Hi, our builds are currently failing due to vulnerability detected in zlib versios shipped with alpine 3.5 base:
CVE-2016-9843 (High)
11:35:55 Package: zlib @ 1.2.8-r2
11:35:55 Fixed version: 1.2.11-r0
11:35:55 Link: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9843
11:35:55 Layer: 13340442027742658439f1ff34bf62d088e77c7ed0bb8d062e8e86d805363af6
11:35:55
11:35:55 CVE-2016-9841 (High)
11:35:55 Package: zlib @ 1.2.8-r2
11:35:55 Fixed version: 1.2.11-r0
11:35:55 Link: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9841
11:35:55 Layer: 13340442027742658439f1ff34bf62d088e77c7ed0bb8d062e8e86d805363af6
11:35:55
11:35:55 CVE-2016-9840 (Medium)
11:35:55 Package: zlib @ 1.2.8-r2
11:35:55 Fixed version: 1.2.11-r0
11:35:55 Link: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9840
11:35:55 Layer: 13340442027742658439f1ff34bf62d088e77c7ed0bb8d062e8e86d805363af6
11:35:55
11:35:55 CVE-2016-9842 (Medium)
11:35:55 Package: zlib @ 1.2.8-r2
11:35:55 Fixed version: 1.2.11-r0
11:35:55 Link: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9842
11:35:55 Layer: 13340442027742658439f1ff34bf62d088e77c7ed0bb8d062e8e86d805363af6
Could you update the alpine base version to 3.6, to hopefully fix this ?
Thanks
Closely related to https://github.com/nginxinc/docker-nginx/issues/185, same root cause.
Not that hard, guys.
FROM nginx:1.13.3-alpine
RUN echo "http://dl-cdn.alpinelinux.org/alpine/edge/main" >> /etc/apk/repositories && \
apk upgrade --no-cache --update && \
...
Step 2/5 : RUN echo "http://dl-cdn.alpinelinux.org/alpine/edge/main" >> /etc/apk/repositories && apk upgrade --no-cache --update
---> Running in 679040db52ec
/bin/sh: 1: cannot create /etc/apk/repositories: Directory nonexistent
The command '/bin/sh -c echo "http://dl-cdn.alpinelinux.org/alpine/edge/main" >> /etc/apk/repositories && apk upgrade --no-cache --update' returned a non-zero code: 2
seems like our base image was missing that dir somehow, using image 1.13.3-alpine worked with that command.
Are you sure alpine-edge repo is a good source to install all upgrades from? Could be unstable?
In whatever case, upgrade your packages for the latest security fixes in your local Dockerfile. You don't need the Nginx team to do it for you by upgrading the OS.
I use _edge_ because it has been extremely stable in my case. YMMV.
the image we use (alpine:3.5) was updated to fix that issue.
Most helpful comment
Not that hard, guys.