Hi, today scanned images based on 1.20-alpine and 1.21-alpine reporting some vulnerabilities related do curl:
High: CVE-2021-22901
Medium: CVE-2021-22898
Those applies to both 1.20-alpine and 1.21-alpine, didn't checked other versions.
Let's wait for alpine linux base image to fix this issue. Both dont seem to be any bad for intented curl usage inside this image.
It seems that is already fixed and waiting for alpine release: https://gitlab.alpinelinux.org/alpine/aports/-/issues/12706
Looks like the Alpine base image has been updated. I think the Nginx image just needs to be rebuilt and published. This would resolve issue #553 as well I believe.
Doesnt look like it was updated: https://hub.docker.com/_/alpine?tab=tags&page=1&ordering=last_updated
My bad. I guess you're right. I assumed, instead of looking, because Trivy isn't returning these CVE's when I run it against alpine:latest. But they're definitely firing off for nginx:alpine.
Hi @thresheek, alpine 3.14 has been released, could be updated in 1.21 and 1.20 also.
https://www.alpinelinux.org/posts/Alpine-3.14.0-released.html
@thresheek I've created a PR to bump alpine version to 3.14, could you please do a review ?
hi @meldafrawi it doesnt make sense yet as alpine3.14-based images cannot be built for docker library: https://github.com/docker-library/haproxy/issues/163
It seems like the alpine version doesn't even need to be updated. Alpine's version of curl is at 7.77. This could be fixed by building the image with apk add --upgrade --no-cache curl instead of apk add --no-cache curl
Most helpful comment
It seems like the alpine version doesn't even need to be updated. Alpine's version of curl is at 7.77. This could be fixed by building the image with
apk add --upgrade --no-cache curlinstead ofapk add --no-cache curl