Probo 14.04 and 16.04 Images Removed for Security
We had originally planned for the removal of all Ubuntu 14.04 and Ubuntu 16.04 images in our September Probo release, but plans have changed and we are now removing those images effective immediately. We have also updated the default image for all Probo builds with no image defined to our PHP 7.3 image,
An old security vulnerability was recently identified in our Ubuntu 14.04 and 16.04 Docker images. It relates to a malicious dependency in the event-stream npm package, which is a dependency of our proboscis npm package, which in turn is included in all Probo Docker images. See dominictarr/event-stream#116 for more details on the event-stream vulnerability.
Our investigation into how this vulnerability affected our Docker images identified that some older Probo Docker image tags built at the time that vulnerability was active do contain the malicious flatmap-stream npm package. The specific security vulnerability was patched shortly after it was identified by the cryptocurrency wallet, Copay, which was the target of the original attack. The flatmap-stream package has also been patched out of event-stream and removed from the npm repository since that time.
We have not identified any malicious activity that has occurred on Probo’s builds or servers related to this vulnerability, but we are removing all of the Ubuntu 14.04 and Ubuntu 16.04 Probo Docker images that contain the flatmap-stream npm package from our authorized images list effective immediately to address any possible security concerns remaining from the malicious flatmap-stream package.
We have recently added 18.04 images for all supported PHP versions, as well as PHP 5.6, that do not contain the malicious flatmap-stream package. All Probo users are advised to update their 14.04 or 16.04 images to the respective 18.04 image in their .probo.yaml config files. See https://docs.probo.ci/build/images/ for the most up-to-date approved Probo Docker images.
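One way to check an unpacked image filesystem or a project checkout for the package named above, as an added example that is not Probo's own tooling: it walks every `node_modules` directory and reports installed copies of flatmap-stream together with the packages that declare it as a dependency. The sample tree, its paths and the `0.0.0-sample` versions are constructed for illustration.

```python
import json
import os

SUSPECT = "flatmap-stream"  # package name taken from the advisory


def read_manifest(path):
    """Parse a package.json; return None if unreadable or not a JSON object."""
    try:
        with open(path, encoding="utf-8") as fh:
            data = json.load(fh)
    except (OSError, ValueError):
        return None
    return data if isinstance(data, dict) else None


def scan(root):
    """Return (installed copies of SUSPECT, packages declaring it) under root."""
    installed, required_by = [], []
    for dirpath, _dirs, files in os.walk(root):
        if "package.json" not in files or "node_modules" not in dirpath.split(os.sep):
            continue
        manifest = read_manifest(os.path.join(dirpath, "package.json"))
        if manifest is None:
            continue  # a damaged manifest must not abort the scan
        name = str(manifest.get("name", "unknown"))
        version = str(manifest.get("version", "unknown"))
        if name == SUSPECT:
            installed.append((version, os.path.relpath(dirpath, root)))
        deps = manifest.get("dependencies")
        if isinstance(deps, dict) and SUSPECT in deps:
            required_by.append((name, version))
    return sorted(installed), sorted(required_by)


def build_sample_tree(root):
    """Constructed sample filesystem; paths and versions are placeholders."""
    base = os.path.join(root, "usr", "lib", "node_modules", "proboscis")
    manifests = {
        (): {"name": "proboscis", "version": "0.0.0-sample", "dependencies": {"event-stream": "*"}},
        ("node_modules", "event-stream"): {"name": "event-stream", "version": "0.0.0-sample", "dependencies": {SUSPECT: "*"}},
        ("node_modules", SUSPECT): {"name": SUSPECT, "version": "0.0.0-sample"},
        ("node_modules", "broken"): None,  # written as invalid JSON below
    }
    for rel, manifest in manifests.items():
        os.makedirs(os.path.join(base, *rel), exist_ok=True)
        with open(os.path.join(base, *rel, "package.json"), "w", encoding="utf-8") as fh:
            fh.write("{not json" if manifest is None else json.dumps(manifest))
```

Pointing `scan` at the root of an exported image filesystem returns two lists; both are empty when no copy of the package and no dependent on it is present.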
Below is a list of the removed Probo images along with the new 18.04 Probo images to use instead to match your production PHP version.
Removed Probo Images
New 18.04 Probo Images
Please contact Probo Support with any questions or concerns related to this issue.