Current Alpine image contains 2 high severity CVEs #66
Comments
wglambert
added
the
question
|
CVE-2021-30139 is fixed with apk-tools 2.12.5-r0 CVE-2021-28831 is fixed with busybox 1.32.1-r4 Which the image has, and is currently up to date with every available package $ docker run -it --rm --user root memcached:alpine ash
/ # apk update
fetch https://dl-cdn.alpinelinux.org/alpine/v3.13/main/x86_64/APKINDEX.tar.gz
fetch https://dl-cdn.alpinelinux.org/alpine/v3.13/community/x86_64/APKINDEX.tar.gz
v3.13.5-92-gaf6c01c653 [https://dl-cdn.alpinelinux.org/alpine/v3.13/main]
v3.13.5-95-g640af164dc [https://dl-cdn.alpinelinux.org/alpine/v3.13/community]
OK: 13888 distinct packages available
/ # apk list --upgradeable
/ # apk list | grep apk-tools-2.12.5
apk-tools-2.12.5-r0 x86_64 {apk-tools} (GPL-2.0-only) [installed]
/ # apk list | grep busybox-1.32.1
busybox-1.32.1-r6 x86_64 {busybox} (GPL-2.0-only) [installed]See also https://github.com/docker-library/faq#why-does-my-security-scanner-show-that-an-image-has-cves A CVE doesn't imply having an actual vulnerability, and often is even a false positive (given how most distributions handle versioning/security updates in stable releases). If there are actionable items we can resolve, we're happy to do so (and do so actively). We update all Debian based images to include any updates in apt packages at least monthly (we regenerate the base images and then rebuild all dependent images). |
|
Thanks! I got confused as I didn't see an update to the repo in a while. Apologies for the noise. Closing |
|
Yeah if you look at the specific tags on Dockerhub it'll show when they were last updated. So for the Alpine variant it was on April 14 |
https://alpinelinux.org/posts/Alpine-3.13.5-released.html
https://gitlab.alpinelinux.org/alpine/aports/-/issues/12606
https://alpinelinux.org/posts/Alpine-3.13.4-released.html
https://gitlab.alpinelinux.org/alpine/aports/-/issues/12566
The text was updated successfully, but these errors were encountered: