alpinelinux / docker-alpine

Official Alpine Linux Docker image. Win at minimalism!
MIT License

Freetype vulnerability / CVE-2022-27404 #252

Closed cameronwaterman closed 2 years ago

cameronwaterman commented 2 years ago

The latest Alpine image (3.15.4) contains freetype 2.11.1. A critical CVE exists for this dependency. A fix was submitted to upgrade this dependency. A new docker image will need to be created, it is not clear to me what the process is for requesting a new image be created.

https://gitlab.alpinelinux.org/alpine/aports/-/commit/08c9eeb1e3aee1adc8c3407f29630073aef5c5e3
https://gitlab.alpinelinux.org/alpine/aports/-/commit/a11d8db7bb9baefb69a268bba661728ece1f1caa

ncopa commented 2 years ago

The Alpine Linux base image does not include freetype, regenerating a new image will not change anything.

You need to find the docker image that introduces freetype and regenerate that.

arunsai271 commented 2 years ago

@ncopa Sorry! I have not understood your comment. Can you please elaborate? I'm currently using an alpine:3.15.4 base image in my container. After doing apk update I am able to see the freetype-2.11.1-r1 package in the container. Now when trying to upgrade, it cannot be upgraded to freetype-2.12.1-r0 and shows the error message below. The ideal case should be that it is either upgradable to the 2.12 version or a new Alpine base image is provided which supports freetype-2.12.1-r0. Please correct me if I am wrong, but I believe a new image from Alpine should be released which supports freetype version 2.12, like @cameronwaterman said.

From this link [https://repology.org/project/freetype/versions], we can see that the latest Alpine version 3.15.4 supports up to freetype version 2.11.

Data:

/ # cat /etc/os-release
NAME="Alpine Linux"
ID=alpine
VERSION_ID=3.15.4
PRETTY_NAME="Alpine Linux v3.15"
HOME_URL="https://alpinelinux.org/"
BUG_REPORT_URL="https://bugs.alpinelinux.org/"
/ # apk search | grep freetype
freetype-2.11.1-r1
freetype-dev-2.11.1-r1
freetype-doc-2.11.1-r1
freetype-static-2.11.1-r1
/ #

When trying to upgrade:

/ # apk add freetype=2.12.1-r0
ERROR: unable to select packages:
  freetype-2.11.1-r1:
    breaks: world[freetype=2.12.1-r0]

ncopa commented 2 years ago

What I am saying is that it is not the alpine base image that pulls in freetype.

Try apk upgrade -U -a.

arunsai271 commented 2 years ago

Tried the command, but the same version still exists. I use openjdk8-jre-alpine and it needs freetype as its internal dependency. When I try to upgrade, openjdk8-jre is able to sync up with freetype 2.12, but at the OS level it breaks, I guess. Please find the output below:

/ # apk add freetype=2.12.1-r0
ERROR: unable to select packages:
  freetype-2.11.1-r1:
    breaks: world[freetype=2.12.1-r0]
    satisfies: openjdk8-jre-8.302.08-r2[so:libfreetype.so.6] fontconfig-2.13.1-r4[so:libfreetype.so.6] mkfontscale-1.2.1-r1[so:libfreetype.so.6]
/ # apk upgrade -U -a
fetch https://dl-cdn.alpinelinux.org/alpine/v3.15/main/x86_64/APKINDEX.tar.gz
fetch https://dl-cdn.alpinelinux.org/alpine/v3.15/community/x86_64/APKINDEX.tar.gz
OK: 6 MiB in 14 packages
/ # apk search  | grep freetype
freetype-2.11.1-r1
freetype-dev-2.11.1-r1
freetype-doc-2.11.1-r1
freetype-static-2.11.1-r1

See, even here it is mentioned that Alpine 3.15.4 supports up to version 2.11. Please find the snapshot below.

Link: https://repology.org/project/freetype/versions

ncopa commented 2 years ago

Ok. I now understand what's going on. You need to ask whoever created openjdk8-jre-alpine to rebuild their image.

And for the record, repology is wrong. The link you referred to, https://git.alpinelinux.org/aports/commit/?id=08c9eeb1e3aee1adc8c3407f29630073aef5c5e3, shows that we backported the fix to 2.11.1 instead of upgrading to 2.12.1. So if you have freetype-2.11.1-r1 you are not vulnerable. The -r1 revision has the fix.
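The confusion in this thread is the usual one with backported fixes: matching only the upstream version (2.11.1) flags the package as vulnerable, while the Alpine secdb records the fix at the package revision level (2.11.1-r1). The script below is an added example, not part of the issue or of the alpinelinux project; it parses `apk search` style lines, compares apk versions including the `-rN` revision, and looks the package up in a constructed secdb-style entry that contains only the freetype / CVE-2022-27404 fix named above. The version comparison is simplified (assumption: no `_p`/`_git` suffixes).

```python
"""Check an installed Alpine package against a secdb-style fixed version."""
import json
import re

# Constructed sample in the shape of Alpine's secdb JSON; only the
# freetype / CVE-2022-27404 entry from the thread is included.
SECDB_SAMPLE = json.dumps({
    "distroversion": "v3.15",
    "reponame": "main",
    "packages": [
        {"pkg": {"name": "freetype",
                 "secfixes": {"2.11.1-r1": ["CVE-2022-27404"]}}}
    ],
})

# Constructed lines, as printed by `apk search | grep freetype` in the thread.
APK_SEARCH_OUTPUT = """\
freetype-2.11.1-r1
freetype-dev-2.11.1-r1
freetype-doc-2.11.1-r1
freetype-static-2.11.1-r1
"""

def split_pkg(line):
    """'freetype-dev-2.11.1-r1' -> ('freetype-dev', '2.11.1-r1').
    The version begins at the first '-' that is followed by a digit."""
    m = re.match(r"^(.*?)-(\d.*)$", line.strip())
    if not m:
        raise ValueError(f"not a pkgname-version line: {line!r}")
    return m.group(1), m.group(2)

def version_key(ver):
    """Sort key for apk versions of the form N.N.N[-rN]; the -rN package
    revision is compared after the upstream version (simplified, assumption:
    suffixes such as _p1 or _git are not handled)."""
    base, _, rel = ver.partition("-r")
    return tuple(int(x) for x in base.split(".")), int(rel or 0)

def is_fixed(installed, fixed):
    """True when the installed version is at or above the fixed version."""
    return version_key(installed) >= version_key(fixed)

def check_cve(search_output, secdb_json, cve):
    """Map each listed package that the secdb ties to `cve` to True (fixed)
    or False (still vulnerable). Subpackages (-dev, -doc) are keyed by
    their origin package in the real secdb, so only exact names match here."""
    fixed_by_pkg = {}
    for entry in json.loads(secdb_json)["packages"]:
        pkg = entry["pkg"]
        for fixed_ver, cves in pkg["secfixes"].items():
            if cve in cves:
                fixed_by_pkg[pkg["name"]] = fixed_ver
    result = {}
    for line in search_output.splitlines():
        name, ver = split_pkg(line)
        if name in fixed_by_pkg:
            result[name] = is_fixed(ver, fixed_by_pkg[name])
    return result
```

Run against the thread's output, `check_cve(APK_SEARCH_OUTPUT, SECDB_SAMPLE, "CVE-2022-27404")` reports freetype as fixed, whereas a constructed `freetype-2.11.1-r0` line would be reported as vulnerable.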