From 57633efbd6997c628a1cf88884162ef03d9daecf Mon Sep 17 00:00:00 2001
From: KrishVora01
Date: Wed, 19 Nov 2025 13:15:20 +0530
Subject: [PATCH 1/2] CPBR-2901 fix
---
 base-java/Dockerfile.ubi9 | 18 +++++++++++-------
 base/Dockerfile.ubi9 | 14 +++++++-------
 pom.xml | 20 +++++++++-----------
 3 files changed, 27 insertions(+), 25 deletions(-)
diff --git a/base-java/Dockerfile.ubi9 b/base-java/Dockerfile.ubi9
index f554aa2004..907f8ddb69 100644
--- a/base-java/Dockerfile.ubi9
+++ b/base-java/Dockerfile.ubi9
@@ -24,6 +24,10 @@ FROM registry.access.redhat.com/ubi9-minimal:${UBI_MINIMAL_VERSION} AS REFRESH
 ARG OPENSSL_VERSION
 ARG PROJECT_VERSION
 ARG ARTIFACT_ID
+ARG CRYPTO_POLICIES_SCRIPTS_VERSION
+ARG FINDUTILS_VERSION
+ARG HOSTNAME_VERSION
+ARG TEMURIN_JDK_VERSION
 
 # Remember where we came from
 LABEL io.confluent.docker.git.repo="confluentinc/common-docker"
@@ -55,11 +59,6 @@ gpgcheck=1 \n\
 gpgkey=https://adoptium.jfrog.io/artifactory/api/gpg/key/public \n\
 " > /etc/yum.repos.d/adoptium.repo
 
-# ENV required when manually installing openssl,
-# for arm64 required binaries are present in /usr/local/lib
-# for amd64 required binaries are present in /usr/local/lib64, hence setting LD_LIBRARY_PATH accordingly
-ENV LD_LIBRARY_PATH=/usr/local/lib64:/usr/local/lib:$LD_LIBRARY_PATH
-
 # Install a FIPS-enabled version of OpenSSL. Only specific versions of OpenSSL support FIPS. Verify the supported versions at https://openssl-library.org/source/.
 # Consult the security policy document for the specific OpenSSL version to ensure proper installation in a FIPS-compliant manner.
 # Security document can also be found at https://openssl-library.org/source/ corresponding to every supported version of OpenSSL.
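Review bot: The four ARGs added at the top of the REFRESH stage (`CRYPTO_POLICIES_SCRIPTS_VERSION`, `FINDUTILS_VERSION`, `HOSTNAME_VERSION`, `TEMURIN_JDK_VERSION`) are declared, but no hunk in this patch consumes them, so unless the `microdnf install` step outside this hunk already references `${CRYPTO_POLICIES_SCRIPTS_VERSION}` and the others, the pins are dead and those packages still float. The pom.xml hunk in the same patch bumps package versions, presumably the values these ARGs carry, which suggests pinning is the intent; confirming that the install line uses them matters most for `crypto-policies-scripts`, since it provides the `update-crypto-policies --set FIPS` step later in the file. The RUN that would consume these ARGs lies outside the hunk.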
@@ -71,7 +70,7 @@ RUN microdnf --nodocs -y install yum \
 && tar -xzf openssl${OPENSSL_VERSION}.tar.gz \
 && cd openssl${OPENSSL_VERSION} \
 && echo "installing FIPS compliant openssl" \
- && ./Configure enable-fips \
+ && ./Configure enable-fips --prefix=/opt/openssl-fips --openssldir=/opt/openssl-fips/ssl \
 && make > /dev/null 2>&1 \
 && make install > /dev/null 2>&1 \
 && echo "successfully installed FIPS compliant openssl" \
@@ -91,11 +90,16 @@ RUN microdnf --nodocs -y install yum \
 && mkdir /licenses \
 && rm /etc/yum.repos.d/adoptium.repo # Remove temurin-jdk repo to reduce intermittent build failures
 
+# ENV required when manually installing openssl,
+# for arm64 required binaries are present in /opt/openssl-fips/lib
+# for amd64 required binaries are present in /opt/openssl-fips/lib64, hence setting LD_LIBRARY_PATH accordingly
+ENV LD_LIBRARY_PATH=/opt/openssl-fips/lib64:/opt/openssl-fips/lib:$LD_LIBRARY_PATH
+
 # enable FIPS in docker image, this will only work if underlying OS has FIPS enabled as well else is a NO OP.
 RUN update-crypto-policies --set FIPS
 
 COPY license.txt /licenses
-COPY openssl-fips.cnf /usr/local/ssl/openssl-fips.cnf
+COPY openssl-fips.cnf /opt/openssl-fips/ssl/openssl-fips.cnf
 COPY --from=build-ub-package-dedupe /build/package_dedupe/package_dedupe /usr/bin/package_dedupe
 COPY --from=build-ub-package-dedupe /build/ub/ub /usr/bin/ub
 
diff --git a/base/Dockerfile.ubi9 b/base/Dockerfile.ubi9
index a03962f018..e5e222d519 100644
--- a/base/Dockerfile.ubi9
+++ b/base/Dockerfile.ubi9
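Review bot: The `openssl` binary produced by the relocated build at +73 (`--prefix=/opt/openssl-fips`) is installed under `/opt/openssl-fips/bin`, which nothing in this patch adds to `PATH`, so the `openssl` a shell finds in the image stays the distro build while the libraries later selected via `LD_LIBRARY_PATH` are the hand-built ones — worth confirming that mismatch is intended. With OpenSSL 3 the install step also writes `fipsmodule.cnf` into the new `--openssldir`, so if the copied `openssl-fips.cnf` includes it by the old absolute path `/usr/local/ssl/fipsmodule.cnf` (not visible here), the FIPS provider will fail to load until that `.include` is updated to `/opt/openssl-fips/ssl/fipsmodule.cnf`. The same change appears in base/Dockerfile.ubi9 hunk `@@ -102,7 +97,7 @@`; the enclosing RUN starts and ends outside the hunk.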
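Review bot: The re-added `ENV LD_LIBRARY_PATH=/opt/openssl-fips/lib64:/opt/openssl-fips/lib:$LD_LIBRARY_PATH` at +96 expands `$LD_LIBRARY_PATH` to an empty string when the base image does not set it (likely for ubi9-minimal), leaving a trailing `:` — the glibc loader treats an empty path element as the current working directory, so any process in the image started from a writable directory would load a `libcrypto.so.3` dropped there ahead of the intended one. Use Dockerfile's conditional expansion so the separator only appears when there is something to append: `ENV LD_LIBRARY_PATH=/opt/openssl-fips/lib64:/opt/openssl-fips/lib${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH}`. Separately, because this is `ENV` rather than a build-time variable, every dynamically linked program in the final image, not just the application, now resolves `libssl`/`libcrypto` from `/opt/openssl-fips`, so distro OpenSSL errata enforced by the `yum check-update` gate never reach those processes; a comment recording that trade-off, or scoping the override to the service's entrypoint, would make the decision explicit. base/Dockerfile.ubi9 hunk `@@ -139,6 +134,11 @@` adds the identical line.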
@@ -86,11 +86,6 @@ gpgkey=https://adoptium.jfrog.io/artifactory/api/gpg/key/public \n\
 " > /etc/yum.repos.d/adoptium.repo
 
 
-# ENV required when manually installing openssl,
-# for arm64 required binaries are present in /usr/local/lib
-# for amd64 required binaries are present in /usr/local/lib64, hence setting LD_LIBRARY_PATH accordingly
-ENV LD_LIBRARY_PATH=/usr/local/lib64:/usr/local/lib:$LD_LIBRARY_PATH
-
 # Install a FIPS-enabled version of OpenSSL. Only specific versions of OpenSSL support FIPS. Verify the supported versions at https://openssl-library.org/source/.
 # Consult the security policy document for the specific OpenSSL version to ensure proper installation in a FIPS-compliant manner.
 # Security document can also be found at https://openssl-library.org/source/ corresponding to every supported version of OpenSSL.
@@ -102,7 +97,7 @@ RUN microdnf --nodocs -y install yum \
 && tar -xzf openssl${OPENSSL_VERSION}.tar.gz \
 && cd openssl${OPENSSL_VERSION} \
 && echo "installing FIPS compliant openssl" \
- && ./Configure enable-fips \
+ && ./Configure enable-fips --prefix=/opt/openssl-fips --openssldir=/opt/openssl-fips/ssl \
 && make > /dev/null 2>&1 \
 && make install > /dev/null 2>&1 \
 && echo "successfully installed FIPS compliant openssl" \
@@ -139,6 +134,11 @@ RUN microdnf --nodocs -y install yum \
 && chown appuser:appuser -R /etc/confluent/ /usr/logs \
 && rm /etc/yum.repos.d/adoptium.repo # Remove temurin-jdk repo to reduce intermittent build failures
 
+# ENV required when manually installing openssl,
+# for arm64 required binaries are present in /opt/openssl-fips/lib
+# for amd64 required binaries are present in /opt/openssl-fips/lib64, hence setting LD_LIBRARY_PATH accordingly
+ENV LD_LIBRARY_PATH=/opt/openssl-fips/lib64:/opt/openssl-fips/lib:$LD_LIBRARY_PATH
+
 # enable FIPS in docker image, this will only work if underlying OS has FIPS enabled as well else is a NO OP.
 RUN update-crypto-policies --set FIPS
 
@@ -153,7 +153,7 @@ RUN yum check-update || "${SKIP_SECURITY_UPDATE_CHECK}"
 
 COPY --chown=appuser:appuser target/${ARTIFACT_ID}-${PROJECT_VERSION}-package/share/doc/* /usr/share/doc/${ARTIFACT_ID}/
 COPY --chown=appuser:appuser target/${ARTIFACT_ID}-${PROJECT_VERSION}-package/share/java/${ARTIFACT_ID}/* /usr/share/java/${ARTIFACT_ID}/
-COPY openssl-fips.cnf /usr/local/ssl/openssl-fips.cnf
+COPY openssl-fips.cnf /opt/openssl-fips/ssl/openssl-fips.cnf
 COPY --chown=appuser:appuser include/etc/confluent/docker /etc/confluent/docker
 COPY --chown=appuser:appuser include/etc/cp-base-new /etc/cp-base-new
 
diff --git a/pom.xml b/pom.xml
index 1ab9b44ea3..d8df42983e 100644
--- a/pom.xml
+++ b/pom.xml
@@ -35,27 +35,25 @@ ${io.confluent.common-docker.version}-${docker.ubi9.os_type} 8.0.2 - 8.10-1755105495 - 9.6-1754345610 - 9.6-1760515502 + 8.10-1761032271 + 9.7-1762965531 + 9.7-1762956380 1:3.2.2-6.el9_5.1 3.1.2 1.21.1-8.el9_4 7.92-3.el9 - 3.9.21-2.el9_6.2 - 1.34-7.el9 - 1.21.1-8.el9_4 - 7.92-3.el9 + 3.9.23-2.el9 + 2:1.34-7.el9 3.3.17-14.el9 1.21.1-8.el9_6 - 20210202-11.el9_6.3 + 20210202-15.el9_7 3.23-6.el9 5.2.5-8.el9_0 - 2.34-168.el9_6.23 + 2.34-231.el9_7.2 1:4.8.0-7.el9 - 20240828-2.git626aa59.el9_5 + 20250905-1.git377cc42.el9_7 21.3.1-1.el9
@@ -87,4 +85,4 @@ `-Ddocker.skip-security-update-check=true` --> true - + \ No newline at end of file
From a7f1a276bc41e0cd72ad33db5ccd227d24e4fef4 Mon Sep 17 00:00:00 2001
From: KrishVora01
Date: Wed, 19 Nov 2025 13:56:04 +0530
Subject: [PATCH 2/2] CPBR-2901 fixes order
---
 base-java/Dockerfile.ubi9 | 7 ++++---
 base/Dockerfile.ubi9 | 7 ++++---
 2 files changed, 8 insertions(+), 6 deletions(-)
diff --git a/base-java/Dockerfile.ubi9 b/base-java/Dockerfile.ubi9
index 907f8ddb69..daefc8a6d8 100644
--- a/base-java/Dockerfile.ubi9
+++ b/base-java/Dockerfile.ubi9
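Review bot: Nothing in this patch updates whatever points OpenSSL at the config that the `COPY` in this hunk now places at `/opt/openssl-fips/ssl/openssl-fips.cnf`: with `--openssldir=/opt/openssl-fips/ssl` the library's default config is `openssl.cnf` in that directory, so `openssl-fips.cnf` only takes effect if an `OPENSSL_CONF` setting or an application/JVM property names it, and any such reference still carrying the old `/usr/local/ssl/` path would silently leave the image on the non-FIPS default. Worth grepping the entrypoint scripts and `include/etc` for `/usr/local/ssl` and recording the consumer above the COPY, e.g. `# Consumed via OPENSSL_CONF (set in <CONSUMER_PATH>); keep in sync with --openssldir above`. The same applies to the `COPY openssl-fips.cnf` line in base-java/Dockerfile.ubi9 hunk `@@ -91,11 +90,16 @@`.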
@@ -90,14 +90,15 @@ RUN microdnf --nodocs -y install yum \
 && mkdir /licenses \
 && rm /etc/yum.repos.d/adoptium.repo # Remove temurin-jdk repo to reduce intermittent build failures
 
+# enable FIPS in docker image, this will only work if underlying OS has FIPS enabled as well else is a NO OP.
+RUN update-crypto-policies --set FIPS
+
 # ENV required when manually installing openssl,
 # for arm64 required binaries are present in /opt/openssl-fips/lib
 # for amd64 required binaries are present in /opt/openssl-fips/lib64, hence setting LD_LIBRARY_PATH accordingly
+# Note: This is set after update-crypto-policies to avoid conflicts with system Python
 ENV LD_LIBRARY_PATH=/opt/openssl-fips/lib64:/opt/openssl-fips/lib:$LD_LIBRARY_PATH
 
-# enable FIPS in docker image, this will only work if underlying OS has FIPS enabled as well else is a NO OP.
-RUN update-crypto-policies --set FIPS
-
 COPY license.txt /licenses
 COPY openssl-fips.cnf /opt/openssl-fips/ssl/openssl-fips.cnf
 COPY --from=build-ub-package-dedupe /build/package_dedupe/package_dedupe /usr/bin/package_dedupe
diff --git a/base/Dockerfile.ubi9 b/base/Dockerfile.ubi9
index e5e222d519..068e93e202 100644
--- a/base/Dockerfile.ubi9
+++ b/base/Dockerfile.ubi9
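Review bot: The new comment at +99, `# Note: This is set after update-crypto-policies to avoid conflicts with system Python`, records the symptom but not the mechanism, and the reordering only protects the build step — `ENV` still applies to every process started in the final image, so a runtime invocation of `update-crypto-policies` or of any Python tooling in the container meets the same library conflict the build did. A comment that states why the order matters and what remains exposed would serve the next maintainer better, e.g. `# Must run before LD_LIBRARY_PATH is set: the tool (Python) breaks when the hand-built /opt/openssl-fips libcrypto shadows the system one. The override still applies to every process at container runtime.` — the cause named there is inferred from the author's note and should be confirmed. base/Dockerfile.ubi9 hunk `@@ -134,14 +134,15 @@` carries the same comment and the same reordering.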
@@ -134,14 +134,15 @@ RUN microdnf --nodocs -y install yum \
 && chown appuser:appuser -R /etc/confluent/ /usr/logs \
 && rm /etc/yum.repos.d/adoptium.repo # Remove temurin-jdk repo to reduce intermittent build failures
 
+# enable FIPS in docker image, this will only work if underlying OS has FIPS enabled as well else is a NO OP.
+RUN update-crypto-policies --set FIPS
+
 # ENV required when manually installing openssl,
 # for arm64 required binaries are present in /opt/openssl-fips/lib
 # for amd64 required binaries are present in /opt/openssl-fips/lib64, hence setting LD_LIBRARY_PATH accordingly
+# Note: This is set after update-crypto-policies to avoid conflicts with system Python
 ENV LD_LIBRARY_PATH=/opt/openssl-fips/lib64:/opt/openssl-fips/lib:$LD_LIBRARY_PATH
 
-# enable FIPS in docker image, this will only work if underlying OS has FIPS enabled as well else is a NO OP.
-RUN update-crypto-policies --set FIPS
-
 # This is a step that will cause the build to fail of the package manager detects a package update is availible and isn't installed.
 # The ARG SKIP_SECURITY_UPDATE_CHECK is an "escape" hatch if you want to by-pass this check and build the container anyways, which
 # is not advisable in terms of security posture. If set to false (which triggers a shell exit(1) if the check fails from the left