docker-library / php

Docker Official Image packaging for PHP
https://php.net
MIT License

hf: curl version pin to 8.4 to fix CVE-2023-38545 and CVE-2023-38546 #1449 #1451

Closed maxvisser closed 1 year ago

maxvisser commented 1 year ago

version pin curl to fix #1449

I didn't see that the alpine images were pushed already. This will force everything to upgrade to at least version 8.4

Based on this schema, all alpine versions allow 8.4 to be added from the alpine repository: https://security.alpinelinux.org/srcpkg/curl

LaurentGoderre commented 1 year ago

We don't need to do these kinds of updates manually like this. The fixes to the underlying OS get propagated.

yosifkit commented 1 year ago

This was addressed by rebuilding:


$ docker pull php:alpine
/usr/bin/docker-credential-desktop.exe: Invalid argument
alpine: Pulling from library/php
96526aa774ef: Already exists
61eb5622fa41: Pull complete
587160738cca: Pull complete
802431d360de: Pull complete
5db1ff5740b7: Pull complete
204a832fc655: Pull complete
867a5d91eaf5: Pull complete
851d1ebc1b2d: Pull complete
641f4f326175: Pull complete
Digest: sha256:403361a17e469f6069eef76a1ed1b55cc891aece27f934af9285e78b1f225938
Status: Downloaded newer image for php:alpine
docker.io/library/php:alpine
$ docker run -it --rm php:alpine sh
/ # apk info curl
WARNING: opening from cache https://dl-cdn.alpinelinux.org/alpine/v3.18/main: No such file or directory
WARNING: opening from cache https://dl-cdn.alpinelinux.org/alpine/v3.18/community: No such file or directory
curl-8.4.0-r0 description:
URL retrival utility and library

curl-8.4.0-r0 webpage:
https://curl.se/

curl-8.4.0-r0 installed size:
248 KiB
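Added example, not code from the docker-library/php project or from anyone in this thread: a POSIX sh gate that does the same check yosifkit did by hand, parsing `apk info curl` output and failing when the installed curl is older than 8.4.0 (the upstream release carrying the fixes for CVE-2023-38545 and CVE-2023-38546, the version this PR wanted to pin). The apk output in the script is a constructed sample modelled on the format shown above so it runs offline; in CI you would feed it `docker run --rm "$IMAGE" apk info curl` instead. The function names and the `MIN_CURL_VERSION` variable are the example's own, not anything apk or the image provides.

```shell
#!/bin/sh
# Added example (not from docker-library/php): fail a build if the image's
# curl package is older than the release that fixed CVE-2023-38545/38546.
# Real input would come from:  docker run --rm "$IMAGE" apk info curl

# Lowest upstream curl version accepted. Alpine ships upstream versions
# unchanged (the -rN suffix is only the packaging revision), so comparing the
# upstream number is meaningful here; it would NOT be for distros that backport.
MIN_CURL_VERSION="8.4.0"

# Constructed samples mirroring `apk info curl` output (not real captures).
SAMPLE_FIXED='WARNING: opening from cache https://dl-cdn.alpinelinux.org/alpine/v3.18/main: No such file or directory
curl-8.4.0-r0 description:
URL retrival utility and library

curl-8.4.0-r0 webpage:
https://curl.se/'

SAMPLE_OLD='curl-8.3.0-r1 description:
URL retrival utility and library'

# Print "X.Y.Z" taken from the first "curl-X.Y.Z-rN description:" line.
# Prints nothing if no curl package line is present.
curl_version_from_apk_info() {
  printf '%s\n' "$1" \
    | sed -n 's/^curl-\([0-9][0-9.]*\)-r[0-9]* description:.*/\1/p' \
    | head -n 1
}

# Return 0 if $1 >= $2 as dotted numeric versions, 1 otherwise.
# Compares each component numerically, so 8.10.0 > 8.4.0 (string compare would not).
version_ge() {
  a="$1"; b="$2"
  oldifs=$IFS; IFS=.
  set -- $a; a1=${1:-0}; a2=${2:-0}; a3=${3:-0}
  set -- $b; b1=${1:-0}; b2=${2:-0}; b3=${3:-0}
  IFS=$oldifs
  if [ "$a1" -ne "$b1" ]; then [ "$a1" -gt "$b1" ]; return; fi
  if [ "$a2" -ne "$b2" ]; then [ "$a2" -gt "$b2" ]; return; fi
  [ "$a3" -ge "$b3" ]
}

# Verdict on one apk info dump: 0 = fixed version installed, 1 = too old or absent.
check_curl() {
  v=$(curl_version_from_apk_info "$1")
  if [ -z "$v" ]; then
    echo "FAIL: no curl package found in apk output" >&2
    return 1
  fi
  if version_ge "$v" "$MIN_CURL_VERSION"; then
    echo "OK: curl $v >= $MIN_CURL_VERSION"
    return 0
  fi
  echo "FAIL: curl $v < $MIN_CURL_VERSION, pull the rebuilt image" >&2
  return 1
}

# Demo run against the constructed samples; the second one is expected to fail.
check_curl "$SAMPLE_FIXED" || true
check_curl "$SAMPLE_OLD" || true
```

The numeric comparison matters because a plain string comparison would rank `8.10.0` below `8.4.0`. The check is only as good as the assumption in the comment: on Alpine the package version tracks upstream, but Debian-based `php:*` images carry fixes as backports under the old version number, so there you should consult the distro security tracker or a scanner that reads it rather than gate on the upstream number.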