Alpine 3.20 images now available

[lbussell]

Alpine 3.20 images now available

Alpine 3.20 container images have been released for all in-support and preview .NET versions.

The following repos have been updated:

• dotnet/sdk - Microsoft Artifact Registry
• dotnet/aspnet - Microsoft Artifact Registry
• dotnet/runtime - Microsoft Artifact Registry
• dotnet/runtime-deps - Microsoft Artifact Registry

Details

Alpine 3.20 is available via fixed-version tags (e.g. 8.0-alpine3.20) for in-support .NET versions.

As stated in the supported tag policy, Alpine floating tags for .NET 6.0 and 8.0 (e.g. 8.0-alpine) will continue to reference Alpine 3.19 until the next servicing release in July 2024.

At that time, the Alpine floating tags will be updated to reference Alpine 3.20.

[ChaosEngine]

ATM there is vulnerability reported by Anchore grype tool and docker itself: CVE-2024-5535

AFAIK all alpine base images are affected by some libcrypto3, libssl3 vulnerability:

$ grype mcr.microsoft.com/dotnet/sdk:8.0-alpine
✔ Vulnerability DB [no update available]
✔ Loaded image mcr.microsoft.com/dotnet/sdk:8.0-alpine
✔ Parsed image sha256:b11cdb741756c274313c967bbbdd97f1a6912b7162cfa2fd6865f04f460b6337
✔ Cataloged packages [3817 packages]
✔ Scanned for vulnerabilities [9 vulnerability matches]
├── by severity: 2 critical, 1 high, 2 medium, 1 low, 0 negligible (3 unknown)
└── by status: 4 fixed, 5 not-fixed, 0 ignored
[0010] WARN cataloger failed cataloger=sbom-cataloger error=sbom format not recognized location=/usr/share/powershell/.store/powershell.linux.alpine/7.4.3/powershell.linux.alpine/7.4.3/too
NAME INSTALLED FIXED-IN TYPE VULNERABILITY SEVERITY
curl 8.5.0-r0 apk CVE-2024-2398 High
curl 8.5.0-r0 apk CVE-2024-0853 Medium
curl 8.5.0-r0 apk CVE-2024-2004 Low
curl 8.5.0-r0 apk CVE-2024-2466 Unknown
libcrypto3 3.1.5-r0 3.1.6-r0 apk CVE-2024-5535 Critical
libcrypto3 3.1.5-r0 3.1.6-r0 apk CVE-2024-4741 Unknown
libssl3 3.1.5-r0 3.1.6-r0 apk CVE-2024-5535 Critical
libssl3 3.1.5-r0 3.1.6-r0 apk CVE-2024-4741 Unknown
nghttp2-libs 1.58.0-r0 apk CVE-2024-28182 Medium

[lbussell]

@ChaosEngine, thanks for the report. All .NET Alpine images have been re-built. See #5653 (comment).

[richlander]

I just validated that a rebuild fixes this.

@lbussell @mthalman -- Can we kick off a rebuild of all Alpine images?

[lbussell]

I have already queued the build for this - it should be finished publishing shortly.

Related: #5653

[IbrahimAlshorafah]

alpine 3.20.1 is already here is there a plan to add .. there are a few medium busybox vulnerabilities fixes on it

[mthalman]

It's past 3.20.1 already. It's on 3.20.2:

$ docker run --rm mcr.microsoft.com/dotnet/runtime-deps:8.0-alpine3.20 cat /etc/os-release
NAME="Alpine Linux"
ID=alpine
VERSION_ID=3.20.2
PRETTY_NAME="Alpine Linux v3.20"
HOME_URL="https://alpinelinux.org/"
BUG_REPORT_URL="https://gitlab.alpinelinux.org/alpine/aports/-/issues"

[gfaraj]

Is there a fix for CVE-2024-4741 for the debian images?