Closed mvisser-nhb closed 1 year ago
+1
There were actually two CVEs patched in 8.4.
Yup, already planning on it: https://github.com/docker-library/official-images/pull/15508#issuecomment-1754068543
hey @yosifkit , it looks like that covers the Debian base images... what about the downstream images? This issue is specifically about the PHP images, which are downstream of the alpine, debian, etc images...? I'm not seeing any updates yet for this one.
All images FROM debian will be rebuilt. That's how the official images are designed; every image update causes dependent images to rebuild (which can take some time). You can see the build queue on the Official Images build server: https://doi-janky.infosiftr.net/
I don't envy that build server........
I may not have looked in the right place, but I can't see an equivalent FROM alpine job running - is that in the schedule for later, or are we better to overpatch ourselves for now, given the load on the build server?
I would highly recommend maybe force-updating this repo by adding something like:
apk add --no-cache 'curl>=8.4' `# temp version pinning needed for CVE fix`
I added this to my downstream project. @tobybellwood @mgriego made a PR to fix this ASAP. I see that it is still not triggered @yosifkit https://github.com/docker-library/php/pull/1451
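The thread's workaround is to pin `curl>=8.4` in the downstream Dockerfile while waiting for the base-image rebuild. The script below is an added example, not code from the thread or from the docker-library project: a POSIX sh check you can run inside a built image (for example via `docker run --rm <image> sh -c '...'`) to confirm that the curl actually present meets the 8.4.0 minimum the thread refers to, so the pin is verified rather than assumed. The banner strings used as input are constructed samples in the format `curl --version` prints; the 8.4.0 threshold is taken from the thread, and `check_curl_banner` is a name chosen here.

```shell
#!/bin/sh
# Added example (not from the thread or docker-library): verify that the curl
# inside an image is at or above a minimum version before trusting the rebuild.

# Extract the version from the first line of `curl --version`, which looks like
# "curl 8.4.0 (x86_64-alpine-linux-musl) libcurl/8.4.0 OpenSSL/3.1.3 ...".
curl_version_from_banner() {
    printf '%s\n' "$1" | awk 'NR==1 && $1=="curl" {print $2; exit}'
}

# Numeric comparison of dotted versions: returns 0 when $1 >= $2.
# Missing components count as 0, and non-numeric suffixes (e.g. "0-r0") are dropped.
version_ge() {
    have="$1"; want="$2"
    i=1
    while [ "$i" -le 3 ]; do
        h=$(printf '%s' "$have" | cut -d. -f"$i"); h=${h%%[!0-9]*}; h=${h:-0}
        w=$(printf '%s' "$want" | cut -d. -f"$i"); w=${w%%[!0-9]*}; w=${w:-0}
        if [ "$h" -gt "$w" ]; then return 0; fi
        if [ "$h" -lt "$w" ]; then return 1; fi
        i=$((i + 1))
    done
    return 0
}

# Report whether the curl described by a banner meets the minimum (default 8.4.0,
# the version the thread says carries the fix). Prints "patched" (status 0),
# "vulnerable" (status 1) or "unknown" (status 2) so it can gate a build step.
check_curl_banner() {
    banner="$1"; minimum="${2:-8.4.0}"
    v=$(curl_version_from_banner "$banner")
    if [ -z "$v" ]; then echo "unknown"; return 2; fi
    if version_ge "$v" "$minimum"; then echo "patched"; return 0; fi
    echo "vulnerable"; return 1
}

# Constructed sample banners (not real output captured from any image).
SAMPLE_OLD='curl 8.3.0 (x86_64-alpine-linux-musl) libcurl/8.3.0 OpenSSL/3.1.3'
SAMPLE_NEW='curl 8.4.0 (x86_64-alpine-linux-musl) libcurl/8.4.0 OpenSSL/3.1.3'

# Demo over the constructed samples. Inside a real container you would instead run:
#   check_curl_banner "$(curl --version)" || exit 1
for b in "$SAMPLE_OLD" "$SAMPLE_NEW"; do
    printf 'curl %s -> %s\n' "$(curl_version_from_banner "$b")" "$(check_curl_banner "$b")"
done
```

Because the function exits non-zero on a vulnerable or unknown version, it can be used as a `RUN` step right after the `apk add` pin so the image build itself fails if the pin did not take effect.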
Why was this closed? The alpine PHP images have not yet been updated?
@J0WI please advise, thank you.
I see some new 8.3 images at the link above, and some 8.2 images were updated, but what about all the others?
The latest minor versions of all of those were updated with the fix.
curl 8.4 is out on alpine package manager with a fix. https://pkgs.alpinelinux.org/packages?name=curl&branch=edge&repo=&arch=&maintainer=
please do a release of all images with curl version >=7.69
More information about the vulnerability here: https://daniel.haxx.se/blog/2023/10/11/how-i-made-a-heap-overflow-in-curl/