reapply security updates

Azure · Jan 15, 2025 · 3586f2b · 3586f2b
1 parent 79d2559
commit 3586f2b
Show file tree

Hide file tree

Showing 3 changed files with 23 additions and 12 deletions.
diff --git a/vhdbuilder/packer/configure-windows-vhd.ps1 b/vhdbuilder/packer/configure-windows-vhd.ps1
@@ -386,25 +386,38 @@ function Install-ContainerD {
     Start-Job -Name containerd -ScriptBlock { containerd.exe }
 }
 
+function Reapply-Long-Term-Update {
+    Install-Module -Name PSWindowsUpdate -Force -Scope CurrentUser
+    Import-Module PSWindowsUpdate
+    Get-WindowsUpdate | Where-Object {$_.Title -match "Cumulative Update"} | Install-WindowsUpdate -AcceptAll -AutoReboo
+}
+
 function Install-OpenSSH {
     Write-Log "Installing OpenSSH Server"
+
     Add-WindowsCapability -Online -Name OpenSSH.Server~~~~0.0.1.0
 
     # It’s by design that files within the C:\Windows\System32\ folder are not modifiable. 
     # When the OpenSSH Server starts, it copies C:\windows\system32\openssh\sshd_config_default to C:\programdata\ssh\sshd_config, if the file does not already exist.
     $OriginalConfigPath = "C:\windows\system32\OpenSSH\sshd_config_default"
-    $ConfigPath = "C:\programdata\ssh\sshd_config"
+    $ConfigDirectory = "C:\programdata\ssh"
+    New-Item -ItemType Directory -Force -Path $ConfigDirectory
+    $ConfigPath = $ConfigDirectory + "\sshd_config"
     Write-Log "Updating $ConfigPath for CVE-2023-48795"
     $ModifiedConfigContents = Get-Content $OriginalConfigPath `
         | %{$_ -replace "#RekeyLimit default none", "$&`r`n# Disable cipher to mitigate CVE-2023-48795`r`nCiphers [email protected]`r`nMacs -*[email protected]`r`n"}
     Write-Log "Updating $ConfigPath for CVE-2006-5051"
     $ModifiedConfigContents = $ModifiedConfigContents.Replace("#LoginGraceTime 2m", "LoginGraceTime 0")
     Stop-Service sshd
     Out-File -FilePath $ConfigPath -InputObject $ModifiedConfigContents -Encoding UTF8
-    Start-Service sshd
     Write-Log "Updated $ConfigPath for CVEs"
 }
 
+function Start-OpenSSH {
+    Start-Service sshd
+    Write-Log "Started SSHd"
+}
+
 function Install-WindowsPatches {
     Write-Log "Installing Windows patches"
     Write-Log "The length of patchUrls is $($patchUrls.Length)"
@@ -476,6 +489,8 @@ function Update-WindowsFeatures {
         Write-Log "Enabling Windows feature: $feature"
         Install-WindowsFeature $feature
     }
+
+    Reapply-Long-Term-Update
 }
 
 function Enable-WindowsFixInFeatureManagement {
@@ -906,11 +921,13 @@ try{
             Log-ReofferUpdate
             Install-OpenSSH
             Log-ReofferUpdate
-            Install-WindowsPatches
             Update-WindowsFeatures
+            Log-ReofferUpdate
+            Install-WindowsPatches
         }
         "2" {
             Write-Log "Performing actions for provisioning phase 2"
+            Start-OpenSSH
             Log-ReofferUpdate
             Set-WinRmServiceAutoStart
             Install-ContainerD

diff --git a/vhdbuilder/packer/generate-windows-vhd-configuration.ps1 b/vhdbuilder/packer/generate-windows-vhd-configuration.ps1
@@ -63,14 +63,8 @@ switch -Regex ($windowsSku) {
         # TODO: clean up when you bump 2025-1B. These patches do an upgrade from 2024-9B to 2024-12B in a way that doesn't break openssh.
         # The right patch for .NET is actually KB5046540. However, the download page us for KB5046269. So we have to verify that patch. I have no idea why.
 
-        $global:patchUrls = @(
-          "https://catalog.s.download.windowsupdate.com/d/msdownload/update/software/secu/2024/12/windows10.0-kb5048661-x64_6bfc43258aab46ec793d2977122226a4a2b8ed6f.msu",
-          "https://catalog.s.download.windowsupdate.com/d/msdownload/update/software/updt/2024/10/windows10.0-kb5046268-x64_cd2f14649df2343f1b4692c50644f22b863ed408.msu"
-        )
-        $global:patchIDs = @(
-          "KB5048661",
-          "KB5046268"
-        )
+        $global:patchUrls = @()
+        $global:patchIDs = @()
 
         $global:imagesToPull = @(
             "mcr.microsoft.com/windows/servercore:ltsc2019",

diff --git a/vhdbuilder/packer/windows-image.env b/vhdbuilder/packer/windows-image.env
@@ -6,7 +6,7 @@
 WINDOWS_2019_BASE_IMAGE_SKU=2019-Datacenter-Core-smalldisk
 # TODO: update global:patch in generate-windows-vhd-configuration.ps1 and remove this comment when you bump 12B
 # - but revert and bring back if open ssh fails when you build the VHD. This image is 9B.
-WINDOWS_2019_BASE_IMAGE_VERSION=17763.6293.240905
+WINDOWS_2019_BASE_IMAGE_VERSION=17763.6659.241205
 
 # CLI example to get the latest image version:
 #   az vm image show --urn MicrosoftWindowsServer:WindowsServer:2022-Datacenter-Core-smalldisk:latest