Upgrade (5) vulnerable packages in nginx:mainline-alpine #960

Open
JaneX8 opened this issue Jan 8, 2025 · 1 comment
JaneX8 commented Jan 8, 2025

Can we please upgrade the vulnerable packages listed below in nginx:mainline-alpine? Most of the listed vulnerable packages have fixes available (see column 'FIXED-IN'). I scanned the image with https://github.com/anchore/grype.

grype.exe nginx:mainline-alpine
 ✔ Loaded image                    nginx:mainline-alpine
 ✔ Parsed image                    sha256:c7b4f26a7d93f4f1f276c51adb03ef0df54a82de89f254a9aec5c18bf0e45ee9
 ✔ Cataloged contents              f102ec2b6ec24f0b6fec157468b4dc0e63f35fdecbf64c5140a0abee95a5932e
   ├── ✔ Packages                        [66 packages]
   ├── ✔ File digests                    [969 files]
   ├── ✔ File metadata                   [969 locations]
   └── ✔ Executables                     [123 executables]
 ✔ Scanned for vulnerabilities     [13 vulnerability matches]
   ├── by severity: 0 critical, 1 high, 9 medium, 3 low, 0 negligible
   └── by status:   9 fixed, 4 not-fixed, 0 ignored
NAME        INSTALLED  FIXED-IN   TYPE  VULNERABILITY   SEVERITY
curl        8.9.1-r1   8.11.0-r0  apk   CVE-2024-9681   Medium
curl        8.9.1-r1   8.10.0-r0  apk   CVE-2024-8096   Medium
curl        8.9.1-r1   8.11.1-r0  apk   CVE-2024-11053  Low
libcrypto3  3.3.2-r0   3.3.2-r1   apk   CVE-2024-9143   Medium
libcurl     8.9.1-r1   8.11.0-r0  apk   CVE-2024-9681   Medium
libcurl     8.9.1-r1   8.10.0-r0  apk   CVE-2024-8096   Medium
libcurl     8.9.1-r1   8.11.1-r0  apk   CVE-2024-11053  Low
libexpat    2.6.3-r0   2.6.4-r0   apk   CVE-2024-50602  Medium
libssl3     3.3.2-r0   3.3.2-r1   apk   CVE-2024-9143   Medium
tiff        4.6.0t-r0             apk   CVE-2023-52356  High
tiff        4.6.0t-r0             apk   CVE-2023-6277   Medium
tiff        4.6.0t-r0             apk   CVE-2015-7313   Medium
tiff        4.6.0t-r0             apk   CVE-2023-6228   Low
@JaneX8 JaneX8 changed the title Upgrade (9) vulnerable packages in nginx:mainline-alpine Upgrade (5) vulnerable packages in nginx:mainline-alpine Jan 8, 2025
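As an added example (not part of the issue and not the nginx-docker project's own code), the script below turns grype's table output, as pasted above, into the per-package view behind the retitling: it collapses the 13 matches into the packages that have a fix, picks the highest FIXED-IN each needs, and separates packages with no fix yet. The table text is copied from the scan above and embedded as a constructed input; `apk_version_key` is a deliberately simplified ordering for apk versions (digits, optional letter suffix, `-rN` release) and does not implement apk's full suffix rules, which is an assumption that holds for these rows. `still_vulnerable` is a hypothetical helper for the follow-up check the collaborator describes: comparing a rebuilt image's installed versions against the required fixes.

```python
import re
from collections import defaultdict

# Constructed input: the grype table body from the scan in the issue above.
GRYPE_TABLE = """\
NAME        INSTALLED  FIXED-IN   TYPE  VULNERABILITY   SEVERITY
curl        8.9.1-r1   8.11.0-r0  apk   CVE-2024-9681   Medium
curl        8.9.1-r1   8.10.0-r0  apk   CVE-2024-8096   Medium
curl        8.9.1-r1   8.11.1-r0  apk   CVE-2024-11053  Low
libcrypto3  3.3.2-r0   3.3.2-r1   apk   CVE-2024-9143   Medium
libcurl     8.9.1-r1   8.11.0-r0  apk   CVE-2024-9681   Medium
libcurl     8.9.1-r1   8.10.0-r0  apk   CVE-2024-8096   Medium
libcurl     8.9.1-r1   8.11.1-r0  apk   CVE-2024-11053  Low
libexpat    2.6.3-r0   2.6.4-r0   apk   CVE-2024-50602  Medium
libssl3     3.3.2-r0   3.3.2-r1   apk   CVE-2024-9143   Medium
tiff        4.6.0t-r0             apk   CVE-2023-52356  High
tiff        4.6.0t-r0             apk   CVE-2023-6277   Medium
tiff        4.6.0t-r0             apk   CVE-2015-7313   Medium
tiff        4.6.0t-r0             apk   CVE-2023-6228   Low
"""


def apk_version_key(version):
    """Sortable key for an apk version such as '4.6.0t-r0'.

    Simplified assumption: each dotted component is digits plus an optional
    letter suffix, followed by an optional '-rN' package release. apk's
    _alpha/_pre/_p suffix ordering is not handled here.
    """
    base, _, rel = version.partition("-r")
    parts = []
    for comp in base.split("."):
        m = re.match(r"(\d+)([a-z]*)$", comp)
        if not m:
            raise ValueError(f"unsupported apk version component: {comp!r}")
        parts.append((int(m.group(1)), m.group(2)))
    return (tuple(parts), int(rel) if rel else 0)


def parse_grype_table(text):
    """Parse grype's fixed-width table into one dict per row.

    Column boundaries come from the header line, so an empty FIXED-IN cell
    (no fix available) is read as '' instead of shifting the later columns.
    """
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header = lines[0]
    starts = [(m.group(), m.start()) for m in re.finditer(r"\S+", header)]
    bounds = []
    for i, (name, start) in enumerate(starts):
        end = starts[i + 1][1] if i + 1 < len(starts) else None
        bounds.append((name, start, end))
    return [{name: ln[s:e].strip() for name, s, e in bounds} for ln in lines[1:]]


def summarize(rows):
    """Group matches by package.

    Returns (fixable, unfixed): fixable maps a package to the highest
    FIXED-IN version it needs; unfixed maps a package to the CVEs that
    have no fixed version yet.
    """
    fixable = {}
    unfixed = defaultdict(list)
    for r in rows:
        if r["FIXED-IN"]:
            current = fixable.get(r["NAME"])
            if current is None or apk_version_key(r["FIXED-IN"]) > apk_version_key(current):
                fixable[r["NAME"]] = r["FIXED-IN"]
        else:
            unfixed[r["NAME"]].append(r["VULNERABILITY"])
    return fixable, dict(unfixed)


def still_vulnerable(fixable, installed):
    """Hypothetical re-check after a rebuild: packages whose installed version
    (e.g. from a fresh scan or `apk list -I`) is below the required fix.
    Returns {package: (installed, required)}."""
    return {
        name: (installed[name], required)
        for name, required in fixable.items()
        if name in installed and apk_version_key(installed[name]) < apk_version_key(required)
    }


if __name__ == "__main__":
    rows = parse_grype_table(GRYPE_TABLE)
    fixable, unfixed = summarize(rows)
    print(f"{sum(1 for r in rows if r['FIXED-IN'])} fixed matches across {len(fixable)} packages")
    for name, version in sorted(fixable.items()):
        print(f"  upgrade {name} to >= {version}")
    for name, cves in sorted(unfixed.items()):
        print(f"  no fix yet for {name}: {', '.join(cves)}")
```

Run against the pasted table this reports 9 fixed matches across 5 packages (curl and libcurl need 8.11.1-r0, libcrypto3 and libssl3 need 3.3.2-r1, libexpat needs 2.6.4-r0) and lists tiff as the one package with no fixed version, which is the count the issue title was changed to. Reading column boundaries from the header rather than splitting on whitespace is what keeps the empty FIXED-IN cells on the tiff rows from misaligning the VULNERABILITY and SEVERITY fields.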
thresheek (Collaborator) commented

Hi @JaneX8,

It seems like the current images are indeed rebuilt with the packages mentioned in the "FIXED-IN" column. At least that's what I see in the current aarch64 image.

I suppose they were rebuilt because a new Alpine release was out: docker-library/official-images#18206 - and that's how it's typically done.
