-
Notifications
You must be signed in to change notification settings - Fork 178
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Updated alpine and openssl. #672
Conversation
ARG TARGETPLATFORM | ||
LABEL maintainer "Lucas Lorentz <[email protected]>" | ||
|
||
EXPOSE 80 443 2019 | ||
ENV XDG_CONFIG_HOME /config | ||
ENV XDG_DATA_HOME /data | ||
|
||
RUN apk add -U --no-cache ca-certificates curl | ||
RUN apk add -U --no-cache ca-certificates curl openssl |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Why was openssl
added? Caddy doesn't use OpenSSL at all, it's written in Go which has its own cryptography stack.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I don't know why, but it was present inside base image, and docker scout
was complaining that it is outdated version, and simply updating base image didn't help to resolve all complaints. I guess apk
uses openssl
under the hood.
I thought so, that this CVE won't affect caddy, but still annoying to see it in vulnerability report.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'd rather we revert that part. We don't need to install openssl
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I thought openssl had to be updated because it was already included in alpine and had CVE.
But I just checked and openssl package isn't installed in base alpine image, but lilbssl is.
$ docker run -it --rm --entrypoint apk alpine:3.17.0 -- list
WARNING: Ignoring https://dl-cdn.alpinelinux.org/alpine/v3.17/main: No such file or directory
WARNING: Ignoring https://dl-cdn.alpinelinux.org/alpine/v3.17/community: No such file or directory
musl-1.2.3-r4 aarch64 {musl} (MIT) [installed]
zlib-1.2.13-r0 aarch64 {zlib} (Zlib) [installed]
apk-tools-2.12.10-r1 aarch64 {apk-tools} (GPL-2.0-only) [installed]
busybox-binsh-1.35.0-r29 aarch64 {busybox} (GPL-2.0-only) [installed]
musl-utils-1.2.3-r4 aarch64 {musl} (MIT AND BSD-2-Clause AND GPL-2.0-or-later) [installed]
alpine-baselayout-3.4.0-r0 aarch64 {alpine-baselayout} (GPL-2.0-only) [installed]
alpine-keys-2.4-r1 aarch64 {alpine-keys} (MIT) [installed]
libcrypto3-3.0.7-r0 aarch64 {openssl} (Apache-2.0) [installed]
busybox-1.35.0-r29 aarch64 {busybox} (GPL-2.0-only) [installed]
scanelf-1.3.5-r1 aarch64 {pax-utils} (GPL-2.0-only) [installed]
ca-certificates-bundle-20220614-r2 aarch64 {ca-certificates} (MPL-2.0 AND MIT) [installed]
libc-utils-0.7.2-r3 aarch64 {libc-dev} (BSD-2-Clause AND BSD-3-Clause) [installed]
ssl_client-1.35.0-r29 aarch64 {busybox} (GPL-2.0-only) [installed]
alpine-baselayout-data-3.4.0-r0 aarch64 {alpine-baselayout} (GPL-2.0-only) [installed]
libssl3-3.0.7-r0 aarch64 {openssl} (Apache-2.0) [installed]
I will revert the openssl part
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
PR: #673
Explicitly updated openssl as it had CVEs
#671