Updated alpine and openssl. #672

Merged
merged 1 commit into from
Nov 4, 2024
4 changes: 2 additions & 2 deletions Dockerfile-alpine
100644 → 100755
@@ -1,12 +1,12 @@
FROM alpine:3.17.0 as alpine
FROM alpine:3.19 as alpine
ARG TARGETPLATFORM
LABEL maintainer "Lucas Lorentz <[email protected]>"

EXPOSE 80 443 2019
ENV XDG_CONFIG_HOME /config
ENV XDG_DATA_HOME /data

RUN apk add -U --no-cache ca-certificates curl
RUN apk add -U --no-cache ca-certificates curl openssl
Collaborator

Why was openssl added? Caddy doesn't use OpenSSL at all, it's written in Go which has its own cryptography stack.

Contributor Author

I don't know why, but it was present inside the base image, and docker scout was complaining that it is an outdated version, and simply updating the base image didn't help to resolve all complaints. I guess apk uses openssl under the hood.

I thought that this CVE won't affect caddy, but it is still annoying to see it in the vulnerability report.

Collaborator

I'd rather we revert that part. We don't need to install openssl.

Owner

I thought openssl had to be updated because it was already included in alpine and had a CVE.
But I just checked and the openssl package isn't installed in the base alpine image, but libssl is.

$ docker run -it --rm --entrypoint apk alpine:3.17.0 -- list
WARNING: Ignoring https://dl-cdn.alpinelinux.org/alpine/v3.17/main: No such file or directory
WARNING: Ignoring https://dl-cdn.alpinelinux.org/alpine/v3.17/community: No such file or directory
musl-1.2.3-r4 aarch64 {musl} (MIT) [installed]
zlib-1.2.13-r0 aarch64 {zlib} (Zlib) [installed]
apk-tools-2.12.10-r1 aarch64 {apk-tools} (GPL-2.0-only) [installed]
busybox-binsh-1.35.0-r29 aarch64 {busybox} (GPL-2.0-only) [installed]
musl-utils-1.2.3-r4 aarch64 {musl} (MIT AND BSD-2-Clause AND GPL-2.0-or-later) [installed]
alpine-baselayout-3.4.0-r0 aarch64 {alpine-baselayout} (GPL-2.0-only) [installed]
alpine-keys-2.4-r1 aarch64 {alpine-keys} (MIT) [installed]
libcrypto3-3.0.7-r0 aarch64 {openssl} (Apache-2.0) [installed]
busybox-1.35.0-r29 aarch64 {busybox} (GPL-2.0-only) [installed]
scanelf-1.3.5-r1 aarch64 {pax-utils} (GPL-2.0-only) [installed]
ca-certificates-bundle-20220614-r2 aarch64 {ca-certificates} (MPL-2.0 AND MIT) [installed]
libc-utils-0.7.2-r3 aarch64 {libc-dev} (BSD-2-Clause AND BSD-3-Clause) [installed]
ssl_client-1.35.0-r29 aarch64 {busybox} (GPL-2.0-only) [installed]
alpine-baselayout-data-3.4.0-r0 aarch64 {alpine-baselayout} (GPL-2.0-only) [installed]
libssl3-3.0.7-r0 aarch64 {openssl} (Apache-2.0) [installed]

I will revert the openssl part
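
The check in the comment above, as an added example (not part of the original thread or the project's code): a POSIX shell filter over `apk list` output that reports which installed packages are built from a given source package (the name in braces) and whether a package with a given name is installed. The function names and the embedded sample lines are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample in the format `apk list` prints (same shape as the
# output quoted in the thread; embedded so the script runs offline).
sample_apk_list() {
cat <<'EOF'
WARNING: Ignoring https://dl-cdn.alpinelinux.org/alpine/v3.17/main: No such file or directory
musl-1.2.3-r4 aarch64 {musl} (MIT) [installed]
libcrypto3-3.0.7-r0 aarch64 {openssl} (Apache-2.0) [installed]
ssl_client-1.35.0-r29 aarch64 {busybox} (GPL-2.0-only) [installed]
ca-certificates-bundle-20220614-r2 aarch64 {ca-certificates} (MPL-2.0 AND MIT) [installed]
libssl3-3.0.7-r0 aarch64 {openssl} (Apache-2.0) [installed]
EOF
}

# Turn each installed-package line into "name version origin".
# Field 1 is name-version-rN, field 3 is {origin}, the last field is the
# status; licenses may contain spaces, so only $1, $3 and $NF are trusted.
parse_installed() {
    awk '$NF ~ /installed/ {
        n = split($1, p, "-")
        if (n < 3) next                      # not a name-version-rN token
        name = p[1]
        for (i = 2; i <= n - 2; i++) name = name "-" p[i]
        origin = $3; gsub(/[{}]/, "", origin)
        print name, p[n-1] "-" p[n], origin
    }'
}

# installed_from_origin ORIGIN: packages built from source package ORIGIN.
installed_from_origin() {
    parse_installed | awk -v o="$1" '$3 == o { print $1, $2 }'
}

# is_pkg_installed NAME: exit 0 only if a package named exactly NAME is installed.
is_pkg_installed() {
    parse_installed | awk -v want="$1" '$1 == want { found = 1 }
        END { exit (found ? 0 : 1) }'
}

# Demo on the constructed sample: the libraries come from the openssl
# source package even though no package named "openssl" is installed.
sample_apk_list | installed_from_origin openssl
if sample_apk_list | is_pkg_installed openssl; then
    echo "openssl package: installed"
else
    echo "openssl package: not installed"
fi
```

Against a real image, pipe the output of the `apk list` command shown in the comment into the same functions instead of `sample_apk_list`.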

Owner

PR: #673


COPY artifacts/binaries/$TARGETPLATFORM/caddy /bin/
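
Review bot: On the `RUN apk add -U --no-cache ca-certificates curl openssl` line, `openssl` is a newly installed package, not an update to something the image already had; the `apk list` output in the thread shows only libssl3 and libcrypto3 in the base image. Drop `openssl` from that line and let the base image bump carry the library update. Two smaller points: `FROM alpine:3.19` is a floating tag where the old line pinned a patch release (`alpine:3.17.0`), so pin a specific patch release or digest to keep rebuilds reproducible, and the file mode changes from 100644 to 100755, which a Dockerfile does not need.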
