caddyserver / caddy-docker

Source for the official Caddy v2 Docker Image
https://hub.docker.com/_/caddy
Apache License 2.0

Latest Alpine release is built with Golang 1.17.2 and has vulnerabilities #219

Closed hi-artem closed 2 years ago

hi-artem commented 2 years ago

Re-opening this issue here:

Latest release is built with golang 1.17.2 and has the following vulnerabilities:

CVE-2021-44716

https://nvd.nist.gov/vuln/detail/CVE-2021-44716

Impacted versions: <1.17.5,1.17 and >=1.17.0,1.17
Discovered: Less than an hour ago
Published: 18 days ago
net/http in Go before 1.16.12 and 1.17.x before 1.17.5 allows uncontrolled memory consumption in the header canonicalization cache via HTTP/2 requests.

CVE-2021-41772

https://nvd.nist.gov/vuln/detail/CVE-2021-41772

Impacted versions: <1.17.3,1.17 and >=1.17.0,1.17
Discovered: Less than an hour ago
Published: 72 days ago
Go before 1.16.10 and 1.17.x before 1.17.3 allows an archive/zip Reader.Open panic via a crafted ZIP archive containing an invalid name or an empty filename field.

CVE-2021-41771

https://nvd.nist.gov/vuln/detail/CVE-2021-41771

Impacted versions: <1.17.3,1.17 and >=1.17.0,1.17
Discovered: Less than an hour ago
Published: 72 days ago
ImportedSymbols in debug/macho (for Open or OpenFat) in Go before 1.16.10 and 1.17.x before 1.17.3 Accesses a Memory Location After the End of a Buffer, aka an out-of-bounds slice situation.
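The three advisories above are all about the Go toolchain the binary was compiled with, not about Caddy's own code, so the practical check for an image is "which Go version is recorded in /usr/bin/caddy". The following is an added example, not code from caddy-docker: a small Go tool that reads the build info embedded in any Go binary and reports which of the CVEs listed in this issue still apply, using the fixed versions quoted from NVD above (1.16.12/1.17.5 for CVE-2021-44716, 1.16.10/1.17.3 for the other two). It needs Go 1.18 or newer to build (for debug/buildinfo); the function names and the usage shape are my own.

```go
// Added example (not part of the caddy-docker repository): read the Go
// toolchain version recorded in a compiled Go binary (e.g. /usr/bin/caddy
// copied out of the image) and compare it with the fixed versions from the
// NVD entries quoted in the issue.
package main

import (
	"debug/buildinfo"
	"fmt"
	"os"
	"sort"
	"strconv"
	"strings"
)

// goVersion is a parsed "goX.Y.Z" toolchain version.
type goVersion struct{ major, minor, patch int }

// parseGoVersion accepts "go1.17.2", "go1.17" or "1.17.5". Pre-release
// strings such as "go1.18beta1" are rejected rather than guessed at.
func parseGoVersion(s string) (goVersion, error) {
	s = strings.TrimPrefix(s, "go")
	parts := strings.Split(s, ".")
	if len(parts) < 2 || len(parts) > 3 {
		return goVersion{}, fmt.Errorf("unrecognised Go version %q", s)
	}
	var v goVersion
	fields := []*int{&v.major, &v.minor, &v.patch}
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil {
			return goVersion{}, fmt.Errorf("unrecognised Go version %q: %w", s, err)
		}
		*fields[i] = n
	}
	return v, nil
}

func (v goVersion) less(o goVersion) bool {
	if v.major != o.major {
		return v.major < o.major
	}
	if v.minor != o.minor {
		return v.minor < o.minor
	}
	return v.patch < o.patch
}

// fixedIn lists, per CVE from the issue, the first patched release on each
// maintained branch, oldest first (values taken from the NVD text above).
var fixedIn = map[string][]string{
	"CVE-2021-44716": {"1.16.12", "1.17.5"},
	"CVE-2021-41772": {"1.16.10", "1.17.3"},
	"CVE-2021-41771": {"1.16.10", "1.17.3"},
}

// affected returns the CVEs that apply to a toolchain version. Anything older
// than the oldest fix is affected ("Go before 1.16.12"); a newer branch is
// affected only while it is below the fix on that same branch ("1.17.x before
// 1.17.5"); branches newer than every listed fix are clean.
func affected(toolchain string) ([]string, error) {
	v, err := parseGoVersion(toolchain)
	if err != nil {
		return nil, err
	}
	var hits []string
	for cve, fixes := range fixedIn {
		oldest, _ := parseGoVersion(fixes[0])
		hit := v.less(oldest)
		for _, f := range fixes[1:] {
			fv, _ := parseGoVersion(f)
			if v.major == fv.major && v.minor == fv.minor && v.less(fv) {
				hit = true
			}
		}
		if hit {
			hits = append(hits, cve)
		}
	}
	sort.Strings(hits) // map order is random; keep output stable
	return hits, nil
}

// toolchainOf returns the Go version recorded in a binary's build info,
// e.g. "go1.17.2". This is the same data `go version -m <file>` prints.
func toolchainOf(path string) (string, error) {
	bi, err := buildinfo.ReadFile(path)
	if err != nil {
		return "", err
	}
	return bi.GoVersion, nil
}

func main() {
	if len(os.Args) != 2 {
		fmt.Fprintln(os.Stderr, "usage: gocheck /path/to/caddy")
		os.Exit(2)
	}
	tc, err := toolchainOf(os.Args[1])
	if err != nil {
		fmt.Fprintln(os.Stderr, "cannot read build info:", err)
		os.Exit(2)
	}
	hits, err := affected(tc)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(2)
	}
	fmt.Printf("%s: built with %s\n", os.Args[1], tc)
	if len(hits) == 0 {
		fmt.Println("none of the listed CVEs apply")
		return
	}
	fmt.Println("affected by:", strings.Join(hits, ", "))
	os.Exit(1)
}
```

To check an image, copy the binary out first (for example `docker create` followed by `docker cp <container>:/usr/bin/caddy ./caddy`) and run the tool on the copy; the exit status makes it usable as a CI gate. Without this tool, `go version -m ./caddy` prints the same embedded toolchain version, which is enough to confirm by hand whether a given image still carries Go 1.17.2.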

hi-artem commented 2 years ago

One way to get around this issue would be to restructure the Dockerfile to pull from the Caddy website instead of git. Something like this:

RUN set -eux; \
    wget -O /tmp/caddy "https://caddyserver.com/api/download?os=linux&arch=arm64"; \
    mv /tmp/caddy /usr/bin/caddy; \
    rm -f /tmp/caddy; \
    chmod +x /usr/bin/caddy; \
    caddy version

jrschumacher commented 2 years ago

I was able to ~bypass~ resolve the vulnerabilities with @hi-artem's approach

### Build Caddy (runs in parallel with previous steps)
FROM alpine:3.15 AS caddy-build

WORKDIR /tmp

RUN set -eux && \
    apk update && \
    # Install wget, which is needed to fetch the prebuilt Caddy binary
    apk add --no-cache \
        wget=1.21.2-r2 && \
    wget -qO /tmp/caddy "https://caddyserver.com/api/download?os=linux&arch=amd64" && \
    chmod +x /tmp/caddy && \
    /tmp/caddy version

### Serve
FROM scratch AS serve

# Setup non-root user (use a very large uid to avoid users that may have sudo access)
USER 10001

# Copy caddy
COPY --from=caddy-build /tmp/caddy /caddy

# Copy the post-build directory to serve dir (app specific command)
# COPY --from=post-build /app/copy-this /srv

# Copy the caddyfile (my Caddyfile serves /srv)
COPY Caddyfile /Caddyfile

# Use non-privileged port
EXPOSE 8080

CMD ["/caddy", "run", "--config", "/Caddyfile"]

hairyhenderson commented 2 years ago

This will be resolved by the v2.5.0 image - see https://github.com/docker-library/official-images/pull/12305

hairyhenderson commented 2 years ago

(closing this as there's no more action necessary on this)