Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

dockerfile: update base alpine image to v3.18 #2019

Closed
wants to merge 2 commits into from

Conversation

nodiscc
Copy link
Member

@nodiscc nodiscc commented Sep 20, 2023

ghcr.io/shaarli/shaarli:release (alpine 3.16.4)
===============================================
Total: 72 (UNKNOWN: 0, LOW: 1, MEDIUM: 29, HIGH: 27, CRITICAL: 15)

┌───────────────────────┬────────────────┬──────────┬────────┬───────────────────┬──────────────────┬─────────────────────────────────────────────────────────────┐
│        Library        │ Vulnerability  │ Severity │ Status │ Installed Version │  Fixed Version   │                            Title                            │
├───────────────────────┼────────────────┼──────────┼────────┼───────────────────┼──────────────────┼─────────────────────────────────────────────────────────────┤
│ libcrypto1.1          │ CVE-2023-0464  │ HIGH     │ fixed  │ 1.1.1t-r0         │ 1.1.1t-r1        │ Denial of service by excessive resource usage in verifying  │
│                       │                │          │        │                   │                  │ X509 policy constraints...                                  │
│                       │                │          │        │                   │                  │ https://avd.aquasec.com/nvd/cve-2023-0464                   │
│                       ├────────────────┼──────────┤        │                   ├──────────────────┼─────────────────────────────────────────────────────────────┤
│                       │ CVE-2023-0465  │ MEDIUM   │        │                   │ 1.1.1t-r2        │ Invalid certificate policies in leaf certificates are       │
│                       │                │          │        │                   │                  │ silently ignored                                            │
│                       │                │          │        │                   │                  │ https://avd.aquasec.com/nvd/cve-2023-0465                   │
│                       ├────────────────┤          │        │                   ├──────────────────┼─────────────────────────────────────────────────────────────┤
│                       │ CVE-2023-2650  │          │        │                   │ 1.1.1u-r0        │ Possible DoS translating ASN.1 object identifiers           │
│                       │                │          │        │                   │                  │ https://avd.aquasec.com/nvd/cve-2023-2650                   │
│                       ├────────────────┤          │        │                   ├──────────────────┼─────────────────────────────────────────────────────────────┤
│                       │ CVE-2023-3446  │          │        │                   │ 1.1.1u-r2        │ Excessive time spent checking DH keys and parameters        │
│                       │                │          │        │                   │                  │ https://avd.aquasec.com/nvd/cve-2023-3446                   │
│                       ├────────────────┤          │        │                   ├──────────────────┼─────────────────────────────────────────────────────────────┤
│                       │ CVE-2023-3817  │          │        │                   │ 1.1.1v-r0        │ Excessive time spent checking DH q parameter value          │
│                       │                │          │        │                   │                  │ https://avd.aquasec.com/nvd/cve-2023-3817                   │
├───────────────────────┼────────────────┼──────────┤        ├───────────────────┼──────────────────┼─────────────────────────────────────────────────────────────┤
│ libcurl               │ CVE-2023-27533 │ HIGH     │        │ 7.83.1-r6         │ 8.0.1-r0         │ TELNET option IAC injection                                 │
│                       │                │          │        │                   │                  │ https://avd.aquasec.com/nvd/cve-2023-27533                  │
│                       ├────────────────┤          │        │                   │                  ├─────────────────────────────────────────────────────────────┤
│                       │ CVE-2023-27534 │          │        │                   │                  │ SFTP path ~ resolving discrepancy                           │
│                       │                │          │        │                   │                  │ https://avd.aquasec.com/nvd/cve-2023-27534                  │
│                       ├────────────────┤          │        │                   ├──────────────────┼─────────────────────────────────────────────────────────────┤
│                       │ CVE-2023-28319 │          │        │                   │ 8.1.0-r0         │ use after free in SSH sha256 fingerprint check              │
│                       │                │          │        │                   │                  │ https://avd.aquasec.com/nvd/cve-2023-3823                   │
│                       ├────────────────┼──────────┤        │                   ├──────────────────┼─────────────────────────────────────────────────────────────┤
│                       │ CVE-2023-3247  │ MEDIUM   │        │                   │ 8.0.29-r0        │ Missing error check and insufficient random bytes in HTTP   │
│                       │                │          │        │                   │                  │ Digest authentication for...                                │
│                       │                │          │        │                   │                  │ https://avd.aquasec.com/nvd/cve-2023-3247                   │
├───────────────────────┼────────────────┼──────────┤        │                   ├──────────────────┼─────────────────────────────────────────────────────────────┤
│ php8-ldap             │ CVE-2023-3824  │ CRITICAL │        │                   │ 8.0.30-r0        │ phar Buffer mismanagement                                   │
│                       │                │          │        │                   │                  │ https://avd.aquasec.com/nvd/cve-2023-3824                   │
│                       ├────────────────┼──────────┤        │                   │                  ├─────────────────────────────────────────────────────────────┤
│                       │ CVE-2023-3823  │ HIGH     │        │                   │                  │ XML loading external entity without being enabled           │
│                       │                │          │        │                   │                  │ https://avd.aquasec.com/nvd/cve-2023-3823                   │
│                       ├────────────────┼──────────┤        │                   ├──────────────────┼─────────────────────────────────────────────────────────────┤
│                       │ CVE-2023-3247  │ MEDIUM   │        │                   │ 8.0.29-r0        │ Missing error check and insufficient random bytes in HTTP   │
│                       │                │          │        │                   │                  │ Digest authentication for...                                │
│                       │                │          │        │                   │                  │ https://avd.aquasec.com/nvd/cve-2023-3247                   │
├───────────────────────┼────────────────┼──────────┤        │                   ├──────────────────┼─────────────────────────────────────────────────────────────┤
│ php8-mbstring         │ CVE-2023-3824  │ CRITICAL │        │                   │ 8.0.30-r0        │ phar Buffer mismanagement                                   │
│                       │                │          │        │                   │                  │ https://avd.aquasec.com/nvd/cve-2023-3824                   │
