Dockerfile builds on an alpine 3.8 image, containing known security vulnerabilities

[richgerrard]

We deploy kiam in our production environments; our container scanning tools report known critical vulnerabilities in the kiam container, arising from the choice of base image referenced in the dockerfile.

It would be great if this could be addressed at the source, please.

Image
quay.io/uswitch/kiam:v3.5
ID sha256:47150926f154770b47dcbdbc092233637c6242afa246551db55f5cd1d6f9fae5
OS distribution Alpine Linux v3.8
OS release 3.8.4

Severity: Critical
Package: musl
CVE: CVE-2019-14697
Fix Status: fixed in 1.1.19-r11
Description: Impacted versions: <1.1.19-r11
Published: >7 months ago
musl libc through 1.1.23 has an x87 floating-point stack adjustment imbalance, related to the math/i386/ directory. In some cases, use of this library could introduce out-of-bounds writes that are not present in an application's source code.

[rhysemmas]

Hi @richgerrard, thanks for opening an issue - I will raise a PR to resolve this shortly, it is worth noting that the musl libc CVE appears to only affect 32-bit systems.