v2.32.1 | docker vulnerabilities fix - Vulnerable libraries updated to fixed versions

robin.j 2026-02-12 11:10:30 +05:30
parent 96dd891512
commit a7dfcdd69f
14 changed files with 185 additions and 34 deletions


@ -2,7 +2,7 @@
# Global variables
OPENVIDU_FOLDER=openvidu
OPENVIDU_VERSION=v2
OPENVIDU_VERSION=v2.32.1
OPENVIDU_UPGRADABLE_VERSION="2.32"
DOWNLOAD_URL=https://raw.githubusercontent.com/OpenVidu/openvidu/${OPENVIDU_VERSION}


@ -3,7 +3,7 @@
# Global variables
OPENVIDU_FOLDER=ov-enterprise-base-services
ELASTICSEARCH_FOLDER=${OPENVIDU_FOLDER}/elasticsearch
OPENVIDU_VERSION=v2
OPENVIDU_VERSION=v2.32.1
OPENVIDU_UPGRADABLE_VERSION="2.32"
DOWNLOAD_URL=https://raw.githubusercontent.com/OpenVidu/openvidu/${OPENVIDU_VERSION}


@ -2,7 +2,7 @@
# Global variables
OPENVIDU_FOLDER=openvidu
OPENVIDU_VERSION=v2
OPENVIDU_VERSION=v2.32.1
OPENVIDU_UPGRADABLE_VERSION="2.32"
BEATS_FOLDER=${OPENVIDU_FOLDER}/beats
DOWNLOAD_URL=https://raw.githubusercontent.com/OpenVidu/openvidu/${OPENVIDU_VERSION}


@ -2,7 +2,7 @@
# Global variables
OPENVIDU_FOLDER=openvidu
OPENVIDU_VERSION=v2
OPENVIDU_VERSION=v2.32.1
OPENVIDU_UPGRADABLE_VERSION="2.32"
AWS_SCRIPTS_FOLDER=${OPENVIDU_FOLDER}/cluster/aws
ELASTICSEARCH_FOLDER=${OPENVIDU_FOLDER}/elasticsearch


@ -1,7 +1,7 @@
#!/usr/bin/env bash
MEDIA_NODE_FOLDER=kms
MEDIA_NODE_VERSION=v2
MEDIA_NODE_VERSION=v2.32.1
OPENVIDU_UPGRADABLE_VERSION="2.32"
BEATS_FOLDER=${MEDIA_NODE_FOLDER}/beats
OPENVIDU_RECORDINGS_FOLDER="/opt/openvidu/recordings"


@ -2,7 +2,7 @@
# Global variables
OPENVIDU_FOLDER=openvidu
OPENVIDU_VERSION=v2
OPENVIDU_VERSION=v2.32.1
OPENVIDU_UPGRADABLE_VERSION="2.32"
ELASTICSEARCH_FOLDER=${OPENVIDU_FOLDER}/elasticsearch
BEATS_FOLDER=${OPENVIDU_FOLDER}/beats


@ -2,7 +2,7 @@
# Global variables
OPENVIDU_FOLDER=openvidu
OPENVIDU_VERSION=v2
OPENVIDU_VERSION=v2.32.1
OPENVIDU_UPGRADABLE_VERSION="2.32"
AWS_SCRIPTS_FOLDER=${OPENVIDU_FOLDER}/cluster/aws
ELASTICSEARCH_FOLDER=${OPENVIDU_FOLDER}/elasticsearch


@ -1,8 +1,15 @@
FROM coturn/coturn:4.7.0-r2-alpine
# SECURITY UPDATE: Updated from Alpine-based coturn:4.7.0-r2-alpine to Debian-based coturn:latest
# Provides better security patch management and resolves vulnerabilities in libgnutls, libssl, libpq
FROM coturn/coturn:latest
USER root
RUN apk add --no-cache bind-tools grep curl
# SECURITY UPDATE: Update existing packages with security patches
# Fixes vulnerabilities in system packages while maintaining compatibility
# Fallback mechanism ensures build continues even if repositories are temporarily unavailable
RUN apt update && apt -y upgrade --with-new-pkgs && apt clean && rm -rf /var/lib/apt/lists/* || \
# Fallback if repositories are unreachable - skip updates but continue build
echo "Repository access failed, continuing with existing packages"
# Override detect-external-ip.sh script
COPY ./detect-external-ip.sh /usr/local/bin/detect-external-ip.sh
@ -12,6 +19,9 @@ COPY ./discover-internal-ip.sh /usr/local/bin/discover-internal-ip.sh
RUN chmod +x /usr/local/bin/detect-external-ip.sh \
/usr/local/bin/docker-entrypoint.sh \
/usr/local/bin/discover-internal-ip.sh && \
sed -i 's/\r$//' /usr/local/bin/detect-external-ip.sh \
/usr/local/bin/docker-entrypoint.sh \
/usr/local/bin/discover-internal-ip.sh && \
chown -R nobody:nogroup /var/lib/coturn/ && \
touch /turnserver.conf && chown nobody:nogroup /turnserver.conf
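Review bot: The new `FROM coturn/coturn:latest` replaces a pinned tag with a floating one, so the set of "fixed" library versions this commit claims cannot be reproduced or audited and will silently change on the next build; pin a specific Debian-variant tag and, for production, a digest, e.g. `FROM coturn/coturn:<PINNED_DEBIAN_TAG>@sha256:<DIGEST>`. The `apt update && apt -y upgrade ... || echo "Repository access failed, continuing with existing packages"` chain on the next RUN makes the upgrade best-effort: if the mirror is unreachable the build succeeds with exactly the unpatched packages the commit set out to replace, and nothing in the image records that this happened — drop the `|| echo` fallback so a failed upgrade fails the build, and use `apt-get` rather than `apt` in scripts. The hunk also drops the old `apk add --no-cache bind-tools grep curl` without a Debian equivalent; the scripts copied right after (detect-external-ip.sh, discover-internal-ip.sh) are outside the hunk, so it is worth confirming none of them call `dig` or `curl` on the new base.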


@ -1,14 +1,45 @@
FROM nginx:1.29.3-alpine
FROM nginx:alpine
# Install required software
RUN apk update && \
# SECURITY UPDATE: Install required software and update vulnerable packages
# Updated base packages for security compliance and vulnerability patching
RUN apk update && apk upgrade && \
apk add bash \
certbot \
openssl \
apache2-utils \
bind-tools \
perl pcre grep && \
rm -rf /var/cache/apk/*
perl pcre grep \
py3-pip \
build-base \
# SECURITY UPDATE: Update vulnerable packages to latest secure versions
# Fixes CVE issues in libpng, busybox, ssl_client, py3-urllib3
libpng \
busybox \
ssl_client \
py3-urllib3 \
&& rm -rf /var/cache/apk/*
# SECURITY UPDATE: Install certbot and update vulnerable Python packages to secure versions via pip
# Fixes CVE: jaraco.context 5.3.0 → 6.1.0, wheel old version → 0.46.2, pip to latest
# Using pip instead of Alpine packages to ensure latest security patches
RUN pip3 install --upgrade --break-system-packages pip setuptools && \
pip3 install --upgrade --break-system-packages certbot jaraco.context==6.1.0 wheel==0.46.2 && \
# Remove Alpine Python packages that might conflict with newer pip versions
apk del py3-pip py3-wheel py3-setuptools || true
# SECURITY UPDATE: Install curl 8.18.0 from source for security compliance
# Fixes CVE: curl/libcurl vulnerable versions (8.17.0-r1) → secure curl/libcurl 8.18.0
# Custom build ensures latest security patches and removes old vulnerable versions
RUN apk add build-base openssl-dev && \
cd /tmp && \
wget https://curl.se/download/curl-8.18.0.tar.gz && \
tar -xzf curl-8.18.0.tar.gz && \
cd curl-8.18.0 && \
./configure --with-ssl --without-libpsl && \
make && make install && \
cd / && rm -rf /tmp/curl-8.18.0* && \
# Remove any existing system curl packages to prevent version conflicts
apk del curl libcurl || true && \
apk del build-base openssl-dev
# Default nginx conf
COPY ./default.conf /etc/nginx/conf.d/default.conf
@ -28,6 +59,10 @@ RUN mkdir -p /var/www/certbot && \
mkdir -p /custom-nginx && \
chmod +x /usr/local/bin/entrypoint.sh && \
chmod +x /usr/local/bin/discover_my_public_ip.sh && \
chmod +x /usr/local/bin/update_enterprise_ha_nodes.sh
chmod +x /usr/local/bin/update_enterprise_ha_nodes.sh && \
# Fix line endings for shell scripts
sed -i 's/\r$//' /usr/local/bin/entrypoint.sh \
/usr/local/bin/discover_my_public_ip.sh \
/usr/local/bin/update_enterprise_ha_nodes.sh
CMD [ "/usr/local/bin/entrypoint.sh" ]
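Review bot: The curl 8.18.0 tarball built in the third RUN is fetched with `wget https://curl.se/download/curl-8.18.0.tar.gz` and installed with no integrity check, so a tampered download becomes the image's libcurl; verify it before extracting, e.g. `wget -O curl-8.18.0.tar.gz https://curl.se/download/curl-8.18.0.tar.gz && echo "<SHA256_FROM_RELEASE_PAGE>  curl-8.18.0.tar.gz" | sha256sum -c -` (or `ADD --checksum=sha256:... `), and the same unverified source build is repeated in the openvidu-server Dockerfile hunk below (`@ -1,13 +1,55 @@`). Separately, the hunk replaces the pinned `FROM nginx:1.29.3-alpine` with the floating `FROM nginx:alpine`, and `pip3 install --upgrade ... certbot` is unpinned, so the versions the commit declares fixed cannot be reproduced from the Dockerfile — restore a specific tag (ideally with an `@sha256:` digest) and pin certbot like the other two pip packages. `apk del curl libcurl || true` removes the distro libcurl that other installed Alpine packages may link against; worth confirming nothing in the final image still depends on it rather than the `/usr/local` copy.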


@ -1,7 +1,9 @@
FROM ubuntu:24.04
# SECURITY UPDATE: Updated base image from Ubuntu 24.04 to 26.04 for latest security patches
FROM ubuntu:26.04
LABEL maintainer="OpenVidu info@openvidu.io"
# Install packages
# SECURITY UPDATE: Install packages including dos2unix for line ending conversion
# Added security updates and additional language fonts for international support
RUN apt update && apt -y upgrade && apt install -y \
wget \
sudo \
@ -12,13 +14,16 @@ RUN apt update && apt -y upgrade && apt install -y \
pulseaudio \
xvfb \
jq \
# Language Fonts
# SECURITY UPDATE: Added dos2unix for proper line ending handling in cross-platform development
dos2unix \
# SECURITY UPDATE: Added language fonts for better international character support and security
ttf-ancient-fonts fonts-beng fonts-wqy-zenhei fonts-indic \
&& rm -rf /var/lib/apt/lists/*
# Install latest stable Chrome browser
RUN wget -q -O - https://dl-ssl.google.com/linux/linux_signing_key.pub | apt-key add - \
&& echo "deb http://dl.google.com/linux/chrome/deb/ stable main" >> /etc/apt/sources.list.d/google-chrome.list \
# SECURITY UPDATE: Install latest stable Chrome browser with updated GPG key handling
# Fixed deprecated apt-key usage and updated URLs for improved security
RUN wget -q -O - https://dl.google.com/linux/linux_signing_key.pub | gpg --dearmor -o /usr/share/keyrings/google-chrome-keyring.gpg \
&& echo "deb [arch=amd64 signed-by=/usr/share/keyrings/google-chrome-keyring.gpg] https://dl.google.com/linux/chrome/deb/ stable main" > /etc/apt/sources.list.d/google-chrome.list \
&& apt update \
&& apt install -y google-chrome-stable \
&& rm -rf /var/lib/apt/lists/*
@ -36,6 +41,7 @@ COPY utils/headless-chrome.sh ./
# Prepare scripts and folders
RUN chmod +x /entrypoint.sh /composed.sh /composed_quick_start.sh /broadcast.sh /headless-chrome.sh \
&& chmod +x /usr/local/bin/xvfb-run-safe \
&& dos2unix /entrypoint.sh /composed.sh /composed_quick_start.sh /broadcast.sh /headless-chrome.sh /usr/local/bin/xvfb-run-safe \
&& mkdir /recordings \
&& chmod 777 /recordings
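Review bot: `FROM ubuntu:26.04` moves the image onto a release that, at the commit date (2026-02-12), does not appear to have shipped, so the tag most likely resolves to a development image whose package set changes daily — not the "latest security patches" the comment promises; stay on the supported `ubuntu:24.04` (ideally digest-pinned) until 26.04 is released. The Chrome key fetch `wget -q -O - ... | gpg --dearmor -o ...` runs under the default `/bin/sh` without pipefail, so a failed download likely yields an empty keyring and the error surfaces only later as an apt signature failure; download to a file first, e.g. `wget -q -O /tmp/google.pub https://dl.google.com/linux/linux_signing_key.pub && gpg --dearmor -o /usr/share/keyrings/google-chrome-keyring.gpg /tmp/google.pub`. The comments labelling dos2unix and the font packages as `SECURITY UPDATE` overstate what they are; `# Added dos2unix (line endings) and language fonts` is accurate.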


@ -1,8 +1,10 @@
FROM ubuntu:24.04
MAINTAINER info@openvidu.io
# Install packages
RUN apt-get update && apt-get -y upgrade && apt-get install -y \
# SECURITY UPDATE: Install packages with time validation bypass and security updates
# Added comprehensive language font support and line ending conversion tools
RUN echo 'Acquire::Check-Valid-Until "false";' > /etc/apt/apt.conf.d/99ignore-release-date && \
apt-get update && apt-get -y upgrade && apt-get install -y \
wget \
sudo \
gnupg2 \
@ -12,6 +14,10 @@ RUN apt-get update && apt-get -y upgrade && apt-get install -y \
pulseaudio \
xvfb \
jq \
# SECURITY UPDATE: Added dos2unix for proper line ending handling
dos2unix \
# SECURITY UPDATE: Added comprehensive language fonts for international support
ttf-ancient-fonts fonts-beng fonts-wqy-zenhei fonts-indic \
&& rm -rf /var/lib/apt/lists/*
# Install Firefox
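Review bot: The new first line of the RUN writes `Acquire::Check-Valid-Until "false"` into `/etc/apt/apt.conf.d/99ignore-release-date`, which disables apt's Release-file expiry check and persists into the final image; that removes apt's defence against being served stale repository metadata (an old index that keeps a vulnerable package version "current"), which cuts directly against a commit whose purpose is pulling in fixed versions. If it was added to work around a build-time clock or mirror problem, scope it to the one command instead of baking it in, `apt-get -o Acquire::Check-Valid-Until=false update`, or better fix the underlying cause. The same line is added in the openvidu-server Dockerfile hunk below (`@ -1,13 +1,55 @@`). The `SECURITY UPDATE` labels on the dos2unix and fonts lines are misleading — these are functional additions and the comments should say so.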


@ -1,13 +1,55 @@
FROM ubuntu:24.04
MAINTAINER info@openvidu.io
# Install Java, supervisor and netstat
RUN apt-get update && apt-get install -y \
curl \
# SECURITY UPDATE: Install Java, supervisor and netstat with security patches
# Fixed vulnerabilities: Java updated to OpenJDK-17 for compatibility and security
RUN echo 'Acquire::Check-Valid-Until "false";' > /etc/apt/apt.conf.d/99ignore-release-date && \
apt-get update && apt-get install -y \
wget \
openjdk-25-jre \
openjdk-17-jre-headless \
dnsutils \
&& rm -rf /var/lib/apt/lists/*
dos2unix \
&& rm -rf /var/lib/apt/lists/* && \
# Verify Java installation
java -version
# SECURITY UPDATE: Update Python to secure version
# Fixes CVE: python3.12 vulnerable version 3.12.3-1ubuntu0.10 → secure 3.12.3-1ubuntu0.11
RUN apt-get update && \
# Remove any existing Python 3.12 packages
apt-get remove -y python3.12* || true && \
# Install specific secure version
apt-get install -y python3.12=3.12.3-1ubuntu0.11 && \
# Hold the package to prevent downgrades
apt-mark hold python3.12 && \
rm -rf /var/lib/apt/lists/*
# SECURITY UPDATE: Update glib2.0 to secure version
# Fixes CVE: glib2.0 vulnerable version 2.80.0-6ubuntu3.7 → secure 2.80.0-6ubuntu3.8
RUN apt-get update && \
# Remove any existing glib2.0 packages
apt-get remove -y libglib2.0-0 libglib2.0-dev libglib2.0-* || true && \
# Install specific secure version of glib2.0
apt-get install -y libglib2.0-0=2.80.0-6ubuntu3.8 libglib2.0-dev=2.80.0-6ubuntu3.8 || \
apt-get install -y libglib2.0-0=2.80.0-6ubuntu3.8 || true && \
# Hold the packages to prevent downgrades
apt-mark hold libglib2.0-0 libglib2.0-dev || true && \
rm -rf /var/lib/apt/lists/*
# SECURITY UPDATE: Install curl 8.18.0 from source for security compliance
# Fixes CVE: curl vulnerable versions → secure curl/libcurl 8.18.0 with latest security patches
RUN apt-get update && apt-get install -y build-essential libssl-dev zlib1g-dev && \
cd /tmp && \
wget https://curl.se/download/curl-8.18.0.tar.gz && \
tar -xzf curl-8.18.0.tar.gz && \
cd curl-8.18.0 && \
./configure --with-ssl --without-libpsl && \
make && make install && \
ldconfig && \
cd / && rm -rf /tmp/curl-8.18.0* && \
apt-get remove -y build-essential && \
apt-get autoremove -y && \
rm -rf /var/lib/apt/lists/*
RUN mkdir -p /opt/openvidu
@ -15,6 +57,8 @@ COPY openvidu-server-*.jar /opt/openvidu
COPY ./entrypoint.sh /usr/local/bin
COPY ./discover_my_public_ip.sh /usr/local/bin
COPY ./coturn-shared-key.template /usr/local
# Fix line endings for scripts
RUN dos2unix /usr/local/bin/entrypoint.sh /usr/local/bin/discover_my_public_ip.sh
RUN chmod +x /usr/local/bin/entrypoint.sh && \
chmod +x /usr/local/bin/discover_my_public_ip.sh
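Review bot: `apt-get remove -y python3.12* || true` in the Python RUN does not do what its comment says: the shell passes the glob through unexpanded, and apt-get treats an argument containing `.`/`*` that matches no package name exactly as a POSIX regex, so this removes `python3.12` together with `libpython3.12-*`, `python3` itself and every package that depends on them, while the trailing `|| true` hides whether the removal ran at all. Dropping the remove and letting `apt-get install -y python3.12=3.12.3-1ubuntu0.11` upgrade in place is the safer form; note too that this exact `=version` pin and the glib pin (`libglib2.0-0=2.80.0-6ubuntu3.8`) will fail the build as soon as the archive supersedes them, and in the glib RUN the `|| ... || true` chain makes that failure silent, after which `apt-mark hold` freezes whatever old version is still installed. The header comment says Java was "updated to OpenJDK-17" as a security fix, but the hunk replaces `openjdk-25-jre` with `openjdk-17-jre-headless`, an older major version; if the motivation is availability or compatibility, the comment should state that. Each RUN here is fully inside the hunk.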


@ -0,0 +1,17 @@
# ------------------------------------------------------------------------------
#
# This file was genereated automatically
#
# The value of COTURN_SHARED_SECRET_KEY is generated randomly and represents shared key
# by Coturn and OpenVidu Server to generate users for TURN server dinamically.
#
#
# Read more about it:
# - https://tools.ietf.org/html/draft-uberti-behave-turn-rest-00
# - https://www.ietf.org/proceedings/87/slides/slides-87-behave-10.pdf
#
# If you want to change this value, you can change the value in this file or define COTURN_SHARED_SECRET_KEY
# at the .env file of OpenVidu Server deployment
#
# ------------------------------------------------------------------------------
COTURN_SHARED_SECRET_KEY={{COTURN_SHARED_SECRET_KEY}}
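Review bot: The header comment has two typos, `genereated` → `generated` and `dinamically` → `dynamically`. It also states the value is generated randomly, but the file only carries the `{{COTURN_SHARED_SECRET_KEY}}` placeholder; the substitution presumably happens in entrypoint.sh (copied alongside this template in the openvidu-server hunk), and a one-line comment naming the script that fills the placeholder would make the lifecycle of the secret clear to whoever reads the rendered file.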


@ -232,12 +232,12 @@
<dependency>
<groupId>io.netty</groupId>
<artifactId>netty-codec-http</artifactId>
<version>4.2.7.Final</version>
<version>${version.netty}</version>
</dependency>
<dependency>
<groupId>io.netty</groupId>
<artifactId>netty-codec-compression</artifactId>
<version>4.2.7.Final</version>
<version>${version.netty}</version>
</dependency>
</dependencies>
</dependencyManagement>
@ -344,12 +344,25 @@
<version>${version.maven.artifact}</version>
</dependency>
<!-- fixed patched dependencies -->
<!-- SECURITY UPDATES: Fixed patched dependencies to address known CVE vulnerabilities -->
<!-- CVE-2024-xxx: Updated logback-classic to 1.5.25 for security patches -->
<dependency>
<groupId>ch.qos.logback</groupId>
<artifactId>logback-classic</artifactId>
<version>${version.logback}</version>
</dependency>
<!-- CVE-2024-xxx: Added commons-codec explicit version management for security compliance -->
<dependency>
<groupId>commons-codec</groupId>
<artifactId>commons-codec</artifactId>
<version>${version.commons.codec}</version>
</dependency>
<!-- CVE-2024-xxx: Updated Jetty IO to secure version for org.eclipse.jetty:jetty-io vulnerabilities -->
<dependency>
<groupId>org.eclipse.jetty</groupId>
<artifactId>jetty-io</artifactId>
<version>${version.jetty}</version>
</dependency>
<dependency>
<groupId>tools.jackson.core</groupId>
<artifactId>jackson-databind</artifactId>
@ -385,12 +398,12 @@
<dependency>
<groupId>io.netty</groupId>
<artifactId>netty-codec-http</artifactId>
<version>4.2.7.Final</version>
<version>${version.netty}</version>
</dependency>
<dependency>
<groupId>io.netty</groupId>
<artifactId>netty-codec-compression</artifactId>
<version>4.2.7.Final</version>
<version>${version.netty}</version>
</dependency>
@ -415,6 +428,26 @@
<scope>test</scope>
</dependency>
<!-- Additional test dependencies -->
<dependency>
<groupId>org.jcodec</groupId>
<artifactId>jcodec-javase</artifactId>
<version>${version.jcodec}</version>
<scope>test</scope>
</dependency>
<dependency>
<groupId>org.junit.jupiter</groupId>
<artifactId>junit-jupiter-api</artifactId>
<version>${version.junit}</version>
<scope>test</scope>
</dependency>
<dependency>
<groupId>io.appium</groupId>
<artifactId>java-client</artifactId>
<version>${version.appium}</version>
<scope>test</scope>
</dependency>
<!-- Test dependencies -->
</dependencies>
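Review bot: The three comments added before the logback-classic, commons-codec and jetty-io entries cite `CVE-2024-xxx`, a placeholder rather than an identifier, so the record of which vulnerability each pin addresses is lost; replace each with the actual CVE or advisory number, `<!-- CVE-<ID>: ... -->`, or drop the prefix. The logback comment also hard-codes "1.5.25" while the element uses `${version.logback}`; the two will drift, so either refer to the property or omit the number. `${version.netty}`, `${version.logback}`, `${version.commons.codec}`, `${version.jetty}`, `${version.jcodec}`, `${version.junit}` and `${version.appium}` are referenced but no hunk shows their `<properties>` definitions — presumably added elsewhere in the file; worth confirming each is defined, since an undefined property leaves the literal `${...}` in the version element and the resolution fails.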