Security vulnerabilities in 1.20-alpine and 1.21-alpine #551
Comments
Let's wait for alpine linux base image to fix this issue. Both don't seem to be any bad for intended curl usage inside this image.
It seems that is already fixed and waiting for alpine release: https://gitlab.alpinelinux.org/alpine/aports/-/issues/12706
Looks like the Alpine base image has been updated. I think the Nginx image just needs to be rebuilt and published. This would resolve issue #553 as well I believe.
Doesn't look like it was updated: https://hub.docker.com/_/alpine?tab=tags&page=1&ordering=last_updated
My bad. I guess you're right. I assumed, instead of looking, because Trivy isn't returning these CVEs when I run it against
Hi @thresheek, alpine 3.14 has been released, could be updated in 1.21 and 1.20 also.
@thresheek I've created a PR to bump alpine version to 3.14, could you please do a review?
Hi @meldafrawi, it doesn't make sense yet as alpine3.14-based images cannot be built for docker library: docker-library/haproxy#163
It seems like the alpine version doesn't even need to be updated. Alpine's version of curl is at 7.77. This could be fixed by building the image with
Fixed in Will be fixed for 1.20 images when there is a new 1.20 release (no ETA).
I can confirm, vulnerabilities from this issue are not appearing in 1.21.1-alpine scan
Hi, today I scanned images based on 1.20-alpine and 1.21-alpine, reporting some vulnerabilities related to curl:
High: CVE-2021-22901
Medium: CVE-2021-22898
Those apply to both 1.20-alpine and 1.21-alpine; I didn't check other versions.