Updated alpine and openssl. #672
ARG TARGETPLATFORM | ||
LABEL maintainer "Lucas Lorentz <[email protected]>" | ||
|
||
EXPOSE 80 443 2019 | ||
ENV XDG_CONFIG_HOME /config | ||
ENV XDG_DATA_HOME /data | ||
|
||
RUN apk add -U --no-cache ca-certificates curl | ||
RUN apk add -U --no-cache ca-certificates curl openssl |
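Review bot: the changed RUN line appends openssl to the apk add package list, but nothing in this hunk uses the openssl binary and there is no comment saying what in the image needs it. Either drop openssl from the list or add a comment above the RUN line stating the reason. If the aim is to pick up fixed versions of libraries that already ship in the base image, upgrading those packages is narrower than installing an additional one.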
Why was openssl added? Caddy doesn't use OpenSSL at all, it's written in Go which has its own cryptography stack.
I don't know why, but it was present inside the base image, and docker scout was complaining that it is an outdated version, and simply updating the base image didn't help to resolve all complaints. I guess apk uses openssl under the hood.
I thought so, that this CVE won't affect caddy, but it's still annoying to see it in the vulnerability report.
I'd rather we revert that part. We don't need to install openssl
I thought openssl had to be updated because it was already included in alpine and had a CVE.
But I just checked and the openssl package isn't installed in the base alpine image, but libssl is.
$ docker run -it --rm --entrypoint apk alpine:3.17.0 -- list
WARNING: Ignoring https://dl-cdn.alpinelinux.org/alpine/v3.17/main: No such file or directory
WARNING: Ignoring https://dl-cdn.alpinelinux.org/alpine/v3.17/community: No such file or directory
musl-1.2.3-r4 aarch64 {musl} (MIT) [installed]
zlib-1.2.13-r0 aarch64 {zlib} (Zlib) [installed]
apk-tools-2.12.10-r1 aarch64 {apk-tools} (GPL-2.0-only) [installed]
busybox-binsh-1.35.0-r29 aarch64 {busybox} (GPL-2.0-only) [installed]
musl-utils-1.2.3-r4 aarch64 {musl} (MIT AND BSD-2-Clause AND GPL-2.0-or-later) [installed]
alpine-baselayout-3.4.0-r0 aarch64 {alpine-baselayout} (GPL-2.0-only) [installed]
alpine-keys-2.4-r1 aarch64 {alpine-keys} (MIT) [installed]
libcrypto3-3.0.7-r0 aarch64 {openssl} (Apache-2.0) [installed]
busybox-1.35.0-r29 aarch64 {busybox} (GPL-2.0-only) [installed]
scanelf-1.3.5-r1 aarch64 {pax-utils} (GPL-2.0-only) [installed]
ca-certificates-bundle-20220614-r2 aarch64 {ca-certificates} (MPL-2.0 AND MIT) [installed]
libc-utils-0.7.2-r3 aarch64 {libc-dev} (BSD-2-Clause AND BSD-3-Clause) [installed]
ssl_client-1.35.0-r29 aarch64 {busybox} (GPL-2.0-only) [installed]
alpine-baselayout-data-3.4.0-r0 aarch64 {alpine-baselayout} (GPL-2.0-only) [installed]
libssl3-3.0.7-r0 aarch64 {openssl} (Apache-2.0) [installed]
I will revert the openssl part
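The distinction drawn in the comment above (no `openssl` package in the base image, but `libssl3` and `libcrypto3` carrying `{openssl}` as their origin), as an added example that is not part of the original thread: a shell helper that reads `apk list` output and separates "which installed packages are built from this origin" from "is a package with this exact name installed". The function names are hypothetical, and the sample input is a subset of the lines quoted above.

```shell
#!/bin/sh
# Added example, not code from the PR. Line format handled, as in the
# `apk list` output quoted above:
#   <name>-<version>-r<rel> <arch> {<origin>} (<license>) [installed]

# Sample input: a subset of the lines from the comment above.
sample_apk_list() {
cat <<'EOF'
WARNING: Ignoring https://dl-cdn.alpinelinux.org/alpine/v3.17/main: No such file or directory
musl-1.2.3-r4 aarch64 {musl} (MIT) [installed]
apk-tools-2.12.10-r1 aarch64 {apk-tools} (GPL-2.0-only) [installed]
libcrypto3-3.0.7-r0 aarch64 {openssl} (Apache-2.0) [installed]
ssl_client-1.35.0-r29 aarch64 {busybox} (GPL-2.0-only) [installed]
libssl3-3.0.7-r0 aarch64 {openssl} (Apache-2.0) [installed]
EOF
}

# pkgs_from_origin ORIGIN
# Reads `apk list` output on stdin and prints "name version" for every
# installed package whose {origin} field equals ORIGIN.
pkgs_from_origin() {
  awk -v origin="$1" '
    /\[installed\]$/ && $3 == "{" origin "}" {
      # Package names may contain hyphens (apk-tools), so split at the
      # "-<digit>...-r<N>" version suffix instead of the first hyphen.
      if (match($1, /-[0-9][^-]*-r[0-9]+$/))
        print substr($1, 1, RSTART - 1), substr($1, RSTART + 1)
    }'
}

# is_installed NAME
# Succeeds only if a package named exactly NAME is installed; warning
# lines and packages that merely share an origin do not count.
is_installed() {
  awk -v name="$1" '
    /\[installed\]$/ && match($1, /-[0-9][^-]*-r[0-9]+$/) {
      if (substr($1, 1, RSTART - 1) == name) found = 1
    }
    END { exit !found }'
}

# Stand-alone run: list what the openssl origin contributes to the sample.
sample_apk_list | pkgs_from_origin openssl
```

Against a real image, pipe the output of the `docker run ... apk ... list` command shown above into the same functions in place of `sample_apk_list`.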
PR: #673
Explicitly updated openssl as it had CVEs
#671