
 	apt-get install -y --no-install-recommends \
 		libfreetype6-dev \
-		libgeoip-dev \
 		libjpeg-dev \
 		libldap2-dev \
 		libpng-dev \
@@ -28,13 +27,11 @@ RUN set -ex; \
 	; \
 	\
 # pecl will claim success even if one install fails, so we need to perform each install separately
-	pecl install APCu-5.1.15; \
-	pecl install geoip-1.1.1; \
+	pecl install APCu-5.1.16; \
 	pecl install redis-3.1.6; \
 	\
 	docker-php-ext-enable \
 		apcu \
-		geoip \
 		redis \
 	; \
 	\
@@ -52,7 +49,7 @@ RUN set -ex; \
 	apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false; \
 	rm -rf /var/lib/apt/lists/*
 
-ENV MATOMO_VERSION 3.7.0
+ENV MATOMO_VERSION 3.8.1
 
 RUN set -ex; \
 	fetchDeps=" \
@@ -81,8 +78,15 @@ RUN set -ex; \
 COPY php.ini /usr/local/etc/php/conf.d/php-piwik.ini
 
 RUN set -ex; \
-	curl -fsSL -o /usr/src/piwik/misc/GeoIPCity.dat.gz https://geolite.maxmind.com/download/geoip/database/GeoLiteCity.dat.gz; \
-	gunzip /usr/src/piwik/misc/GeoIPCity.dat.gz
+	curl -fsSL -o GeoIPCity.tar.gz \
+		"https://geolite.maxmind.com/download/geoip/database/GeoLite2-City.tar.gz"; \
+	curl -fsSL -o GeoIPCity.tar.gz.md5 \
+		"https://geolite.maxmind.com/download/geoip/database/GeoLite2-City.tar.gz.md5"; \
+	echo "$(cat GeoIPCity.tar.gz.md5)  GeoIPCity.tar.gz" | md5sum -c -; \
+	mkdir /usr/src/GeoIPCity; \
+	tar -xf GeoIPCity.tar.gz -C /usr/src/GeoIPCity --strip-components=1; \
+	mv /usr/src/GeoIPCity/GeoLite2-City.mmdb /usr/src/piwik/misc/GeoLite2-City.mmdb; \
+	rm -rf GeoIPCity*
 
 COPY docker-entrypoint.sh /entrypoint.sh
 

@yosifkit
Member

Build test of #5345; 51d5df7; amd64 (matomo):

$ bashbrew build matomo:3.8.1-apache
Building bashbrew/cache:ee3b01c818e145fcdfdddf56dfbf8ab7b5b4563af10141c9b77be42fcaeaf259 (matomo:3.8.1-apache)
Tagging matomo:3.8.1-apache
Tagging matomo:3.8-apache
Tagging matomo:3-apache
Tagging matomo:apache
Tagging matomo:3.8.1
Tagging matomo:3.8
Tagging matomo:3
Tagging matomo:latest

$ test/run.sh matomo:3.8.1-apache
testing matomo:3.8.1-apache
	'utc' [1/4]...passed
	'cve-2014--shellshock' [2/4]...passed
	'no-hard-coded-passwords' [3/4]...passed
	'override-cmd' [4/4]...passed


$ bashbrew build matomo:3.8.1-fpm
Building bashbrew/cache:4e31b06d63a90dfe6844b9f8a22fafd6eeedf3c8ed31e3c2c2179a168d507c3b (matomo:3.8.1-fpm)
Tagging matomo:3.8.1-fpm
Tagging matomo:3.8-fpm
Tagging matomo:3-fpm
Tagging matomo:fpm

$ test/run.sh matomo:3.8.1-fpm
testing matomo:3.8.1-fpm
	'utc' [1/4]...passed
	'cve-2014--shellshock' [2/4]...passed
	'no-hard-coded-passwords' [3/4]...passed
	'override-cmd' [4/4]...passed


$ bashbrew build matomo:3.8.1-fpm-alpine
Building bashbrew/cache:a6140763cdf2f410c63c4a52bbb35ab4b02315d8b04a3c13f0c7605682407fad (matomo:3.8.1-fpm-alpine)
Tagging matomo:3.8.1-fpm-alpine
Tagging matomo:3.8-fpm-alpine
Tagging matomo:3-fpm-alpine
Tagging matomo:fpm-alpine

$ test/run.sh matomo:3.8.1-fpm-alpine
testing matomo:3.8.1-fpm-alpine
	'utc' [1/4]...passed
	'cve-2014--shellshock' [2/4]...passed
	'no-hard-coded-passwords' [3/4]...passed
	'override-cmd' [4/4]...passed

@yosifkit yosifkit merged commit aafdac5 into docker-library:master Jan 28, 2019
@J0WI J0WI deleted the matomo branch January 28, 2019 22:52