Bug 1908303

Summary: [CVE-2020-28367 CVE-2020-28366] Remove CGO flag from rhel Dockerfile in Egress-Router-CNI
Product: OpenShift Container Platform Reporter: Daniel Mellado <dmellado>
Component: NetworkingAssignee: Daniel Mellado <dmellado>
Networking sub component: ovn-kubernetes QA Contact: Anurag saxena <anusaxen>
Status: CLOSED ERRATA Docs Contact:
Severity: high    
Priority: high CC: aconstan, surya, weliang
Version: 4.7   
Target Milestone: ---   
Target Release: 4.7.0   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: No Doc Update
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2021-02-24 15:45:05 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Daniel Mellado 2020-12-16 11:32:07 UTC 
In order to pass the security review, we'd need to remove the CGO flag from dockerfile in order to mitigate the following vulnerabilities:

    https://access.redhat.com/security/cve/CVE-2020-28367
    https://access.redhat.com/security/cve/CVE-2020-28366

The vulnerability is specific to the building of Go code itself.
Comment 3 Weibin Liang 2020-12-21 16:06:12 UTC 
Verified in https://brewweb.engineering.redhat.com/brew/buildinfo?buildID=1423721

CGO_ENABLED=1 is removed in 
http://download.eng.bos.redhat.com/brewroot/packages/ose-egress-router-cni-container/v4.7.0/202012190243.p0/data/logs/x86_64-build.log
Comment 5 errata-xmlrpc 2021-02-24 15:45:05 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.7.0 security, bug fix, and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2020:5633