Closed RedrootDEV closed 1 year ago
Hi @redr00t, thanks for reporting this.
For completeness, the screenshot comes from the tag view in DockerHub, like this one: https://hub.docker.com/layers/library/caddy/builder-alpine/images/sha256-4fa7d446d8f18e37cec1fe9b3b9a1e0e93807a3b06dc57ec020888c11d21cf93?context=explore
I'll look into this.
@hairyhenderson Do you have any more insights or info?
These are coming from the xcaddy binary, which was built with an older Go binary. It should be re-built with 1.20.3. Same goes for the caddy binary.
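As an added example (not part of the thread and not code from the Caddy project), this is one way to confirm which Go toolchain a binary was built with, since that embedded version is what the comment above says needs to reach 1.20.3. The function names and the `minGo` floor variable are assumptions made for the illustration; the paths passed on the command line would be the `xcaddy` and `caddy` binaries copied out of the image.

```go
package main

import (
	"debug/buildinfo"
	"fmt"
	"os"
)

var minGo = [3]int{1, 20, 3} // toolchain floor named in the thread (Go 1.20.3)

// parseGoVersion turns "go1.20.3" into {1, 20, 3}; "go1.20" gets patch 0, "go1.21rc2" reads as 1.21.0.
func parseGoVersion(v string) (ver [3]int, err error) {
	n, _ := fmt.Sscanf(v, "go%d.%d.%d", &ver[0], &ver[1], &ver[2])
	if n < 2 {
		return ver, fmt.Errorf("not a release toolchain version: %q", v)
	}
	return ver, nil
}

// atLeast reports whether toolchain version have is >= floor.
func atLeast(have string, floor [3]int) (bool, error) {
	h, err := parseGoVersion(have)
	if err != nil {
		return false, err
	}
	for i := range h {
		if h[i] != floor[i] {
			return h[i] > floor[i], nil
		}
	}
	return true, nil
}

// checkBinary reads the Go version embedded in the file at path (what `go version <file>` prints).
func checkBinary(path string, floor [3]int) (string, bool, error) {
	info, err := buildinfo.ReadFile(path)
	if err != nil {
		return "", false, err // not a Go binary, or unreadable
	}
	ok, err := atLeast(info.GoVersion, floor)
	return info.GoVersion, ok, err
}

func main() {
	for _, p := range os.Args[1:] { // paths to the binaries to inspect
		v, ok, err := checkBinary(p, minGo)
		fmt.Printf("%s: built with %q, meets go1.20.3 floor: %v (err: %v)\n", p, v, ok, err)
	}
}
```

A binary that fails this check has to be rebuilt with a newer toolchain; updating the base image alone does not change the standard library compiled into it.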
@mholt do you know when the next release of xcaddy is happening?
How 'bout now? :grin:
v0.3.3 should be releasing now :crossed_fingers:
Hi all,
Should this have been resolved by v0.3.3 of xcaddy?
The version of stdlib is now 1.20 (different from the original screenshot from @redr00t) but Docker Hub is still reporting CVEs, one with a score of 9.8 in stdlib 😞
@dbrennand You're looking at a different tag from the original (latest, vs builder-alpine).
As I mentioned in an earlier comment, both xcaddy and caddy needed to be re-built with Go 1.20.3+. There's a new Caddy beta available (2.7.0-beta.1) that you can try out - it scans clean:
Given that this issue was for the builder image originally, I'm going to close it.
All Caddy images in docker have the following vulnerabilities: Is it a false positive or should I really worry about it?