alpine 3.20 usage

[JensUweFischer]

alpine v3.20 is released (https://alpinelinux.org/)

currently the python in the alpine images is limited to 3.11.19 (https://pkgs.alpinelinux.org/packages?name=python3&branch=v3.19&repo=&arch=x86_64&maintainer=) which has security issues

if alpine would be updated to v3.20 (https://pkgs.alpinelinux.org/packages?name=python3&branch=v3.20&repo=&arch=x86_64&maintainer=), python3 would be updated to 3.12.3-r1

can we please have the alpine version updated Thanks, Jens

[michaelklishin]

FWIW for RabbitMQ 4.0 it was decided to go with Alpine 3.20 (https://github.com/docker-library/rabbitmq/issues/712).

Whether this kind of a jump would be reasonable for 3.13, I am not in a position to tell but I'd say we should try to use the latest and greatest base operating system images, if anything, for easily available and timely security updates they receive.

[tianon]

I can't think of any good reasons not to update 👍

[butlermd]

I'm also seeing the security issues @JensUweFischer mentioned. I created #718 to resolve this.

[tianon]

I agree we should update, but can you elaborate on "the security issues" ? There are no package updates available in the current Alpine-based images (and Alpine is pretty active at fixing security issues, even in 3.19 and all the way down to 3.17 still):

$ docker run -it --rm --pull=always rabbitmq:alpine sh
alpine: Pulling from library/rabbitmq
Digest: sha256:aca89010eb1892720642c061530926725cd59cc92a55a017b1561469a674b22a
Status: Image is up to date for rabbitmq:alpine
/ # apk list --no-cache --upgradeable
fetch https://dl-cdn.alpinelinux.org/alpine/v3.19/main/x86_64/APKINDEX.tar.gz
fetch https://dl-cdn.alpinelinux.org/alpine/v3.19/community/x86_64/APKINDEX.tar.gz
/ # 

[JensUweFischer]

I agree we should update, but can you elaborate on "the security issues" ? There are no package updates available in the current Alpine-based images (and Alpine is pretty active at fixing security issues, even in 3.19 and all the way down to 3.17 still):

$ docker run -it --rm --pull=always rabbitmq:alpine sh
alpine: Pulling from library/rabbitmq
Digest: sha256:aca89010eb1892720642c061530926725cd59cc92a55a017b1561469a674b22a
Status: Image is up to date for rabbitmq:alpine
/ # apk list --no-cache --upgradeable
fetch https://dl-cdn.alpinelinux.org/alpine/v3.19/main/x86_64/APKINDEX.tar.gz
fetch https://dl-cdn.alpinelinux.org/alpine/v3.19/community/x86_64/APKINDEX.tar.gz
/ # 

1) yes, you are doing a good job providing upgraded v3.19 images 2) yes, there are no package updates available in the current v3.19 Alpine-based images

but: even when python3 (3.11.9-r0) is not upgradable in v3.19 "https://dl-cdn.alpinelinux.org/alpine/v3.19/main/x86_64/APKINDEX.tar.gz" to 3.12.3-r1 (https://pkgs.alpinelinux.org/packages?name=python3&branch=v3.20&repo=&arch=x86_64&maintainer=) In v3.20 :"https://dl-cdn.alpinelinux.org/alpine/v3.20/main/x86_64/APKINDEX.tar.gz" it is available 3.12.3-r1 (https://pkgs.alpinelinux.org/packages?name=python3&branch=v3.20&repo=&arch=x86_64&maintainer=)

Background informations: in https://github.com/docker-library/rabbitmq/blob/master/Dockerfile-alpine.template FROM alpine:{{ .alpine.version }} as build-base which evaluates to FROM alpine:3.19 as build-base

that base image brings a /etc/apk/repositories which specifies

https://dl-cdn.alpinelinux.org/alpine/v3.19/main
https://dl-cdn.alpinelinux.org/alpine/v3.19/community

this file /etc/apk/repositories exists in your derived image and results in

fetch https://dl-cdn.alpinelinux.org/alpine/v3.19/main/x86_64/APKINDEX.tar.gz
fetch https://dl-cdn.alpinelinux.org/alpine/v3.19/community/x86_64/APKINDEX.tar.gz

whenever alpine wants to get the "relevant" latest APKINDEX.tar.gz

in the alpine:3.20 base image the file /etc/apk/repositories contains

https://dl-cdn.alpinelinux.org/alpine/v3.20/main
https://dl-cdn.alpinelinux.org/alpine/v3.20/community

If you are realy interested in the security fixes in python3 (which i don't think) then you may look them up at https://docs.python.org/3/whatsnew/changelog.html 3.11.9 is currently included in the rabbitmq image, everything fixed later is attackable

[butlermd]

My issue is that in 3.19 py3-cryptography is only available up to 41.0.7-r0 with two CVEs (CVE-2024-26130 and CVE-2023-50782) fixed in 42.x.

Snyk doesn't flag them on the container when I look in docker hub, but I've seen that many times.

[tianon]

A few things worth clarifying:

Version numbers between releases of Alpine are generally unrelated and uncomparable (except the major/upstream version portion, which is often supplemented with explicit security patch backports). For example, a version 1.2.3-r4 in 3.19 and 1.2.3-r4 in 3.20 are only related in that they both represent some form of a 1.2.3 upstream release, not necessarily the same -r4.

Python 3.12.3 is not more secure or more up-to-date than 3.11.9 -- both Python 3.12 and Python 3.11 are actively supported and maintained and receive security updates (just like Alpine 3.19 does). In fact, 3.11.9 is the latest release in the 3.11 series, where 3.12.3 is two patch versions behind the 3.12 latest (3.12.5). See also https://docs.python.org/3.11/whatsnew/changelog.html

The CVE list on Docker Hub is not provided by Snyk but by Docker Scout (which uses a different engine for matching CVEs that's more careful about false positives than previous solutions on Hub have been and than most other tools are). If it's missing CVEs that you believe apply, I'm sure that team would be very keen to receive those reports.

[tianon]

(Closing as fixed via https://github.com/docker-library/rabbitmq/pull/718)