Use alpine:3.6 base image #176

Closed
wants to merge 2 commits into from

Conversation

marians

@marians marians commented Jun 9, 2017

marians added 2 commits June 9, 2017 10:11
Due to security vulnerabilities in 3.5 (zlib)
@yosifkit
Contributor

yosifkit commented Jun 9, 2017

Having CVE "vulnerabilities" does not mean it is actually usefully vulnerable. On all 4 CVEs you link, both RedHat Security and Debian Security have marked it as a "minor issue". RedHat marked zlib as "will not fix" on RHEL 5, 6, and 7; while Debian has at least fixed stretch/testing (which is still a pre-release anyway). Alpine 3.6 was released in the last couple of weeks, so it could apply the fix before a snapshot release.

That said, I think the Nginx maintainer likes to only do major changes (like an OS bump) when there is a version bump of Nginx as well.

@marians
Author

marians commented Jun 12, 2017

Thanks for the insight! It appears to me as if the bump from 3.4 to 3.5 has also been made without an nginx version change. See #136

@thresheek
Member

#136 was done on an nginx version change - from 1.10/1.11 to 1.12/1.13. That being said, are those CVEs really there in 3.5? Maybe they're patched out?
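
The question above ("are those CVEs really there in 3.5? Maybe they're patched out?") is the one a scanner result cannot answer by itself: Alpine, like Debian and RedHat, backports fixes into the same upstream version and bumps only the package release (`-rN`). The following is an added example, not code from this pull request or from the docker-nginx project. It parses the `name-version-rN` lines that `apk info -v` prints inside an Alpine image (the sample output below is constructed, not captured from a real image) and compares each package against a minimum fixed package version. The `MIN_FIXED` table is a placeholder; the thread does not state which zlib build carries the fixes, so the real value has to come from the Alpine security advisory for the CVE in question.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample of `apk info -v` output from an Alpine-based image.
# Made up for this example; a real listing contains every installed package.
SAMPLE_APK_INFO = """\
musl-1.1.16-r13
zlib-1.2.8-r2
busybox-1.26.2-r9
nginx-1.13.3-r0
pcre-8.41-r0
"""

# Placeholder minimum fixed *package* version (Alpine version plus release).
# This is a stand-in, not a real advisory value: look up the actual fixed
# build in the distro's security tracker, because a backported fix usually
# shows up only as a higher -rN release, not as a new upstream version.
MIN_FIXED: Dict[str, str] = {
    "zlib": "1.2.11-r0",
}

# name-version-rN: the version must start with a digit and contain no dashes.
_PKG_RE = re.compile(r"^(?P<name>.+?)-(?P<ver>\d[^-]*)-r(?P<rel>\d+)$")


def parse_apk_line(line: str) -> Optional[Tuple[str, str, int]]:
    """Split 'name-version-rN' into (name, version, release); None if malformed."""
    m = _PKG_RE.match(line.strip())
    if not m:
        return None
    return m.group("name"), m.group("ver"), int(m.group("rel"))


def version_key(ver: str, rel: int) -> Tuple[List[Tuple[int, object]], int]:
    """Sortable key: numeric components compare as integers, then the release.

    '1.2.8' < '1.2.11' because 8 < 11, which a plain string compare gets wrong.
    """
    parts: List[Tuple[int, object]] = []
    for tok in re.findall(r"\d+|[A-Za-z_]+", ver):
        parts.append((0, int(tok)) if tok.isdigit() else (1, tok))
    return parts, rel


def check_packages(apk_info: str, minimum: Dict[str, str]) -> Dict[str, str]:
    """Return {package: 'ok' | 'below-minimum' | 'missing'} for each watched package."""
    installed: Dict[str, Tuple[str, int]] = {}
    for line in apk_info.splitlines():
        parsed = parse_apk_line(line)
        if parsed:
            name, ver, rel = parsed
            installed[name] = (ver, rel)

    result: Dict[str, str] = {}
    for name, min_spec in minimum.items():
        if name not in installed:
            result[name] = "missing"
            continue
        min_ver, min_rel = min_spec.rsplit("-r", 1)
        if version_key(*installed[name]) >= version_key(min_ver, int(min_rel)):
            result[name] = "ok"
        else:
            result[name] = "below-minimum"
    return result


if __name__ == "__main__":
    # In practice feed it the output of:
    #   docker run --rm <image> apk info -v
    for pkg, status in check_packages(SAMPLE_APK_INFO, MIN_FIXED).items():
        print(f"{pkg}: {status}")
```

The check is deliberately a version comparison against the distro's fixed package build, not against the upstream version a generic scanner matches on; that is exactly the gap between "a CVE is listed for zlib 1.2.8" and "this image's zlib build is missing the fix". Run it against the real `apk info -v` output of the image, replacing the placeholder table with the versions named in the relevant Alpine advisory.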

@romdim

romdim commented Jul 8, 2017

Hello there! Is there a reason why you always wait for the next version of nginx/ruby/... in order to upgrade the os version as well? Because I don't get why it should be like that.

@morganchristiansson

All nginx docker images are showing up as vulnerable in the docker security scanner

https://hub.docker.com/r/library/nginx/tags/

@zyrill

zyrill commented Aug 17, 2017

If you don't want to wait for them to update the official images, here's the Dockerfile code changes required for moving to alpine v3.6: https://github.com/zyrill/docker-nginx/commit/45860be26a33b7a69130f766db8de34ae85a8a8a
Going to v1.13.4 on nginx is trivial, too: https://github.com/zyrill/docker-nginx/commit/11583294b5e5a5fafe100fd214e2b0eff03dc681

@thresheek
Member

AFAICT there are no zlib vulnerabilities at the moment present in mainline:alpine images: https://hub.docker.com/r/library/nginx/tags/1.13.3-alpine/
Hopefully there will be even fewer when 1.13.4 is pushed - which is why I don't see a reason to jump to 3.6 right now.

@thresheek thresheek closed this Aug 22, 2017
@marians marians deleted the alpine-3-6 branch March 1, 2018 10:17
6 participants