-
Notifications
You must be signed in to change notification settings - Fork 29
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
security: libUV security issue per docker hub? #34
Comments
@tianon Hi, any idea how to fix this? The alpine version is already correct in the image |
Out of curiosity: Does anyone know why libuv is being installed? The command for that layer is @DarthGandalf Random guess would be to rebuild the image. Somehow remove the relevant base image and cause a rebuild of everything. How are the images build currently? Do you do that locally or is there some automation that I am missing? |
https://hub.docker.com/r/zncbouncer/znc-git is built and pushed to docker hub by github actions. The official image (https://hub.docker.com/_/znc) though is done somehow through https://github.com/docker-library/official-images/blob/master/library/znc |
That one seems to be rebuild on each run. Looking at the output of a random recent execution of that:
So, this rebuilds the image on every run.
The readme of that file says about "what are official images":
So, this one will just fix itself, I guess? There is a link in the text, but that doesn't explain things for me and I can't find out what they actually mean. It only says:
So... they will fix this on the next alpine release? |
Every alpine release already have the fixed libuv. That's why I tagged @tianon here - I don't know what we can do on our side. |
Actually, no, only 3.19 has the bad version, I was reading alpine packages wrong. |
See link: https://hub.docker.com/layers/library/znc/latest/images/sha256-9ee87dce4120706eb1da4bbde51224efd1780117177e2e28ab5c72fc32669001?context=repo&tab=vulnerabilities
Looks like libuv needs to be updated from 1.47 to 1.48
The text was updated successfully, but these errors were encountered: