Closed esn89 closed 1 year ago
`5.0.x` is end of life; it is not being updated anymore: https://github.com/docker-library/redis/pull/333
`5.0.x` then it should probably at least be the latest version of it, `5.0.14`.
`5.0.6-alpine` is based on Alpine 3.10 and is over 4 years old, but it already has the fixed version for CVE-2018-1000500 (https://gitlab.alpinelinux.org/alpine/aports/-/blob/3.10-stable/main/busybox/APKBUILD#L61):
```console
$ docker run -it --rm redis:5.0.6-alpine sh
Unable to find image 'redis:5.0.6-alpine' locally
5.0.6-alpine: Pulling from library/redis
89d9c30c1d48: Pull complete
b2eb22a0b7db: Pull complete
c5ccbdf10203: Pull complete
29dc5d38440e: Pull complete
a9bfccb1acb4: Pull complete
ae61c5711cf8: Pull complete
Digest: sha256:27e139dd0476133961d36e5abdbbb9edf9f596f80cc2f9c2e8f37b20b91d610d
Status: Downloaded newer image for redis:5.0.6-alpine
/data # apk info busybox
WARNING: Ignoring APKINDEX.00740ba1.tar.gz: No such file or directory
WARNING: Ignoring APKINDEX.d8b2a6f4.tar.gz: No such file or directory
busybox-1.30.1-r2 description:
Size optimized toolbox of many common UNIX utilities
busybox-1.30.1-r2 webpage: https://busybox.net/
busybox-1.30.1-r2 installed size: 942080
/data #
```
If there are Alpine package updates available, then an `apk upgrade --no-cache` in your own image would give you the most up-to-date packages.
There is a high vulnerability discovered here: https://snyk.io/test/docker/redis%3A5.0.6-alpine#SNYK-ALPINE310-BUSYBOX-1090151
Can this be patched for those who are using this image?