drwetter / testssl.sh

Testing TLS/SSL encryption anywhere on any port
https://testssl.sh
GNU General Public License v2.0
7.9k stars, 1.02k forks

Clarification regarding the curl version in your Docker image (CVE-2023-38545) #2420

Closed mig5 closed 11 months ago

mig5 commented 11 months ago

Which version are you referring to: 3.2 from drwetter/testssl.sh:latest Docker image, ID Digest: sha256:98c43b1877453edfcdee9e5a48b3b8ef37277b2a098550d88bb575960f2d6f0e

Hi @drwetter,

I have been reviewing Docker images I use that have curl installed, in light of https://curl.se/docs/CVE-2023-38545.html - and that includes testssl.sh

I especially note that testssl.sh has support for passing proxy args to curl. Although I don't use that, that's especially interesting in light of the nature of this vulnerability.

Entering the Docker container from your latest image, I can see this is the curl version:

root@localhost:~# docker run -it --entrypoint /bin/bash drwetter/testssl.sh:latest

bash-4.4$ curl --version
curl 8.0.1 (x86_64-suse-linux-gnu) libcurl/8.0.1 OpenSSL/1.1.1l-fips zlib/1.2.11 brotli/1.0.7 zstd/1.5.0 libidn2/2.2.0 libpsl/0.20.1 (+libidn2/2.2.0) libssh/0.9.6/openssl/zlib nghttp2/1.40.0
Release-Date: 2023-03-20
Protocols: dict file ftp ftps gopher gophers http https imap imaps ldap ldaps mqtt pop3 pop3s rtsp scp sftp smb smbs smtp smtps telnet tftp
Features: alt-svc AsynchDNS brotli GSS-API HSTS HTTP2 HTTPS-proxy IDN IPv6 Kerberos Largefile libz NTLM NTLM_WB PSL SPNEGO SSL threadsafe TLS-SRP UnixSockets zstd

I am not so familiar with your image and its parent dependencies (SuSE?) and was wondering how I might tell if this version of curl is patched (or not) against the vulnerability (please see 'Affected versions' at https://curl.se/docs/CVE-2023-38545.html)? I come from a Debian world where it is possible to check the changelog on the filesystem itself, but not sure if that exists in this image. I think it's because you explicitly remove /usr/share/doc when building your image (makes sense, keeping it light!).

Thanks for any assurance you can provide re: the curl version here! Cheers for making testssl.sh :)

drwetter commented 11 months ago

Hi @mig5,

thanks for pointing this out. Reminds me that sometime back I thought the best would be a trivy check in CI. Did that manually now though (CVE DB is recent):

image

In fact the curl release date sounds fishy though. One possibility would be to clarify the package from the vendor in the repo or rpm -qi the package in the container. Probably in the first stage.

I'll get back later on this

drwetter commented 11 months ago

TL;DR: curl in the docker images wasn't designed to accept socks5 proxy commands and in fact does not do so

Quick look at the code: The arguments for curl in testssl.sh are partly user determinable only: It depends solely on the PROXYIP variable whose input in turn is being strongly validated:

image

Despite that it can't hurt to look at the image and find out why curl probably hasn't been updated.

drwetter commented 11 months ago

A Leap 15.4 system (no container) looked like it was patched ~a week ago:

image

The leap image from the repo however is not up to date. That would be no problem but... Normally the build process of the image should make sure that updates are installed and @polarathene did the right thing. However I am not sure whether it works as designed:

/tmp  sudo docker run -ti --rm opensuse/leap:15.4 /bin/bash
Unable to find image 'opensuse/leap:15.4' locally
15.4: Pulling from opensuse/leap
d84d5ad6cdb3: Pull complete
Digest: sha256:f32cf0182e23508fbc093c9a75e541209dc19df40b1104bc42783814e9e1b275
Status: Downloaded newer image for opensuse/leap:15.4

Now comes the first zypper command from Dockerfile (leaving out the options):

5ba3cf72b69f:/ # zypper --gpg-auto-import-keys refresh
Retrieving repository 'Update repository of openSUSE Backports' metadata .........................................................................................................[done]
Building repository 'Update repository of openSUSE Backports' cache ..............................................................................................................[done]
Retrieving repository 'Non-OSS Repository' metadata ---------------------------------------------------------------------------------------------------------------------------------[/]
Note: Received 1 new package signing key from repository "Non-OSS Repository":

Those additional keys are usually used to sign packages shipped by the repository. In order to
validate those packages upon download and installation the new keys will be imported into the rpm
database.

New:
Key Fingerprint:  4E98 E675 19D9 8DC7 362A 5990 E3A5 C360 307E 3D54
Key Name:         SuSE Package Signing Key <build@suse.de>
Key Algorithm:    RSA 1024
Key Created:      Thu Mar 15 15:26:29 2018
Key Expires:      Mon Mar 14 15:26:29 2022 (EXPIRED)
Rpm Name:         gpg-pubkey-307e3d54-5aaa90a5

The repository metadata introducing the new keys have been signed and validated by the trusted
key:

Repository:       Non-OSS Repository
Key Fingerprint:  22C0 7BA5 3417 8CD0 2EFE 22AA B88B 2FD4 3DBD C284
Key Name:         openSUSE Project Signing Key <opensuse@opensuse.org>
Key Algorithm:    RSA 2048
Key Created:      Mon May  5 08:37:40 2014
Key Expires:      Thu May  2 08:37:40 2024
Rpm Name:         gpg-pubkey-3dbdc284-53674dd4

Retrieving repository 'Non-OSS Repository' metadata ..............................................................................................................................[done]
Building repository 'Non-OSS Repository' cache ...................................................................................................................................[done]
Retrieving repository 'Main Repository' metadata .................................................................................................................................[done]
Building repository 'Main Repository' cache ......................................................................................................................................[done]
Retrieving repository 'Update repository with updates from SUSE Linux Enterprise 15' metadata ....................................................................................[done]
Building repository 'Update repository with updates from SUSE Linux Enterprise 15' cache .........................................................................................[done]
Retrieving repository 'Main Update Repository' metadata ..........................................................................................................................[done]
Building repository 'Main Update Repository' cache ...............................................................................................................................[done]
Retrieving repository 'Update Repository (Non-Oss)' metadata .....................................................................................................................[done]
Building repository 'Update Repository (Non-Oss)' cache ..........................................................................................................................[done]
All repositories have been refreshed.

From the repo it's old:

5ba3cf72b69f:/ # rpm -qi curl | grep -Ei 'install|build'
Install Date: Tue Jul 25 10:12:26 2023
Build Date  : Wed Jul 12 13:41:46 2023
Build Host  : goat35

Here comes the install command as in the Dockerfile which waits for a prompt despite --non-interactive install

5ba3cf72b69f:/ # zypper --non-interactive install --download-in-advance --no-recommends bash procps grep gawk sed coreutils busybox-util-linux busybox-vi ldns libidn2-0 socat openssl curl
Loading repository data...
Reading installed packages...
'coreutils' is already installed.
No update candidate for 'coreutils-8.32-150400.7.5.x86_64'. The highest available version is already installed.
'grep' is already installed.
No update candidate for 'grep-3.1-150000.4.6.1.x86_64'. The highest available version is already installed.
'bash' is already installed.
No update candidate for 'bash-4.4-150400.25.22.x86_64'. The highest available version is already installed.
'sed' is already installed.
No update candidate for 'sed-4.4-11.6.x86_64'. The highest available version is already installed.
'libidn2-0' is already installed.
No update candidate for 'libidn2-0-2.2.0-3.6.1.x86_64'. The highest available version is already installed.
Resolving package dependencies...

Problem: the to be installed busybox-util-linux-1.35.0-150400.4.5.1.noarch conflicts with 'util-linux' provided by the installed util-linux-2.37.2-150400.8.17.1.x86_64
Solution 1: deinstallation of util-linux-2.37.2-150400.8.17.1.x86_64
Solution 2: do not install busybox-util-linux-1.35.0-150400.4.5.1.noarch

Choose from above solutions by number or cancel [1/2/c/d/?] (c): c
5ba3cf72b69f:/ # 

All is fine if one just allows deinstallation of util-linux:

5ba3cf72b69f:/ # zypper install  --download-in-advance --no-recommends bash procps grep gawk sed coreutils busybox-util-linux busybox-vi ldns libidn2-0 socat openssl curl
Loading repository data...
Reading installed packages...
'coreutils' is already installed.
No update candidate for 'coreutils-8.32-150400.7.5.x86_64'. The highest available version is already installed.
'grep' is already installed.
No update candidate for 'grep-3.1-150000.4.6.1.x86_64'. The highest available version is already installed.
'bash' is already installed.
No update candidate for 'bash-4.4-150400.25.22.x86_64'. The highest available version is already installed.
'sed' is already installed.
No update candidate for 'sed-4.4-11.6.x86_64'. The highest available version is already installed.
'libidn2-0' is already installed.
No update candidate for 'libidn2-0-2.2.0-3.6.1.x86_64'. The highest available version is already installed.
Resolving package dependencies...

Problem: the to be installed busybox-util-linux-1.35.0-150400.4.5.1.noarch conflicts with 'util-linux' provided by the installed util-linux-2.37.2-150400.8.17.1.x86_64
Solution 1: deinstallation of util-linux-2.37.2-150400.8.17.1.x86_64
Solution 2: do not install busybox-util-linux-1.35.0-150400.4.5.1.noarch

Choose from above solutions by number or cancel [1/2/c/d/?] (c): 1
Resolving dependencies...
Resolving package dependencies...

The following 4 packages are going to be upgraded:
curl gawk libprocps7 procps

The following 12 NEW packages are going to be installed:
busybox busybox-util-linux busybox-vi ldns libdbus-1-3 libldns2 libnl-config libnl3-200 libpcap1 libwrap0 openssl socat

The following package is going to be REMOVED:
util-linux

4 packages to upgrade, 12 new, 1 to remove.
Overall download size: 3.8 MiB. Already cached: 0 B. After the operation, 1.1 MiB will be freed.
Continue? [y/n/v/...? shows all options] (y):
Retrieving: libnl-config-3.3.0-1.29.noarch (Main Repository)                                                                                                       (1/16),  14.4 KiB
Retrieving: libnl-config-3.3.0-1.29.noarch.rpm ...................................................................................................................................[done]
Retrieving: libwrap0-7.6-1.433.x86_64 (Main Repository)                                                                                                            (2/16),  24.6 KiB
Retrieving: libwrap0-7.6-1.433.x86_64.rpm ........................................................................................................................................[done]
Retrieving: openssl-1.1.1l-150400.1.5.noarch (Main Repository)                                                                                                     (3/16),  25.7 KiB
Retrieving: openssl-1.1.1l-150400.1.5.noarch.rpm .................................................................................................................................[done]
Retrieving: libnl3-200-3.3.0-1.29.x86_64 (Main Repository)                                                                                                         (4/16), 277.6 KiB
Retrieving: libnl3-200-3.3.0-1.29.x86_64.rpm .....................................................................................................................................[done]
Retrieving: socat-1.7.3.2-4.10.x86_64 (Main Repository)                                                                                                            (5/16), 227.4 KiB
Retrieving: socat-1.7.3.2-4.10.x86_64.rpm ..........................................................................................................................[done (304.9 KiB/s)]
Retrieving: busybox-1.35.0-150400.3.11.1.x86_64 (Update repository with updates from SUSE Linux Enterprise 15)                                                     (6/16), 601.4 KiB
Retrieving: busybox-1.35.0-150400.3.11.1.x86_64.rpm ..................................................................................................................[done (1.8 MiB/s)]
Retrieving: curl-8.0.1-150400.5.32.1.x86_64 (Update repository with updates from SUSE Linux Enterprise 15)                                                         (7/16), 548.9 KiB
Retrieving: curl-8.0.1-150400.5.32.1.x86_64.rpm ......................................................................................................................[done (5.4 MiB/s)]
Retrieving: gawk-4.2.1-150000.3.3.1.x86_64 (Update repository with updates from SUSE Linux Enterprise 15)                                                          (8/16),   1.2 MiB
Retrieving: gawk-4.2.1-150000.3.3.1.x86_64.rpm .......................................................................................................................[done (5.5 MiB/s)]
Retrieving: libdbus-1-3-1.12.2-150400.18.8.1.x86_64 (Update repository with updates from SUSE Linux Enterprise 15)                                                 (9/16), 151.4 KiB
Retrieving: libdbus-1-3-1.12.2-150400.18.8.1.x86_64.rpm ..............................................................................................................[done (2.7 KiB/s)]
Retrieving: libldns2-1.7.0-150000.4.8.1.x86_64 (Update repository with updates from SUSE Linux Enterprise 15)                                                     (10/16), 142.4 KiB
Retrieving: libldns2-1.7.0-150000.4.8.1.x86_64.rpm ...............................................................................................................................[done]
Retrieving: libprocps7-3.3.15-150000.7.34.1.x86_64 (Update repository with updates from SUSE Linux Enterprise 15)                                                 (11/16),  52.0 KiB
Retrieving: libprocps7-3.3.15-150000.7.34.1.x86_64.rpm ...........................................................................................................................[done]
Retrieving: busybox-vi-1.35.0-150400.4.5.1.noarch (Update repository with updates from SUSE Linux Enterprise 15)                                                  (12/16),  10.4 KiB
Retrieving: busybox-vi-1.35.0-150400.4.5.1.noarch.rpm ............................................................................................................................[done]
Retrieving: busybox-util-linux-1.35.0-150400.4.5.1.noarch (Update repository with updates from SUSE Linux Enterprise 15)                                          (13/16),  14.3 KiB
Retrieving: busybox-util-linux-1.35.0-150400.4.5.1.noarch.rpm ....................................................................................................................[done]
Retrieving: procps-3.3.15-150000.7.34.1.x86_64 (Update repository with updates from SUSE Linux Enterprise 15)                                                     (14/16), 258.8 KiB
Retrieving: procps-3.3.15-150000.7.34.1.x86_64.rpm ...................................................................................................................[done (2.6 KiB/s)]
Retrieving: libpcap1-1.10.1-150400.1.7.x86_64 (Main Repository)                                                                                                   (15/16), 163.6 KiB
Retrieving: libpcap1-1.10.1-150400.1.7.x86_64.rpm ..................................................................................................................[done (542.8 KiB/s)]
Retrieving: ldns-1.7.0-150000.4.8.1.x86_64 (Update repository with updates from SUSE Linux Enterprise 15)                                                         (16/16), 161.9 KiB
Retrieving: ldns-1.7.0-150000.4.8.1.x86_64.rpm .......................................................................................................................[done (1.5 MiB/s)]

Checking for file conflicts: .....................................................................................................................................................[done]
( 1/17) Removing util-linux-2.37.2-150400.8.17.1.x86_64 ..........................................................................................................................[done]
( 2/17) Installing: libnl-config-3.3.0-1.29.noarch ...............................................................................................................................[done]
( 3/17) Installing: libwrap0-7.6-1.433.x86_64 ....................................................................................................................................[done]
( 4/17) Installing: openssl-1.1.1l-150400.1.5.noarch .............................................................................................................................[done]
( 5/17) Installing: libnl3-200-3.3.0-1.29.x86_64 .................................................................................................................................[done]
( 6/17) Installing: socat-1.7.3.2-4.10.x86_64 ....................................................................................................................................[done]
( 7/17) Installing: busybox-1.35.0-150400.3.11.1.x86_64 ..........................................................................................................................[done]
( 8/17) Installing: curl-8.0.1-150400.5.32.1.x86_64 ..............................................................................................................................[done]
update-alternatives: warning: forcing reinstallation of alternative /usr/bin/gawk because link group awk is broken
( 9/17) Installing: gawk-4.2.1-150000.3.3.1.x86_64 ...............................................................................................................................[done]
(10/17) Installing: libdbus-1-3-1.12.2-150400.18.8.1.x86_64 ......................................................................................................................[done]
(11/17) Installing: libldns2-1.7.0-150000.4.8.1.x86_64 ...........................................................................................................................[done]
(12/17) Installing: libprocps7-3.3.15-150000.7.34.1.x86_64 .......................................................................................................................[done]
(13/17) Installing: busybox-vi-1.35.0-150400.4.5.1.noarch ........................................................................................................................[done]
(14/17) Installing: busybox-util-linux-1.35.0-150400.4.5.1.noarch ................................................................................................................[done]
(15/17) Installing: procps-3.3.15-150000.7.34.1.x86_64 ...........................................................................................................................[done]
(16/17) Installing: libpcap1-1.10.1-150400.1.7.x86_64 ............................................................................................................................[done]
(17/17) Installing: ldns-1.7.0-150000.4.8.1.x86_64 ...............................................................................................................................[done]

5ba3cf72b69f:/ #

@polarathene : can we just remove util-linux w/o affecting the image?

drwetter commented 11 months ago

Also it looks to me like the EOL date is imminent:

I would just switch to 15.5 .

mig5 commented 11 months ago

> A Leap 15.4 system (no container) looked like it was patched ~a week ago:

I doubt they will have patched the specific curl vulnerability a week ago as that would have broken the embargo (the curl vuln was only announced to Linux distributions on Wednesday this week).

But it is true that often most OSs don't change the actual version number when they patch, they just apply the patch, so the version number might not be enough to go on. I don't know about SuSE but usually there are security bulletins/mailing lists that mention security updates, and the corrected SuSE-specific version number for curl (e.g in the package metadata) would be mentioned there.

> The arguments for curl in testssl.sh are partly user determinable only: It depends solely on the PROXYIP variable whose input in turn is being strongly validated:

Unfortunately with this vulnerability, it is not the input of the SOCKS parameters that is the problem (and the SOCKS proxy doesn't even need to be malicious) - it's that if using a SOCKS proxy (even a friendly one), the URL that you are accessing, if that turns out to be maliciously controlled, it can cause remote code execution on the client that requested it.

Anyway, glad to have got it on your radar, I imagine the update will trickle down from the parent image.

polarathene commented 11 months ago

> @polarathene : can we just remove util-linux w/o affecting the image?

IIRC I should have documented the need of each package somewhere in the past contributions to testssl.sh, it looks like it's used for the final stage to create the user account and symlinks (EDIT: here we go, the busybox packages provide hexdump and xxd) :

https://github.com/drwetter/testssl.sh/blob/b21c5ee7805630738a2f0253632fed0b3f1a4c06/Dockerfile#L29-L34

If you don't use busybox, the size will go up which was a concern for you at the time vs the Alpine image size.

Another alternative was to use the RUN --mount feature, but you were against this for requiring a release of Docker from 2022H2 at a minimum. Non-issue for the CI but you believed some users may be building from the Dockerfile themselves with older Docker releases.

IMO you could adjust the Dockerfile to be more modern like I originally proposed, and if any user raises an issue about compatibility building it, then revert to the current approach with a different solution (more image weight?).


That said, I had identified some compatibility issues with the suse base paired with the --installroot approach, since zypper relies on some mounts that aren't available with chroot environment or the sandbox that Docker provides by default IIRC.

Fedora didn't have those concerns for installing affected packages, but I believe was a fair bit larger as a base image due to less granular packages (in particular for xxd, which added around 30MB; you'd be better off with an alternative program but understandably that's less viable of a change to support?).

> Here comes the install command as in the Dockerfile which waits for a prompt despite --non-interactive install

I assume that's not happening during the image build, which would then probably be the difference of using -it (--interactive + --tty). Although I agree that seems odd to prompt when you provide the --non-interactive option, perhaps a bug with zypper? 🤷‍♂️

> Problem: the to be installed busybox-util-linux-1.35.0-150400.4.5.1.noarch conflicts with 'util-linux' provided by the installed util-linux-2.37.2-150400.8.17.1.x86_64
> Solution 1: deinstallation of util-linux-2.37.2-150400.8.17.1.x86_64
> Solution 2: do not install busybox-util-linux-1.35.0-150400.4.5.1.noarch

I'm curious what happens in the Dockerfile build if it implicitly chooses one of these. Presumably it's choice 1, as we are choosing to use the busybox alternative, and this is related to why we do the busybox step in the final image stage (since the package is installed into a new system root at a subdirectory, then copied over to the new stages actual filesystem root /).


> Also it looks to me like the EOL date is imminent

I have heard that there may be a 15.6 release, but SUSE has been talking up discontinuing the Leap series. It's a bit muddy with the future choices they're pursuing.

There was a recent announcement of a new offering called SlowRoll, which is meant to be a slower release snapshot of TumbleWeed. It is aimed at releasing every 1-2 months with bugfixes and CVE backports AFAIK.

Might be worthwhile to switch to that?

EDIT: I don't see any offering on DockerHub or the SUSE container registry. Might not be offered as a base image, there are container focused images like bci/bci-micro although I don't know too much about those, they seem to be daily snapshots based on the rolling release Tumbleweed.

Upgrading to 15.5 for now might be easiest, and within a year's time 15.6 if that becomes available. After that Fedora might be preferred if you want to stick to non-rolling release streams. Or Slowroll if that becomes available.

polarathene commented 11 months ago

Also possibly worth noting, I believe I raised this concern in the past:

https://github.com/drwetter/testssl.sh/blob/b21c5ee7805630738a2f0253632fed0b3f1a4c06/.github/workflows/docker-3.2.yml#L58-L59

The caching is useful for speeding up CI builds of the image, but if you don't have a scheduled build (eg: weekly) that ignores the cache and uploads the new cache, then you may have builds with the base image cached until that cache becomes stale / removed.

There is a scheduled build workflow (only valid for 3.2, the 3.0 equivalent is never run), but these just perform the same build, cache is not invalidated.


Alternatively you could probably remove the build ARG for the tag here:

https://github.com/drwetter/testssl.sh/blob/b21c5ee7805630738a2f0253632fed0b3f1a4c06/Dockerfile#L6

and have one of those dependency actions open PRs managing updates to a pinned digest instead of tag.


Either way, users won't get the update though if they just pull the same tag and a local copy exists, despite different digests. They have to force pull (--pull always), and eventually docker image prune to remove prior images as they accumulate storage.

drwetter commented 11 months ago

> I doubt they will have patched the specific curl vulnerability a week ago as that would have broken the embargo (the curl vuln was only announced to Linux distributions on Wednesday this week).

The changelog says so. I suppose they got the patch before. Strange because Debian was later. Maybe it has something to do with leap 15.4 being coupled to SLES 15 SP4 (suse linux enterprise 15, service pack 4).

drwetter commented 11 months ago

> I would just switch to 15.5 .

done via PR #2423

drwetter commented 11 months ago

> But it is true that often most OSs don't change the actual version number when they patch, they just apply the patch,

For opensuse/sles and RHEL+clones you can't tell by the version banner. That's a thing some pen testing tools and n00bs stumble over when doing banner grabbing remotely. But locally, as for Debian packages, you have the version of the package and in addition for RPMs there's a changelog included (rpm -qi --changelog) -- see above.

drwetter commented 11 months ago

Slowroll is IMO still rolling too fast. I am sick of Tumbleweed on one end device -- not because of suse -- but because of recent Linux changes which made one end device unusable (wireless doesn't work on one access point, hibernation doesn't work, sometimes even not suspend, ...). Even if that has zero to do with the docker image: I rather prefer stability for this project.

drwetter commented 11 months ago

Long story short:

util-linux needs to be removed before zypper in the other rpms. And a zypper up seems needed.

More see PR #2424. Thus I am closing this. Any improvement discussions are welcome though in a separate issue/PR.

polarathene commented 11 months ago

> util-linux needs to be removed before zypper in the other rpms . And a zypper up seems needed.

? util-linux should not be removed from the first stage. You're using --installroot, which is installing packages to a new "install"; the base image's packages are irrelevant as they're not being updated there. The --installroot option installs to a fresh new root location that we COPY in the final stage.

drwetter commented 11 months ago

@polarathene : you didn't get my point here. I am copying from above:

> Problem: the to be installed busybox-util-linux-1.35.0-150400.4.5.1.noarch conflicts with 'util-linux' provided by the installed util-linux-2.37.2-150400.8.17.1.x86_64
> Solution 1: deinstallation of util-linux-2.37.2-150400.8.17.1.x86_64
> Solution 2: do not install busybox-util-linux-1.35.0-150400.4.5.1.noarch

polarathene commented 11 months ago

> you didn't get my point here

I did as I'm referencing what you changed in the PR. Please pay attention to what my comment stated.

$ docker run --rm -it opensuse/leap:15.5 bash

# Setup default options for commands, and refresh repos + auto import gpg keys:
$ export ZYPPER_OPTIONS=( --releasever 15.5 --installroot /rootfs --cache-dir /tmp/cache/zypper )
$ zypper "${ZYPPER_OPTIONS[@]}" --gpg-auto-import-keys refresh
# Optional removing the repos not in use:
$ zypper lr
Repository priorities are without effect. All enabled repositories share the same priority.

#  | Alias                       | Name                                        | Enabled | GPG Check | Refresh
---+-----------------------------+---------------------------------------------+---------+-----------+--------
 1 | repo-backports-debug-update | Update repository with updates for openSU-> | No      | ----      | ----
 2 | repo-backports-update       | Update repository of openSUSE Backports     | Yes     | ( p) Yes  | Yes
 3 | repo-debug                  | Debug Repository                            | No      | ----      | ----
 4 | repo-debug-non-oss          | Debug Repository (Non-OSS)                  | No      | ----      | ----
 5 | repo-debug-update           | Update Repository (Debug)                   | No      | ----      | ----
 6 | repo-debug-update-non-oss   | Update Repository (Debug, Non-OSS)          | No      | ----      | ----
 7 | repo-non-oss                | Non-OSS Repository                          | Yes     | ( p) Yes  | Yes
 8 | repo-openh264               | Open H.264 Codec (openSUSE Leap)            | Yes     | ( p) Yes  | Yes
 9 | repo-oss                    | Main Repository                             | Yes     | ( p) Yes  | Yes
10 | repo-sle-debug-update       | Update repository with debuginfo for upda-> | No      | ----      | ----
11 | repo-sle-update             | Update repository with updates from SUSE -> | Yes     | ( p) Yes  | Yes
12 | repo-source                 | Source Repository                           | No      | ----      | ----
13 | repo-update                 | Main Update Repository                      | Yes     | ( p) Yes  | Yes
14 | repo-update-non-oss         | Update Repository (Non-Oss)                 | Yes     | ( p) Yes  | Yes

$ zypper removerepo repo-openh264 repo-non-oss repo-update-non-oss
Removing repository 'Non-OSS Repository' ...............................................................[done]
Repository 'Non-OSS Repository' has been removed.
Removing repository 'Open H.264 Codec (openSUSE Leap)' .................................................[done]
Repository 'Open H.264 Codec (openSUSE Leap)' has been removed.
Removing repository 'Update Repository (Non-Oss)' ......................................................[done]
Repository 'Update Repository (Non-Oss)' has been removed.
# The package install (no conflict exists with `util-linux`):
$ zypper "${ZYPPER_OPTIONS[@]}" --non-interactive install --download-in-advance --no-recommends \
       bash procps grep gawk sed coreutils busybox-util-linux busybox-vi ldns libidn2-0 socat openssl curl

Warning: Enforced setting: $releasever=15.5
Loading repository data...
Reading installed packages...
Resolving package dependencies...

The following 68 NEW packages are going to be installed:
  bash bash-sh busybox busybox-util-linux busybox-vi coreutils crypto-policies curl filesystem gawk glibc grep  info krb5 ldns libacl1 libattr1 libbrotlicommon1 libbrotlidec1 libbz2-1 libcap2 libcom_err2 libcrypt1
  libcurl4 libdbus-1-3 libgcc_s1 libgcrypt20 libgmp10 libgpg-error0 libidn2-0 libjitterentropy3 libkeyutils1
  libldap-2_4-2 libldap-data libldns2 liblz4-1 liblzma5 libncurses6 libnghttp2-14 libnl-config libnl3-200
  libopenssl1_1 libpcap1 libpcre1 libprocps7 libpsl5 libreadline7 libsasl2-3 libselinux1 libsepol1
  libssh-config libssh4 libstdc++6 libsystemd0 libunistring2 libverto1 libwrap0 libz1 libzio1 libzstd1 openssl  openssl-1_1 procps sed socat system-user-root terminfo-base update-alternatives

68 new packages to install.
Overall download size: 16.7 MiB. Already cached: 0 B. After the operation, additional 47.5 MiB will be used.
# Now check the curl package installed to `/rootfs` (_not the containers root_)
rpm --root /rootfs -qi curl | grep -Ei 'install|build'
Install Date: Sat Oct 14 08:57:40 2023
Build Date  : Wed Oct  4 10:11:55 2023
Build Host  : h01-ch4c

Notice that:


Please revert the change and remove the unwanted repos correctly as shown above.

If you want inline documentation for the Dockerfile (since you added some of that via that PR), you may be interested in the original commit proposed (which also clarifies the options + repo updating).
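Three points in this thread belong together: mig5's remark that distros backport fixes without bumping the upstream version (so "curl 8.0.1" alone proves nothing), drwetter's pointer to the RPM changelog as the local evidence, and polarathene's `rpm --root /rootfs -qi curl` check of the build root rather than the container's own root. The script below is an added example, not code from testssl.sh or from anyone in this thread. The changelog text embedded in it is constructed to resemble `rpm -q --changelog` output (the dates, author and bug reference are placeholders, not SUSE's real curl changelog); on a real system the functions would instead read `rpm -q --changelog curl`, or `rpm --root /rootfs -q --changelog curl` inside the image's first build stage.

```shell
#!/bin/sh
# Added example: decide whether an RPM's changelog records a fix for a CVE.
# SAMPLE_CHANGELOG is CONSTRUCTED to look like `rpm -q --changelog` output;
# dates, author and the bsc# reference are placeholders, not SUSE's real data.
SAMPLE_CHANGELOG='* Wed Oct 04 2023 packager@example.invalid
- Security fix: [CVE-2023-38545, bsc#PLACEHOLDER]
  * SOCKS5 heap buffer overflow
  * Added curl-CVE-2023-38545.patch
* Wed Jul 12 2023 packager@example.invalid
- Security fix: [CVE-2023-32001]
  * fopen race condition
'

# cve_fix_entry CVE-ID [CHANGELOG]
# Prints the "* <date> <author>" header of the newest changelog entry that
# mentions CVE-ID, or nothing if none does. The changelog comes from the
# second argument when given, otherwise from stdin, so it can be fed by
# `rpm -q --changelog PKG` or `rpm --root /rootfs -q --changelog PKG`.
cve_fix_entry() {
    cve_id="$1"
    if [ $# -ge 2 ]; then printf '%s\n' "$2"; else cat; fi |
        awk -v cve="$cve_id" '
            /^\* / { header = $0; next }                        # entry header
            header != "" && index($0, cve) { print header; exit }
        '
}

# is_patched CVE-ID [CHANGELOG]
# Exit status 0 when some changelog entry mentions CVE-ID, 1 otherwise.
is_patched() {
    [ -n "$(cve_fix_entry "$@")" ]
}

# fixed_cves < CHANGELOG
# Lists every CVE id the changelog mentions, one per line, deduplicated.
fixed_cves() {
    grep -oE 'CVE-[0-9]{4}-[0-9]{4,}' | sort -u
}

# Demonstration on the constructed sample. CVE-0000-0000 is a placeholder id
# that no entry mentions. To check a live system, replace "$SAMPLE_CHANGELOG"
# with the output of `rpm -q --changelog curl`.
for cve in CVE-2023-38545 CVE-0000-0000; do
    if is_patched "$cve" "$SAMPLE_CHANGELOG"; then
        echo "$cve: fixed, see entry: $(cve_fix_entry "$cve" "$SAMPLE_CHANGELOG")"
    else
        echo "$cve: no changelog entry mentions it"
    fi
done
echo "All CVE ids in the changelog:"
printf '%s\n' "$SAMPLE_CHANGELOG" | fixed_cves
```

A CVE id in the changelog is the vendor's own statement that the backport was applied, which is exactly what the upstream version string cannot tell you. Running the same check against the build root (`rpm --root /rootfs -q --changelog curl | is_patched CVE-2023-38545 || exit 1`) at the end of the image's first stage turns a silently stale base layer or cached CI build into a failed build instead of a shipped image.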