
Base image of Dockerfile python:3.8.7-alpine3.12 contains vulnerable libraries #2466

Closed
5 tasks done
mirraxian opened this issue Mar 16, 2021 · 7 comments
Labels
resolved Issue is resolved, yet unreleased if open

Comments

@mirraxian
Contributor

mirraxian commented Mar 16, 2021

  • I've read the [contribution guidelines][1] and agree with them

I've found a bug and checked that ...

  • ... the problem doesn't occur with the default MkDocs template
  • ... the problem is not in any of my customizations (CSS, JS, template)
  • ... the documentation does not mention anything about my problem
  • ... there are no open or closed issues that are related to my problem

Description

The Docker image is currently based on python:3.8.7-alpine3.12, which contains outdated packages such as openssh 8.3_p1-r1, which suffers from CVE-2021-28041.

@mirraxian
Contributor Author

Pull request #2467 submitted with an updated Python base image.

mkdocs build and mkdocs gh-deploy validated:

/ # mkdocs build
INFO    -  Cleaning site directory
INFO    -  Building documentation to directory: /site
INFO    -  Documentation built in 7.23 seconds
/ # mkdocs gh-deploy
INFO    -  Cleaning site directory
INFO    -  Building documentation to directory: /site
INFO    -  Documentation built in 7.12 seconds
WARNING -  Version check skipped: No version specified in previous deployment.
INFO    -  Copying '/site' to 'gh-pages' branch and pushing to GitHub.
INFO    -  Your documentation should shortly be available at: https://...

@polarathene
Contributor

That's not really an exploit that can be taken advantage of with this image, especially given how it's used, AFAIK (it runs as the root user anyway).

@squidfunk
Owner

Fixed in 56e8162:

-FROM python:3.8.7-alpine3.12
+FROM python:3.9.2-alpine3.13
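Review bot: bumping the base image to python:3.9.2-alpine3.13 does not by itself establish that the openssh package is at the version the issue names as fixed (8.5); the change records nothing about the installed openssh version, and the discussion below questions whether Alpine 3.13 ships it. Suggest verifying in the built image with `apk list --installed openssh` (or `apk info -v openssh`) and stating the resulting version in the commit message, or dropping openssh from the image if the build and gh-deploy steps do not need it.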

@squidfunk added the label "resolved" (Issue is resolved, yet unreleased if open) on Mar 28, 2021
@squidfunk
Owner

Released as part of 7.0.7.

@polarathene
Contributor

polarathene commented Mar 28, 2021

@squidfunk The "fix available" label doesn't really apply to this issue?

The image was updated, but that didn't update to the newer openssh 8.5 package, did it? I provided details in the related PR but received no response.

Technically, if this vulnerability is a concern (it doesn't appear to be practical, IMO) and the package can't be updated with the fix, this issue shouldn't be closed?

@squidfunk
Owner

In #2467 (comment) you wrote:

I don't see this as an exploit that is relevant to the context of the docker image personally.

You already run as the root user within the docker image (and the docker daemon usually is run as root), so how exactly is this attack envisioned as being carried out, with what goal, and with what present access to perform it?

... which is why I went ahead and just updated the base image, as this was what was done in the PR. Thus I'm seeing this issue as resolved, which is indicated by the "fix available" label. If there is still an issue with OpenSSH, please open another pull request, and we can fix it.

@polarathene
Contributor

The issue is still there until updating to openssh 8.5 AFAIK, which you'll have to wait for to arrive in a newer version of Alpine.

As quoted, I don't see it being practical to carry out such an attack given the exploit description and how this image is used. That doesn't mean it's not possible, I just don't think it's likely to be an actual problem.
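The open question in this thread is whether the base-image bump actually moved openssh past the version the issue names. Below is an added example, not code from mkdocs-material or from any commenter: a Python script that parses `apk list --installed` output captured from the image (for instance `docker run --rm python:3.9.2-alpine3.13 apk list --installed > installed.txt`) and flags packages whose Alpine version string sorts below a fix version you supply, using apk's own ordering rules (`_alpha`/`_beta`/`_pre`/`_rc` before a bare release, `_p` and friends after it, then the `-rN` package release). The sample list, the exact output line format and the 8.5_p1-r0 threshold are assumptions for the example. One caveat a practitioner needs: Alpine backports security fixes into older upstream versions (visible only as a higher `-rN`), so a version-only hit means "check the Alpine secdb for this branch", not "the CVE is present".

```python
"""Flag Alpine packages in a Docker image that are older than a known fix.

Added example for this issue thread; not part of mkdocs-material.
Input is the output of `apk list --installed` run inside the image.
"""
import re
import sys
from typing import Dict, List, Tuple

# apk suffix ordering: pre-release suffixes sort before a bare release,
# post-release suffixes (_p, _git, ...) sort after it.
_PRE_SUFFIX = {"alpha": -4, "beta": -3, "pre": -2, "rc": -1}
_POST_SUFFIX = {"cvs": 1, "svn": 2, "git": 3, "hg": 4, "p": 5}
_RELEASE = (0, 0)  # pseudo-suffix rank for a version with no suffix at all

_VERSION_RE = re.compile(
    r"^(?P<nums>\d+(?:\.\d+)*)"        # 8.3  /  1.1.1
    r"(?P<letter>[a-z])?"              # optional trailing letter: 1.1.1k
    r"(?P<suffixes>(?:_[a-z]+\d*)*)"   # _p1, _rc2, ...
    r"(?:-r(?P<rel>\d+))?$"            # Alpine package release: -r3
)

# Assumed line format: "<name>-<version> <arch> {origin} (license) [installed]".
# The version starts at the first '-' followed by a digit (apk's own rule),
# which keeps hyphenated names such as openssh-client intact.
_LIST_LINE_RE = re.compile(r"^(?P<name>.+?)-(?P<ver>\d\S*)\s")


def parse_version(version: str) -> Tuple[tuple, int, tuple, int]:
    """Turn an Alpine version string into a tuple that compares in apk order."""
    m = _VERSION_RE.match(version)
    if not m:
        raise ValueError(f"unrecognised Alpine version: {version!r}")
    nums = tuple(int(part) for part in m.group("nums").split("."))
    letter = ord(m.group("letter")) - ord("a") + 1 if m.group("letter") else 0
    suffixes = []
    for name, num in re.findall(r"_([a-z]+)(\d*)", m.group("suffixes")):
        if name in _PRE_SUFFIX:
            rank = _PRE_SUFFIX[name]
        elif name in _POST_SUFFIX:
            rank = _POST_SUFFIX[name]
        else:
            raise ValueError(f"unknown version suffix _{name} in {version!r}")
        suffixes.append((rank, int(num or 0)))
    suffix_key = tuple(suffixes) or (_RELEASE,)
    release = int(m.group("rel") or 0)
    return nums, letter, suffix_key, release


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1 as `a` is older than, equal to or newer than `b`."""
    ka, kb = parse_version(a), parse_version(b)
    return (ka > kb) - (ka < kb)


def parse_apk_list(lines) -> Dict[str, str]:
    """Map package name -> installed version from `apk list --installed` lines."""
    installed = {}
    for line in lines:
        m = _LIST_LINE_RE.match(line.strip())
        if m:
            installed[m.group("name")] = m.group("ver")
    return installed


def find_vulnerable(lines, fixed_versions: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (package, installed, fixed) for every listed package older than its fix.

    A hit is a reason to consult the Alpine secdb: the distro may have
    backported the fix under a lower upstream version with a higher -rN.
    """
    installed = parse_apk_list(lines)
    findings = []
    for pkg, fixed in fixed_versions.items():
        current = installed.get(pkg)
        if current is not None and compare_versions(current, fixed) < 0:
            findings.append((pkg, current, fixed))
    return findings


# Constructed sample, not a real capture from python:3.8.7-alpine3.12.
SAMPLE_APK_LIST = """\
musl-1.2.2-r3 x86_64 {musl} (MIT) [installed]
openssh-client-8.3_p1-r1 x86_64 {openssh} (BSD) [installed]
openssh-8.3_p1-r1 x86_64 {openssh} (BSD) [installed]
libcrypto1.1-1.1.1k-r0 x86_64 {openssl} (OpenSSL) [installed]
""".splitlines()

# Assumed threshold: the thread names openssh 8.5 as the upstream fix.
FIXED = {"openssh": "8.5_p1-r0", "openssh-client": "8.5_p1-r0"}

if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            lines = fh.read().splitlines()
    else:
        lines = SAMPLE_APK_LIST
    for pkg, cur, fix in find_vulnerable(lines, FIXED):
        print(f"{pkg}: installed {cur} < fixed {fix}")
```

Run it with the captured file as the first argument, or with no arguments to see it flag the constructed sample. Because the comparison only knows upstream version ordering, wire it as a "review this" signal in CI rather than a hard gate, and pair it with the secdb check before declaring an image clean or vulnerable.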


3 participants