alpine: security updates #4834

Merged
merged 1 commit into from Sep 11, 2018

3 participants
@ncopa
Contributor

ncopa commented Sep 11, 2018

apk-tools has an important security fix that has been updated in v3.2 to
v3.8.

edge has got musl libc update to 1.1.20.

alpine: security updates
apk-tools has an important security fix that has been updated in v3.2 to
v3.8.

edge has got musl libc update to 1.1.20.
Member

yosifkit commented Sep 11, 2018

Diff:
diff --git a/alpine_3.1/rootfs.tar.xz b/alpine_3.1/rootfs.tar.xz
index 3b3f484..e33d1cd 100644
Binary files a/alpine_3.1/rootfs.tar.xz and b/alpine_3.1/rootfs.tar.xz differ
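Review bot: this region, and the eight rootfs tarballs that follow it, change only as binary blobs, so nothing in the diff lets a reviewer confirm that apk-tools and musl actually moved to the versions the description cites. Consider posting `apk --version` output (or the apk-tools entry from the installed-package database) for one or two of the rebuilt tarballs alongside the diff, so the security fix this PR exists for is verifiable from the PR itself.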
diff --git a/alpine_3.2/rootfs.tar.xz b/alpine_3.2/rootfs.tar.xz
index fb17110..2a515d5 100644
Binary files a/alpine_3.2/rootfs.tar.xz and b/alpine_3.2/rootfs.tar.xz differ
diff --git a/alpine_3.3/rootfs.tar.xz b/alpine_3.3/rootfs.tar.xz
index 94ecb60..eda71ec 100644
Binary files a/alpine_3.3/rootfs.tar.xz and b/alpine_3.3/rootfs.tar.xz differ
diff --git a/alpine_3.4/rootfs.tar.xz b/alpine_3.4/rootfs.tar.xz
index b7eae40..fd38346 100644
Binary files a/alpine_3.4/rootfs.tar.xz and b/alpine_3.4/rootfs.tar.xz differ
diff --git a/alpine_3.5/rootfs.tar.xz b/alpine_3.5/rootfs.tar.xz
index 2916962..70dacb9 100644
Binary files a/alpine_3.5/rootfs.tar.xz and b/alpine_3.5/rootfs.tar.xz differ
diff --git a/alpine_3.6/rootfs.tar.xz b/alpine_3.6/rootfs.tar.xz
index 324f5e4..a79ddce 100644
Binary files a/alpine_3.6/rootfs.tar.xz and b/alpine_3.6/rootfs.tar.xz differ
diff --git a/alpine_3.7/rootfs.tar.xz b/alpine_3.7/rootfs.tar.xz
index 8198700..0809879 100644
Binary files a/alpine_3.7/rootfs.tar.xz and b/alpine_3.7/rootfs.tar.xz differ
diff --git a/alpine_edge/rootfs.tar.xz b/alpine_edge/rootfs.tar.xz
index 21a66e0..fdee5fd 100644
Binary files a/alpine_edge/rootfs.tar.xz and b/alpine_edge/rootfs.tar.xz differ
diff --git a/alpine_edge/rootfs.tar.xz  'tar -t' b/alpine_edge/rootfs.tar.xz  'tar -t'
index 3d853fd..1713044 100644
--- a/alpine_edge/rootfs.tar.xz  'tar -t'	
+++ b/alpine_edge/rootfs.tar.xz  'tar -t'	
@@ -176,6 +176,7 @@ media/cdrom/
 media/floppy/
 media/usb/
 mnt/
+opt/
 proc/
 root/
 run/
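Review bot: the new `opt/` directory in the edge listing is the only human-readable change in the patch and the description (apk-tools fix, musl 1.1.20) does not mention it; a line saying which package update introduced it would keep the listing diff explainable. Related: the description says the apk-tools fix landed "in v3.2 to v3.8", yet `alpine_3.1/rootfs.tar.xz` is rebuilt as well, so it is worth stating whether 3.1 received the fix or only a rebuild.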
diff --git a/alpine_latest/rootfs.tar.xz b/alpine_latest/rootfs.tar.xz
index 87fdc72..5b7d08c 100644
Binary files a/alpine_latest/rootfs.tar.xz and b/alpine_latest/rootfs.tar.xz differ
Member

yosifkit commented Sep 11, 2018

Build test of #4834; dba53c0; amd64 (alpine):

$ bashbrew build alpine:3.6
Building bashbrew/cache:23f222a19ca767ff454a149a870e7162ee6befa7ea56dc8d8a34b94094d70bfb (alpine:3.6)
Tagging alpine:3.6

$ test/run.sh alpine:3.6
testing alpine:3.6
	'utc' [1/4]...passed
	'cve-2014--shellshock' [2/4]...passed
	'no-hard-coded-passwords' [3/4]...passed
	'override-cmd' [4/4]...passed


$ bashbrew build alpine:3.7
Building bashbrew/cache:4f0e5c72040296ffc798e4c316df9aabb66c6167ce19f1669f52000d5bd223e1 (alpine:3.7)
Tagging alpine:3.7

$ test/run.sh alpine:3.7
testing alpine:3.7
	'utc' [1/4]...passed
	'cve-2014--shellshock' [2/4]...passed
	'no-hard-coded-passwords' [3/4]...passed
	'override-cmd' [4/4]...passed


$ bashbrew build alpine:3.8
Building bashbrew/cache:61dd2b47bfb380db498980132665d6139ed4dad0cb9e9b20038ec83888bed439 (alpine:3.8)
Tagging alpine:3.8
Tagging alpine:latest

$ test/run.sh alpine:3.8
testing alpine:3.8
	'utc' [1/4]...passed
	'cve-2014--shellshock' [2/4]...passed
	'no-hard-coded-passwords' [3/4]...passed
	'override-cmd' [4/4]...passed


$ bashbrew build alpine:edge
Building bashbrew/cache:5b86692080c231427b9b273ce7f4208d1639a7c422c8b0f9928b61ffd0431923 (alpine:edge)
Tagging alpine:edge

$ test/run.sh alpine:edge
testing alpine:edge
	'utc' [1/4]...passed
	'cve-2014--shellshock' [2/4]...passed
	'no-hard-coded-passwords' [3/4]...passed
	'override-cmd' [4/4]...passed


$ bashbrew build alpine:3.1
Building bashbrew/cache:39c8cc745487df07257ff8c650af228140fc6e33a77d859ee6445b8a0121d3d4 (alpine:3.1)
Tagging alpine:3.1

$ test/run.sh alpine:3.1
testing alpine:3.1
	'utc' [1/4]...passed
	'cve-2014--shellshock' [2/4]...passed
	'no-hard-coded-passwords' [3/4]...passed
	'override-cmd' [4/4]...passed


$ bashbrew build alpine:3.2
Building bashbrew/cache:1dc7b5f6d3dbe68024a1ac03f10f09eb11894eb8f4dc67b35e825d3a74bc57b6 (alpine:3.2)
Tagging alpine:3.2

$ test/run.sh alpine:3.2
testing alpine:3.2
	'utc' [1/4]...passed
	'cve-2014--shellshock' [2/4]...passed
	'no-hard-coded-passwords' [3/4]...passed
	'override-cmd' [4/4]...passed


$ bashbrew build alpine:3.3
Building bashbrew/cache:087c03f1d7a6f826f91a62ab71313c0797da60e65553d5a9ad8caa9536f336ff (alpine:3.3)
Tagging alpine:3.3

$ test/run.sh alpine:3.3
testing alpine:3.3
	'utc' [1/4]...passed
	'cve-2014--shellshock' [2/4]...passed
	'no-hard-coded-passwords' [3/4]...passed
	'override-cmd' [4/4]...passed


$ bashbrew build alpine:3.4
Building bashbrew/cache:262437a66f6fbd88eb1995f6753cc0b37c56312fe062144c6ed1c59166908b1e (alpine:3.4)
Tagging alpine:3.4

$ test/run.sh alpine:3.4
testing alpine:3.4
	'utc' [1/4]...passed
	'cve-2014--shellshock' [2/4]...passed
	'no-hard-coded-passwords' [3/4]...passed
	'override-cmd' [4/4]...passed


$ bashbrew build alpine:3.5
Building bashbrew/cache:248b0b376f30ee05ce3f5f785a9027f79ff6815ad05bdc463b359904f56d65f7 (alpine:3.5)
Tagging alpine:3.5

$ test/run.sh alpine:3.5
testing alpine:3.5
	'utc' [1/4]...passed
	'cve-2014--shellshock' [2/4]...passed
	'no-hard-coded-passwords' [3/4]...passed
	'override-cmd' [4/4]...passed

@yosifkit yosifkit merged commit 9aedae8 into docker-library:master Sep 11, 2018

1 check passed

continuous-integration/travis-ci/pr The Travis CI build passed

@ncopa ncopa deleted the ncopa:alpine-updates branch Sep 12, 2018

@od0 od0 referenced this pull request Sep 13, 2018

Closed

Security updates to Alpine #24

tianon referenced this pull request in gliderlabs/docker-alpine Sep 14, 2018

nrb added a commit to nrb/ark that referenced this pull request Sep 17, 2018

Bump alpine image for security fix
This change includes the fix at docker-library/official-images#4834

Signed-off-by: Nolan Brubaker <nolan@heptio.com>

edouard-lopez added a commit to edouard-lopez/dockerfiles that referenced this pull request Sep 17, 2018

update base image to 3.8 to prevent MITM
related: docker-library/official-images/pull/4834

--- 

Based on https://twitter.com/ahmetb/status/1040322297276522496:

Scary RCE vulnerability on Alpine base images: 
- default "apk" repos use plain HTTP 
- a mitm can silently run arbitrary code during "apk add"

More https://justi.cz/security/2018/09/13/alpine-apk-rce.html
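Added example, not code from this PR or from the official-images project: a POSIX sh audit of an apk repositories file for the plain-HTTP mirror configuration the commit message above names as the MITM vector, plus the https rewrite a defender would apply. The repositories file contents and the mirror hostnames are constructed placeholders, and `audit_repos`, `count_insecure` and `rewrite_https` are names chosen for this example.

```shell
#!/bin/sh
# Added example, not part of the PR or the official-images repository.
# Audits an apk repositories file for mirrors fetched over plain HTTP and
# shows the https rewrite. The file path, its contents and the hostnames
# are constructed for this example.

# audit_repos FILE
#   Prints one verdict line per repository entry and returns 0 only when
#   every network repository uses https.
audit_repos() {
    file=$1
    insecure=0
    while IFS= read -r line || [ -n "$line" ]; do
        # drop comments and surrounding whitespace
        entry=$(printf '%s\n' "$line" | sed 's/#.*//; s/^[[:space:]]*//; s/[[:space:]]*$//')
        [ -z "$entry" ] && continue
        # apk allows an optional "@tag " prefix before the URL or path
        url=${entry#@* }
        case "$url" in
            https://*) echo "ok        $entry" ;;
            http://*)  echo "INSECURE  $entry"; insecure=1 ;;
            /*)        echo "local     $entry" ;;
            *)         echo "unknown   $entry"; insecure=1 ;;
        esac
    done < "$file"
    return $insecure
}

# count_insecure FILE -> number of plain-HTTP entries
count_insecure() {
    audit_repos "$1" | grep -c '^INSECURE'
}

# rewrite_https FILE -> the file with http:// mirrors switched to https://,
#   preserving any "@tag " prefix and leaving comments and local paths alone
rewrite_https() {
    sed 's#^\([[:space:]]*\(@[^[:space:]]*[[:space:]]*\)\{0,1\}\)http://#\1https://#' "$1"
}

# constructed sample repositories file (hostnames are placeholders)
SAMPLE_REPOS=$(mktemp)
cat > "$SAMPLE_REPOS" <<'EOF'
# main and community from a plain-HTTP mirror (placeholder host)
http://mirror.invalid/alpine/v3.8/main
http://mirror.invalid/alpine/v3.8/community
@edge https://mirror.invalid/alpine/edge/testing
/var/cache/local-packages
EOF

echo "== audit of $SAMPLE_REPOS =="
audit_repos "$SAMPLE_REPOS" || echo "result: $(count_insecure "$SAMPLE_REPOS") entries fetched over plain HTTP"
echo "== rewritten =="
rewrite_https "$SAMPLE_REPOS"
```

Pointing mirrors at https removes the plain-HTTP exposure the commit message describes, but it complements rather than replaces the apk-tools update this PR ships; an image rebuild should pick up both.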