│                       ├────────────────┼──────────┤        │                   │                  ├─────────────────────────────────────────────────────────────┤
│                       │ CVE-2023-3823  │ HIGH     │        │                   │                  │ XML loading external entity without being enabled           │
│                       │                │          │        │                   │                  │ https://avd.aquasec.com/nvd/cve-2023-3823                   │
│                       ├────────────────┼──────────┤        │                   ├──────────────────┼─────────────────────────────────────────────────────────────┤
│                       │ CVE-2023-3247  │ MEDIUM   │        │                   │ 8.0.29-r0        │ Missing error check and insufficient random bytes in HTTP   │
│                       │                │          │        │                   │                  │ Digest authentication for...                                │
│                       │                │          │        │                   │                  │ https://avd.aquasec.com/nvd/cve-2023-3247                   │
├───────────────────────┼────────────────┼──────────┤        │                   ├──────────────────┼─────────────────────────────────────────────────────────────┤
│ php8-openssl          │ CVE-2023-3824  │ CRITICAL │        │                   │ 8.0.30-r0        │ phar Buffer mismanagement                                   │
│                       │                │          │        │                   │                  │ https://avd.aquasec.com/nvd/cve-2023-3824                   │
│                       ├────────────────┼──────────┤        │                   │                  ├─────────────────────────────────────────────────────────────┤
│                       │ CVE-2023-3823  │ HIGH     │        │                   │                  │ XML loading external entity without being enabled           │
│                       │                │          │        │                   │                  │ https://avd.aquasec.com/nvd/cve-2023-3823                   │
│                       ├────────────────┼──────────┤        │                   ├──────────────────┼─────────────────────────────────────────────────────────────┤
│                       │ CVE-2023-3247  │ MEDIUM   │        │                   │ 8.0.29-r0        │ Missing error check and insufficient random bytes in HTTP   │
│                       │                │          │        │                   │                  │ Digest authentication for...                                │
│                       │                │          │        │                   │                  │ https://avd.aquasec.com/nvd/cve-2023-3247                   │
├───────────────────────┼────────────────┼──────────┤        │                   ├──────────────────┼─────────────────────────────────────────────────────────────┤
│ php8-session          │ CVE-2023-3824  │ CRITICAL │        │                   │ 8.0.30-r0        │ phar Buffer mismanagement                                   │
│                       │                │          │        │                   │                  │ https://avd.aquasec.com/nvd/cve-2023-3824                   │
│                       ├────────────────┼──────────┤        │                   │                  ├─────────────────────────────────────────────────────────────┤
│                       │ CVE-2023-3823  │ HIGH     │        │                   │                  │ XML loading external entity without being enabled           │
│                       │                │          │        │                   │                  │ https://avd.aquasec.com/nvd/cve-2023-3823                   │
│                       ├────────────────┼──────────┤        │                   ├──────────────────┼─────────────────────────────────────────────────────────────┤
│                       │ CVE-2023-3247  │ MEDIUM   │        │                   │ 8.0.29-r0        │ Missing error check and insufficient random bytes in HTTP   │
│                       │                │          │        │                   │                  │ Digest authentication for...                                │
│                       │                │          │        │                   │                  │ https://avd.aquasec.com/nvd/cve-2023-3247                   │
├───────────────────────┼────────────────┼──────────┤        │                   ├──────────────────┼─────────────────────────────────────────────────────────────┤
│ php8-simplexml        │ CVE-2023-3824  │ CRITICAL │        │                   │ 8.0.30-r0        │ phar Buffer mismanagement                                   │
│                       │                │          │        │                   │                  │ https://avd.aquasec.com/nvd/cve-2023-3824                   │
│                       ├────────────────┼──────────┤        │                   │                  ├─────────────────────────────────────────────────────────────┤
│                       │ CVE-2023-3823  │ HIGH     │        │                   │                  │ XML loading external entity without being enabled           │
│                       │                │          │        │                   │                  │ https://avd.aquasec.com/nvd/cve-2023-3823                   │
│                       ├────────────────┼──────────┤        │                   ├──────────────────┼─────────────────────────────────────────────────────────────┤
│                       │ CVE-2023-3247  │ MEDIUM   │        │                   │ 8.0.29-r0        │ Missing error check and insufficient random bytes in HTTP   │
│                       │                │          │        │                   │                  │ Digest authentication for...                                │
│                       │                │          │        │                   │                  │ https://avd.aquasec.com/nvd/cve-2023-3247                   │
├───────────────────────┼────────────────┼──────────┤        │                   ├──────────────────┼─────────────────────────────────────────────────────────────┤
│ php8-xml              │ CVE-2023-3824  │ CRITICAL │        │                   │ 8.0.30-r0        │ phar Buffer mismanagement                                   │
│                       │                │          │        │                   │                  │ https://avd.aquasec.com/nvd/cve-2023-3824                   │
│                       ├────────────────┼──────────┤        │                   │                  ├─────────────────────────────────────────────────────────────┤
│                       │ CVE-2023-3823  │ HIGH     │        │                   │                  │ XML loading external entity without being enabled           │
│                       │                │          │        │                   │                  │ https://avd.aquasec.com/nvd/cve-2023-3823                   │
│                       ├────────────────┼──────────┤        │                   ├──────────────────┼─────────────────────────────────────────────────────────────┤
│                       │ CVE-2023-3247  │ MEDIUM   │        │                   │ 8.0.29-r0        │ Missing error check and insufficient random bytes in HTTP   │
│                       │                │          │        │                   │                  │ Digest authentication for...                                │
│                       │                │          │        │                   │                  │ https://avd.aquasec.com/nvd/cve-2023-3247                   │
└───────────────────────┴────────────────┴──────────┴────────┴───────────────────┴──────────────────┴─────────────────────────────────────────────────────────────┘```

