Docker-node: CVE-2019-14697 - alpine images

Created on 29 Oct 2019  ·  14 Comments  ·  Source: nodejs/docker-node

Security issue with alpine images: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14697

  • Re-publishing the image will fix it
  • Running this manually fixed it apk upgrade musl
  • Base node image works without issues

All 14 comments

We have seen this too. It appears that somehow the node:10-alpine and node:12.13-alpine (maybe others too; have not tested) binary images have musl-1.1.20-r4, while previously they had musl-1.1.20-r5. Not sure how this happened, or what else is in that binary that shouldn't be.

This repo doesn't rebuild any of the base images, that's only done on the official-images repository.
@tianon do you know why the images would have rolled back that package?

Digging deeper, I see that the base alpine 3.9 image has not changed in 6 months; it never contained musl-1.1.20-r5 (which came out in August). Instead, node's Dockerfiles updated musl. That update got removed two days ago. So it seems it must be in one of these two commits that were committed to master on Oct 28:

I have also commented on the thread for the pull request that contains these changes: https://github.com/nodejs/docker-node/pull/1026

I'm wondering if it could be a side-effect of a package we are installing having had the musl update as a dependency but now not having it.

I bet that is right. The easiest fix might be something like:

&& if [ -n "${CHECKSUM}" ]; then \
    set -eu; \
    curl -fsSLO --compressed "https://unofficial-builds.nodejs.org/download/release/v$NODE_VERSION/node-v$NODE_VERSION-linux-$ARCH-musl.tar.xz"; \
    echo "$CHECKSUM  node-v$NODE_VERSION-linux-$ARCH-musl.tar.xz" | sha256sum -c - \
      && tar -xJf "node-v$NODE_VERSION-linux-$ARCH-musl.tar.xz" -C /usr/local --strip-components=1 --no-same-owner \
      && ln -s /usr/local/bin/node /usr/local/bin/nodejs \
      && apk add -u musl=1.1.20-r5; \

I think using apk add -u musl=1.2.20-r5 is preferable to apk upgrade musl because it

  • only upgrades musl (despite listing musl, apk upgrade musl upgrades more than just musl)
  • pins to a specific version of musl

I just built this locally and scanned it for vulnerabilities, and it came up clean.

However, if the node folks prefer not to pin, then apk add -u musl should work fine.
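The two comments above turn on one question: which musl package is actually inside a given image tag, and is it at or past the patched release? The following script is an added example, not code from the docker-node thread or the nodejs project. It parses `apk info -v` style output (the sample lines are constructed to mimic a vulnerable node:10-alpine image and a fixed one) and compares the installed musl version against the release pinned in the thread, 1.1.20-r5, which is assumed here to be the fixed version.

```shell
#!/bin/sh
# Added example (not from the docker-node thread): check whether the musl
# package reported by an Alpine image is at or above the patched release.
# The fixed version is assumed to be the one pinned in the thread.
FIXED_MUSL="1.1.20-r5"

# Constructed sample of `apk info -v` output from a vulnerable image (musl r4).
SAMPLE_APK_INFO_VULN="musl-1.1.20-r4
musl-utils-1.1.20-r4
busybox-1.29.3-r10
alpine-baselayout-3.1.0-r0"

# Constructed sample from an image that carries the patched musl (r5).
SAMPLE_APK_INFO_FIXED="musl-1.1.20-r5
musl-utils-1.1.20-r5
busybox-1.29.3-r10"

# Extract the version of one package from `apk info -v` lines (name-X.Y.Z-rN).
# The digit right after "name-" keeps "musl-utils-..." from matching "musl".
apk_pkg_version() {
  pkg="$1"
  printf '%s\n' "$2" | sed -n "s/^${pkg}-\([0-9][^ ]*\)$/\1/p" | head -n1
}

# Compare two apk versions of the form X.Y.Z-rN.
# Prints "ok" when installed >= fixed, "vulnerable" when older, "missing" when absent.
musl_status() {
  installed="$1"
  fixed="$2"
  if [ -z "$installed" ]; then
    echo "missing"
    return 0
  fi
  # Turn "1.1.20-r5" into "1.1.20.5" so every component sorts numerically.
  a=$(printf '%s' "$installed" | sed 's/-r/./')
  b=$(printf '%s' "$fixed" | sed 's/-r/./')
  lowest=$(printf '%s\n%s\n' "$a" "$b" | sort -t. -k1,1n -k2,2n -k3,3n -k4,4n | head -n1)
  if [ "$lowest" = "$b" ]; then
    echo "ok"
  else
    echo "vulnerable"
  fi
}

# Run the check over one image's `apk info -v` report.
check_report() {
  musl_status "$(apk_pkg_version musl "$1")" "$FIXED_MUSL"
}

# Demonstration on the constructed samples.
echo "vulnerable sample: $(check_report "$SAMPLE_APK_INFO_VULN")"
echo "fixed sample:      $(check_report "$SAMPLE_APK_INFO_FIXED")"
```

Against a real image the report comes from `docker run --rm node:10-alpine apk info -v`, piped into `check_report`; a result of "vulnerable" means the tag still carries the pre-fix musl and needs either the pinned `apk add -u musl=1.1.20-r5` from the comment above or a rebuild on a base that ships the fix.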

I think that is still something for the base image rather than here though, but I'm not sure whether 3.9 is being actively maintained or not.

alpine3.9 hasn't changed since May 10, 2019

Looks like there is some activity in the branch, but I don't know if they are planning on tagging anything https://git.alpinelinux.org/aports/log/?h=3.9-stable

I think an LTS version like node:10 deserves to get a security update. I would expect either the base image to be updated, or the node image to be switched to 3.10

@amq we are really close to supporting multiple alpine versions! We have been working on this for a while.

I got this update today from the alpine team, alpine 3.10.3 has the security fixes for

3.10.3 is on Docker Hub as latest and includes OpenSSL 1.1.1d-r0 which is patched for

CVE-2019-1563
CVE-2019-1549
CVE-2019-1547

https://github.com/alpinelinux/docker-alpine/issues/39#issuecomment-549401731

So ideally if we can change all node.js docker images to change this
FROM alpine:3.9
to
FROM alpine:3.10
For the Node.js 12.x.x branch
https://github.com/nodejs/docker-node/blob/93c5e098567620200e5a374622a86b4aff153506/12/alpine/Dockerfile

Can you move to Alpine 3.10 for the node.js 12, 10 and 8 releases???? I hope it will all just work and not be much effort.

@strouja multiple versions of Alpine support is being worked on in #1125

Closing since alpine 3.10 images are available.
