We observed there are some vulnerabilities in php image tag 7.4-fpm-alpine
vulnerabilities as below.
php:7.4-fpm-alpine (alpine 3.14.2)
==================================
Total: 3 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 1, CRITICAL: 1)

+---------+------------------+----------+-------------------+---------------+---------------------------------------+
| LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION |                 TITLE                 |
+---------+------------------+----------+-------------------+---------------+---------------------------------------+
| curl    | CVE-2021-22945   | CRITICAL | 7.78.0-r0         | 7.79.0-r0     | curl: use-after-free and              |
|         |                  |          |                   |               | double-free in MQTT sending           |
|         |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-22945 |
+         +------------------+----------+                   +               +---------------------------------------+
|         | CVE-2021-22946   | HIGH     |                   |               | curl: Requirement to use              |
|         |                  |          |                   |               | TLS not properly enforced             |
|         |                  |          |                   |               | for IMAP, POP3, and...                |
|         |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-22946 |
+         +------------------+----------+                   +               +---------------------------------------+
|         | CVE-2021-22947   | MEDIUM   |                   |               | curl: Server responses                |
|         |                  |          |                   |               | received before STARTTLS              |
|         |                  |          |                   |               | processed after TLS handshake         |
|         |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-22947 |
+---------+------------------+----------+-------------------+---------------+---------------------------------------+
We need to re-build and create a new image, so curl version will install 7.79.1 and the issue will be resolved.
https://security-tracker.debian.org/tracker/CVE-2021-22945
Since the Debian security team considers it a minor issue, it'll get updated in a few weeks on its usual monthly schedule, since it was just updated 11 days ago (docker-library/official-images#11198), as we strive to update at least monthly but will rebuild earlier if there is a critical security need.
See https://github.com/docker-library/faq#why-does-my-security-scanner-show-that-an-image-has-cves And docker-library/openjdk#449 (comment), docker-library/postgres#286 (comment) docker-library/openjdk#161, docker-library/openjdk#112, docker-library/postgres#286, docker-library/drupal#84, docker-library/official-images#2740, docker-library/ruby#117, docker-library/ruby#94, docker-library/python#152, #242, docker-library/buildpack-deps#46, docker-library/openjdk#185.
Alpine images just updated in docker-library/official-images#11289, which means all Alpine-based images are currently rebuilding.