- fixes security issues reported by trivy
@nodiscc nodiscc added security docker containers & cloud labels Sep 20, 2023
@nodiscc nodiscc added this to the 0.13.0 milestone Sep 20, 2023
@nodiscc nodiscc removed the request for review from ArthurHoaro September 21, 2023 12:49
@nodiscc
Copy link
Member Author

nodiscc commented Sep 21, 2023

Error: buildx failed with: ERROR: failed to solve: process "/bin/sh -c rm -rf /etc/php8/php-fpm.d/www.conf     && sed -i 's/post_max_size.*/post_max_size = 10M/' /etc/php8/php.ini     && sed -i 's/upload_max_filesize.*/upload_max_filesize = 10M/' /etc/php8/php.ini" did not complete successfully: exit code: 1

Some file paths might have changed. I will re-check and update this PR accordingly.

@nodiscc nodiscc marked this pull request as draft September 21, 2023 12:49
@nodiscc
Copy link
Member Author

nodiscc commented Oct 3, 2023

(alpine 3.16.4) Total: 72 (UNKNOWN: 0, LOW: 1, MEDIUM: 29, HIGH: 27, CRITICAL: 15)

Actually, these vulnerabilities are present because the Dockerfile specifies FROM alpine:3.16, and 3.16.4 was the latest 3.16 at the time the image was built. Rebuilding the image today would result in alpine:3.16.7 being used as base image, for which these vulnerabilities have been fixed.

So, while upgrading the base image to alpine:3.18 should still be done, the quickest way to get this fixed is to use major.minor.patch in the FROM directive, bump it to 3.16.7, and create a new Shaarli release.

I will provide a PR.

@nodiscc nodiscc self-assigned this Oct 3, 2023
nodiscc added a commit to nodiscc/Shaarli that referenced this pull request Oct 3, 2023
- the previous (0.12.2) release image was based on 3.16.4 since the .patch version was not specified, which shows vulnerabilities when scanned with trivy (shaarli#2019)
@nodiscc
Copy link
Member Author

nodiscc commented Oct 3, 2023

use major.minor.patch in the FROM directive, bump it to 3.16.7

#2024

create a new Shaarli release.

I will do it ASAP.

update base alpine image to v3.18

This can be postponed as long as the 3.16 branch is maintained (https://alpinelinux.org/releases/ -> 2024-05-23). Fixing #1531 will also help ensure that the release image includes the latest alpine security fixes (will provide a PR soon, draft here)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
docker containers & cloud security
Projects
None yet
Development

Successfully merging this pull request may close these issues.

1 participant