fix(horizon): fix cves in image
diff --git a/images/base/Earthfile b/images/base/Earthfile
index 89449e0..8d3c3b4 100644
--- a/images/base/Earthfile
+++ b/images/base/Earthfile
@@ -1,5 +1,9 @@
VERSION 0.7
image:
- FROM ubuntu:jammy
+ FROM ubuntu:jammy-20240111
LABEL org.opencontainers.image.source=https://github.com/vexxhost/atmosphere
+ # TODO(mnaser): Remove this when a new image that includes 1.4.0-11ubuntu2.4 is released.
+ # https://avd.aquasec.com/nvd/cve-2024-22365
+ DO ../+APT_INSTALL \
+ --PACKAGES "libpam0g libpam-modules libpam-modules-bin libpam-runtime"
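Review bot: The new `FROM ubuntu:jammy-20240111` line pins a dated tag but not a digest, so the base can still change under the same name, while the image references in roles/defaults/vars/main.yml in this same commit are all digest-pinned. Consider `FROM ubuntu:jammy-20240111@sha256:<DIGEST_OF_REVIEWED_IMAGE>` (placeholder, to be filled from the image that was actually scanned). Separately, the libpam workaround installs whatever candidate the mirror offers and never checks that 1.4.0-11ubuntu2.4 or later landed. APT_INSTALL is defined outside this hunk, so whether it accepts `pkg=version` is unknown, but a follow-up `RUN dpkg --compare-versions "$(dpkg-query -W -f='${Version}' libpam0g)" ge 1.4.0-11ubuntu2.4` would make the build fail if the CVE-2024-22365 fix is not present.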
diff --git a/images/openstack-service/Earthfile b/images/openstack-service/Earthfile
index dce33cb..11fb292 100644
--- a/images/openstack-service/Earthfile
+++ b/images/openstack-service/Earthfile
@@ -43,6 +43,11 @@
END
GIT CLONE --branch ${BRANCH} https://github.com/openstack/requirements /src
RUN \
+ sed -i 's/cryptography===40.0.2/cryptography===41.0.7/' /src/upper-constraints.txt && \
+ sed -i 's/Django===3.2.18/Django===3.2.23/' /src/upper-constraints.txt && \
+ sed -i 's/pyOpenSSL===23.1.1/pyOpenSSL===23.3.0/' /src/upper-constraints.txt && \
+ sed -i 's/requests===2.28.2/requests===2.31.0/' /src/upper-constraints.txt && \
+ sed -i 's/urllib3===1.26.15/urllib3===1.26.18/' /src/upper-constraints.txt && \
sed -i '/glance-store/d' /src/upper-constraints.txt && \
sed -i '/horizon/d' /src/upper-constraints.txt
SAVE ARTIFACT /src/upper-constraints.txt
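Review bot: The five added `sed -i 's/old/new/'` pins in this RUN exit 0 whether or not the pattern matches. If the `${BRANCH}` checkout of openstack/requirements carries a different version string than the one hard-coded on the left-hand side, the build still succeeds and the image keeps the unpatched constraint. Follow each substitution with an assertion such as `grep -q '^cryptography===41.0.7' /src/upper-constraints.txt && \` (one per package), so a missed pin fails the build and also signals when upstream has moved and the override can be dropped. The dots in the patterns are unescaped regex wildcards; this is harmless here, but `40\.0\.2` is the exact form. The target this RUN belongs to starts above the hunk.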
@@ -65,7 +70,7 @@
python3-pip \
python3-venv"
RUN --mount type=cache,target=/root/.cache \
- python3 -m venv --upgrade --system-site-packages /var/lib/openstack
+ python3 -m venv --upgrade-deps --system-site-packages /var/lib/openstack
COPY \
(+requirements/upper-constraints.txt --RELEASE=${RELEASE}) \
/upper-constraints.txt
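Review bot: `--upgrade-deps` on the `python3 -m venv` line fetches whatever pip and setuptools releases are current on PyPI at build time, so two builds of the same commit can produce different images. Those versions are also not governed by upper-constraints.txt, which is only copied in afterwards. If the intent is to replace the bundled pip/setuptools that the image scan flagged (inferred from the commit title), record that in a comment, e.g. `# --upgrade-deps: replace ensurepip's bundled pip/setuptools flagged by the CVE scan`. Consider pinning both explicitly so the fix is reproducible and auditable. The hunk opens inside a preceding package list and the target continues past its last line.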
diff --git a/roles/defaults/vars/main.yml b/roles/defaults/vars/main.yml
index 5f72712..93ec813 100644
--- a/roles/defaults/vars/main.yml
+++ b/roles/defaults/vars/main.yml
@@ -68,8 +68,8 @@
heat_engine_cleaner: ghcr.io/vexxhost/atmosphere/heat:2023.2@sha256:1b4c0f4338fbc22828d032b27a0caf4c167a3a3c5c964d9c99efb4a68572e6e3
heat_engine: ghcr.io/vexxhost/atmosphere/heat:2023.2@sha256:1b4c0f4338fbc22828d032b27a0caf4c167a3a3c5c964d9c99efb4a68572e6e3
heat_purge_deleted: ghcr.io/vexxhost/atmosphere/heat:2023.2@sha256:1b4c0f4338fbc22828d032b27a0caf4c167a3a3c5c964d9c99efb4a68572e6e3
- horizon_db_sync: ghcr.io/vexxhost/atmosphere/horizon:2023.2@sha256:4db3ed10fed0204a89f682c8cc0ea28bcd259e2d7537c7e51bcf9db69b1c7a9d
- horizon: ghcr.io/vexxhost/atmosphere/horizon:2023.2@sha256:4db3ed10fed0204a89f682c8cc0ea28bcd259e2d7537c7e51bcf9db69b1c7a9d
+ horizon_db_sync: ghcr.io/vexxhost/atmosphere/horizon:2023.2@sha256:c1b0d1b55a1f0286445e6676123cf02e315bf362578d1169615630908b4d7851
+ horizon: ghcr.io/vexxhost/atmosphere/horizon:2023.2@sha256:c1b0d1b55a1f0286445e6676123cf02e315bf362578d1169615630908b4d7851
ingress_nginx_controller: registry.k8s.io/ingress-nginx/controller:v1.1.1@sha256:e16123f3932f44a2bba8bc3cf1c109cea4495ee271d6d16ab99228b58766d3ab
ingress_nginx_default_backend: registry.k8s.io/defaultbackend-amd64:1.5@sha256:4dc5e07c8ca4e23bddb3153737d7b8c556e5fb2f29c4558b7cd6e6df99c512c7
ingress_nginx_kube_webhook_certgen: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v1.1.1@sha256:23a03c9c381fba54043d0f6148efeaf4c1ca2ed176e43455178b5c5ebf15ad70 # noqa: yaml[line-length]