security: libUV security issue per docker hub?

[xgpt]

See link: https://hub.docker.com/layers/library/znc/latest/images/sha256-9ee87dce4120706eb1da4bbde51224efd1780117177e2e28ab5c72fc32669001?context=repo&tab=vulnerabilities

Looks like libuv needs to be updated from 1.47 to 1.48

[DarthGandalf]

@tianon Hi, any idea how to fix this? The alpine version is already correct in the image

[psychon]

Out of curiosity: Does anyone know why libuv is being installed? The command for that layer is apk add --no-cache build-base cmake icu-dev openssl-dev perl python3. I don't have Docker nor alpine around, so I can only check my local Debian testing. There, libuv is a dependency of CMake. That's only a build dependency and not actually used at run time and sounds a lot like that means the libuv bug is a non-issue.

@DarthGandalf Random guess would be to rebuild the image. Somehow remove the relevant base image and cause a rebuild of everything. How are the images build currently? Do you do that locally or is there some automation that I am missing?

[DarthGandalf]

Do you do that locally or is there some automation that I am missing?

https://hub.docker.com/r/zncbouncer/znc-git is built and pushed to docker hub by github actions. The official image (https://hub.docker.com/_/znc) though is done somehow through https://github.com/docker-library/official-images/blob/master/library/znc

[psychon]

https://hub.docker.com/r/zncbouncer/znc-git is built and pushed to docker hub by github actions.

That one seems to be rebuild on each run. Looking at the output of a random recent execution of that:

[...]
#9 [4/7] RUN apk add --no-cache         argon2-libs         boost         build-base         ca-certificates         cmake         cyrus-sasl         gettext         icu-dev         icu-data-full         openssl-dev         perl         python3         su-exec         tini         tzdata
#9 1.152 fetch https://dl-cdn.alpinelinux.org/alpine/v3.19/main/x86_64/APKINDEX.tar.gz
#9 1.557 fetch https://dl-cdn.alpinelinux.org/alpine/v3.19/community/x86_64/APKINDEX.tar.gz
#9 1.808 (1/102) Installing argon2-libs (20190702-r5)
#9 1.835 (2/102) Installing libgcc (13.2.1_git20231014-r0)
#9 1.840 (3/102) Installing libstdc++ (13.2.1_git20231014-r0)
[...]

So, this rebuilds the image on every run.
But libuv does not appear in the build output, so... it was never installed? Dunno.

The official image (https://hub.docker.com/_/znc) though is done somehow through https://github.com/docker-library/official-images/blob/master/library/znc

The readme of that file says about "what are official images":

Actively rebuild for updates and security fixes

So, this one will just fix itself, I guess? There is a link in the text, but that doesn't explain things for me and I can't find out what they actually mean. It only says:

Tags in the library file are only built through an update to that library file or as a result of its base image being updated (ie, an image FROM debian:bookworm would be rebuilt when debian:bookworm is built). Only what is in the library file will be rebuilt when a base has updates.

So... they will fix this on the next alpine release?

[DarthGandalf]

So... they will fix this on the next alpine release?

Every alpine release already have the fixed libuv.

That's why I tagged @tianon here - I don't know what we can do on our side.

[DarthGandalf]

Actually, no, only 3.19 has the bad version, I was reading alpine packages wrong.