
dockerfile: update base alpine image to v3.18 #2019

Closed
wants to merge 2 commits into from

Conversation

nodiscc
Member

@nodiscc nodiscc commented Sep 20, 2023

```
ghcr.io/shaarli/shaarli:release (alpine 3.16.4)
===============================================
Total: 72 (UNKNOWN: 0, LOW: 1, MEDIUM: 29, HIGH: 27, CRITICAL: 15)

┌───────────────────────┬────────────────┬──────────┬────────┬───────────────────┬──────────────────┬─────────────────────────────────────────────────────────────┐
│        Library        │ Vulnerability  │ Severity │ Status │ Installed Version │  Fixed Version   │                            Title                            │
├───────────────────────┼────────────────┼──────────┼────────┼───────────────────┼──────────────────┼─────────────────────────────────────────────────────────────┤
│ libcrypto1.1          │ CVE-2023-0464  │ HIGH     │ fixed  │ 1.1.1t-r0         │ 1.1.1t-r1        │ Denial of service by excessive resource usage in verifying  │
│                       │                │          │        │                   │                  │ X509 policy constraints...                                  │
│                       │                │          │        │                   │                  │ https://avd.aquasec.com/nvd/cve-2023-0464                   │
│                       ├────────────────┼──────────┤        │                   ├──────────────────┼─────────────────────────────────────────────────────────────┤
│                       │ CVE-2023-0465  │ MEDIUM   │        │                   │ 1.1.1t-r2        │ Invalid certificate policies in leaf certificates are       │
│                       │                │          │        │                   │                  │ silently ignored                                            │
│                       │                │          │        │                   │                  │ https://avd.aquasec.com/nvd/cve-2023-0465                   │
│                       ├────────────────┤          │        │                   ├──────────────────┼─────────────────────────────────────────────────────────────┤
│                       │ CVE-2023-2650  │          │        │                   │ 1.1.1u-r0        │ Possible DoS translating ASN.1 object identifiers           │
│                       │                │          │        │                   │                  │ https://avd.aquasec.com/nvd/cve-2023-2650                   │
│                       ├────────────────┤          │        │                   ├──────────────────┼─────────────────────────────────────────────────────────────┤
│                       │ CVE-2023-3446  │          │        │                   │ 1.1.1u-r2        │ Excessive time spent checking DH keys and parameters        │
│                       │                │          │        │                   │                  │ https://avd.aquasec.com/nvd/cve-2023-3446                   │
│                       ├────────────────┤          │        │                   ├──────────────────┼─────────────────────────────────────────────────────────────┤
│                       │ CVE-2023-3817  │          │        │                   │ 1.1.1v-r0        │ Excessive time spent checking DH q parameter value          │
│                       │                │          │        │                   │                  │ https://avd.aquasec.com/nvd/cve-2023-3817                   │
├───────────────────────┼────────────────┼──────────┤        ├───────────────────┼──────────────────┼─────────────────────────────────────────────────────────────┤
│ libcurl               │ CVE-2023-27533 │ HIGH     │        │ 7.83.1-r6         │ 8.0.1-r0         │ TELNET option IAC injection                                 │
│                       │                │          │        │                   │                  │ https://avd.aquasec.com/nvd/cve-2023-27533                  │
│                       ├────────────────┤          │        │                   │                  ├─────────────────────────────────────────────────────────────┤
│                       │ CVE-2023-27534 │          │        │                   │                  │ SFTP path ~ resolving discrepancy                           │
│                       │                │          │        │                   │                  │ https://avd.aquasec.com/nvd/cve-2023-27534                  │
│                       ├────────────────┤          │        │                   ├──────────────────┼─────────────────────────────────────────────────────────────┤
│                       │ CVE-2023-28319 │          │        │                   │ 8.1.0-r0         │ use after free in SSH sha256 fingerprint check              │
│                       │                │          │        │                   │                  │ https://avd.aquasec.com/nvd/cve-2023-3823                   │
│                       ├────────────────┼──────────┤        │                   ├──────────────────┼─────────────────────────────────────────────────────────────┤
│                       │ CVE-2023-3247  │ MEDIUM   │        │                   │ 8.0.29-r0        │ Missing error check and insufficient random bytes in HTTP   │
│                       │                │          │        │                   │                  │ Digest authentication for...                                │
│                       │                │          │        │                   │                  │ https://avd.aquasec.com/nvd/cve-2023-3247                   │
├───────────────────────┼────────────────┼──────────┤        │                   ├──────────────────┼─────────────────────────────────────────────────────────────┤
│ php8-ldap             │ CVE-2023-3824  │ CRITICAL │        │                   │ 8.0.30-r0        │ phar Buffer mismanagement                                   │
│                       │                │          │        │                   │                  │ https://avd.aquasec.com/nvd/cve-2023-3824                   │
│                       ├────────────────┼──────────┤        │                   │                  ├─────────────────────────────────────────────────────────────┤
│                       │ CVE-2023-3823  │ HIGH     │        │                   │                  │ XML loading external entity without being enabled           │
│                       │                │          │        │                   │                  │ https://avd.aquasec.com/nvd/cve-2023-3823                   │
│                       ├────────────────┼──────────┤        │                   ├──────────────────┼─────────────────────────────────────────────────────────────┤
│                       │ CVE-2023-3247  │ MEDIUM   │        │                   │ 8.0.29-r0        │ Missing error check and insufficient random bytes in HTTP   │
│                       │                │          │        │                   │                  │ Digest authentication for...                                │
│                       │                │          │        │                   │                  │ https://avd.aquasec.com/nvd/cve-2023-3247                   │
├───────────────────────┼────────────────┼──────────┤        │                   ├──────────────────┼─────────────────────────────────────────────────────────────┤
│ php8-mbstring         │ CVE-2023-3824  │ CRITICAL │        │                   │ 8.0.30-r0        │ phar Buffer mismanagement                                   │
│                       │                │          │        │                   │                  │ https://avd.aquasec.com/nvd/cve-2023-3824                   │
│                       ├────────────────┼──────────┤        │                   │                  ├─────────────────────────────────────────────────────────────┤
│                       │ CVE-2023-3823  │ HIGH     │        │                   │                  │ XML loading external entity without being enabled           │
│                       │                │          │        │                   │                  │ https://avd.aquasec.com/nvd/cve-2023-3823                   │
│                       ├────────────────┼──────────┤        │                   ├──────────────────┼─────────────────────────────────────────────────────────────┤
│                       │ CVE-2023-3247  │ MEDIUM   │        │                   │ 8.0.29-r0        │ Missing error check and insufficient random bytes in HTTP   │
│                       │                │          │        │                   │                  │ Digest authentication for...                                │
│                       │                │          │        │                   │                  │ https://avd.aquasec.com/nvd/cve-2023-3247                   │
├───────────────────────┼────────────────┼──────────┤        │                   ├──────────────────┼─────────────────────────────────────────────────────────────┤
│ php8-openssl          │ CVE-2023-3824  │ CRITICAL │        │                   │ 8.0.30-r0        │ phar Buffer mismanagement                                   │
│                       │                │          │        │                   │                  │ https://avd.aquasec.com/nvd/cve-2023-3824                   │
│                       ├────────────────┼──────────┤        │                   │                  ├─────────────────────────────────────────────────────────────┤
│                       │ CVE-2023-3823  │ HIGH     │        │                   │                  │ XML loading external entity without being enabled           │
│                       │                │          │        │                   │                  │ https://avd.aquasec.com/nvd/cve-2023-3823                   │
│                       ├────────────────┼──────────┤        │                   ├──────────────────┼─────────────────────────────────────────────────────────────┤
│                       │ CVE-2023-3247  │ MEDIUM   │        │                   │ 8.0.29-r0        │ Missing error check and insufficient random bytes in HTTP   │
│                       │                │          │        │                   │                  │ Digest authentication for...                                │
│                       │                │          │        │                   │                  │ https://avd.aquasec.com/nvd/cve-2023-3247                   │
├───────────────────────┼────────────────┼──────────┤        │                   ├──────────────────┼─────────────────────────────────────────────────────────────┤
│ php8-session          │ CVE-2023-3824  │ CRITICAL │        │                   │ 8.0.30-r0        │ phar Buffer mismanagement                                   │
│                       │                │          │        │                   │                  │ https://avd.aquasec.com/nvd/cve-2023-3824                   │
│                       ├────────────────┼──────────┤        │                   │                  ├─────────────────────────────────────────────────────────────┤
│                       │ CVE-2023-3823  │ HIGH     │        │                   │                  │ XML loading external entity without being enabled           │
│                       │                │          │        │                   │                  │ https://avd.aquasec.com/nvd/cve-2023-3823                   │
│                       ├────────────────┼──────────┤        │                   ├──────────────────┼─────────────────────────────────────────────────────────────┤
│                       │ CVE-2023-3247  │ MEDIUM   │        │                   │ 8.0.29-r0        │ Missing error check and insufficient random bytes in HTTP   │
│                       │                │          │        │                   │                  │ Digest authentication for...                                │
│                       │                │          │        │                   │                  │ https://avd.aquasec.com/nvd/cve-2023-3247                   │
├───────────────────────┼────────────────┼──────────┤        │                   ├──────────────────┼─────────────────────────────────────────────────────────────┤
│ php8-simplexml        │ CVE-2023-3824  │ CRITICAL │        │                   │ 8.0.30-r0        │ phar Buffer mismanagement                                   │
│                       │                │          │        │                   │                  │ https://avd.aquasec.com/nvd/cve-2023-3824                   │
│                       ├────────────────┼──────────┤        │                   │                  ├─────────────────────────────────────────────────────────────┤
│                       │ CVE-2023-3823  │ HIGH     │        │                   │                  │ XML loading external entity without being enabled           │
│                       │                │          │        │                   │                  │ https://avd.aquasec.com/nvd/cve-2023-3823                   │
│                       ├────────────────┼──────────┤        │                   ├──────────────────┼─────────────────────────────────────────────────────────────┤
│                       │ CVE-2023-3247  │ MEDIUM   │        │                   │ 8.0.29-r0        │ Missing error check and insufficient random bytes in HTTP   │
│                       │                │          │        │                   │                  │ Digest authentication for...                                │
│                       │                │          │        │                   │                  │ https://avd.aquasec.com/nvd/cve-2023-3247                   │
├───────────────────────┼────────────────┼──────────┤        │                   ├──────────────────┼─────────────────────────────────────────────────────────────┤
│ php8-xml              │ CVE-2023-3824  │ CRITICAL │        │                   │ 8.0.30-r0        │ phar Buffer mismanagement                                   │
│                       │                │          │        │                   │                  │ https://avd.aquasec.com/nvd/cve-2023-3824                   │
│                       ├────────────────┼──────────┤        │                   │                  ├─────────────────────────────────────────────────────────────┤
│                       │ CVE-2023-3823  │ HIGH     │        │                   │                  │ XML loading external entity without being enabled           │
│                       │                │          │        │                   │                  │ https://avd.aquasec.com/nvd/cve-2023-3823                   │
│                       ├────────────────┼──────────┤        │                   ├──────────────────┼─────────────────────────────────────────────────────────────┤
│                       │ CVE-2023-3247  │ MEDIUM   │        │                   │ 8.0.29-r0        │ Missing error check and insufficient random bytes in HTTP   │
│                       │                │          │        │                   │                  │ Digest authentication for...                                │
│                       │                │          │        │                   │                  │ https://avd.aquasec.com/nvd/cve-2023-3247                   │
└───────────────────────┴────────────────┴──────────┴────────┴───────────────────┴──────────────────┴─────────────────────────────────────────────────────────────┘
```

- fixes security issues reported by trivy
@nodiscc nodiscc added security docker containers & cloud labels Sep 20, 2023
@nodiscc nodiscc added this to the 0.13.0 milestone Sep 20, 2023
@nodiscc nodiscc removed the request for review from ArthurHoaro September 21, 2023 12:49
@nodiscc
Member Author

nodiscc commented Sep 21, 2023

Error: buildx failed with: ERROR: failed to solve: process "/bin/sh -c rm -rf /etc/php8/php-fpm.d/www.conf     && sed -i 's/post_max_size.*/post_max_size = 10M/' /etc/php8/php.ini     && sed -i 's/upload_max_filesize.*/upload_max_filesize = 10M/' /etc/php8/php.ini" did not complete successfully: exit code: 1

Some file paths might have changed. I will re-check and update this PR accordingly.

@nodiscc nodiscc marked this pull request as draft September 21, 2023 12:49
@nodiscc
Member Author

nodiscc commented Oct 3, 2023

(alpine 3.16.4) Total: 72 (UNKNOWN: 0, LOW: 1, MEDIUM: 29, HIGH: 27, CRITICAL: 15)

Actually, these vulnerabilities are present because the Dockerfile specifies FROM alpine:3.16, and 3.16.4 was the latest 3.16 at the time the image was built. Rebuilding the image today would result in alpine:3.16.7 being used as base image, for which these vulnerabilities have been fixed.

So, while upgrading the base image to alpine:3.18 should still be done, the quickest way to get this fixed is to use major.minor.patch in the FROM directive, bump it to 3.16.7, and create a new Shaarli release.

I will provide a PR.
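As an added example (not Shaarli's own code or part of this PR): a POSIX shell check for the failure mode described above, where a floating `FROM alpine:3.16` tag resolves to whichever patch release existed at build time. It flags FROM lines not pinned to a major.minor.patch tag or an image digest; the function name and the two sample Dockerfiles are constructed for this example.

```shell
#!/bin/sh
# Added example (not part of Shaarli): flag FROM lines whose base image is not
# pinned, so a rebuild cannot silently resolve a floating tag such as
# "alpine:3.16" to whatever patch release it pointed at when the image was built.

# check_from_pinned DOCKERFILE
# Prints each unpinned image reference; returns 0 if every FROM line is pinned
# to major.minor.patch or to a digest, 1 otherwise. References to earlier build
# stages (FROM builder) and "FROM scratch" are accepted.
check_from_pinned() {
    dockerfile=$1
    stages=""
    bad=0
    # Keep only FROM lines, dropping the keyword and an optional --platform flag.
    refs=$(sed -nE 's/^[[:space:]]*[Ff][Rr][Oo][Mm][[:space:]]+(--platform=[^[:space:]]+[[:space:]]+)?//p' "$dockerfile")
    while IFS= read -r rest; do
        [ -n "$rest" ] || continue
        image=${rest%% *}                                       # first word is the image reference
        case "$rest" in
            *" "[Aa][Ss]" "*) stages="$stages ${rest##* }" ;;   # remember the stage name
        esac
        case " $stages " in *" $image "*) continue ;; esac      # earlier build stage
        [ "$image" = scratch ] && continue
        case "$image" in *@sha256:*) continue ;; esac           # digest: immutable
        tag=""
        case "$image" in *:*) tag=${image##*:} ;; esac
        case "$tag" in */*) tag="" ;; esac                      # colon was a registry port, no tag
        case "$tag" in
            *[0-9].[0-9]*.[0-9]*) ;;                            # e.g. 3.16.7 or 8.0.1-r0
            *) echo "unpinned: $image"; bad=1 ;;
        esac
    done <<EOF
$refs
EOF
    return $bad
}

# Constructed sample Dockerfiles for the demo (not Shaarli's real Dockerfile).
samples=$(mktemp -d)
cat > "$samples/Dockerfile.floating" <<'EOF'
FROM alpine:3.16
RUN apk add --no-cache php8
EOF
cat > "$samples/Dockerfile.pinned" <<'EOF'
FROM --platform=$BUILDPLATFORM node:18.17.1-alpine AS builder
FROM alpine:3.16.7
COPY --from=builder /app /app
EOF

for f in "$samples/Dockerfile.floating" "$samples/Dockerfile.pinned"; do
    if check_from_pinned "$f"; then echo "$f: OK"; else echo "$f: FAIL"; fi
done
```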

@nodiscc nodiscc self-assigned this Oct 3, 2023
nodiscc added a commit to nodiscc/Shaarli that referenced this pull request Oct 3, 2023
- the previous (0.12.2) release image was based on 3.16.4 since the .patch version was not specified, which shows vulnerabilities when scanned with trivy (shaarli#2019)
@nodiscc
Member Author

nodiscc commented Oct 3, 2023

use major.minor.patch in the FROM directive, bump it to 3.16.7

#2024

create a new Shaarli release.

I will do it ASAP.

update base alpine image to v3.18

This can be postponed as long as the 3.16 branch is maintained (https://alpinelinux.org/releases/ -> 2024-05-23). Fixing #1531 will also help ensure that the release image includes the latest alpine security fixes (will provide a PR soon, draft here)
