yukimochi / Activity-Relay

Yet another powerful customizable ActivityPub relay server written in Go.
https://relay.toot.yukimochi.jp/
GNU Affero General Public License v3.0

Update Alpine to fix a number of CVEs #84

Closed mhamzahkhan closed 1 year ago

mhamzahkhan commented 1 year ago

This is a tiny PR just updating the version of Alpine.

There are a number of flagged CVEs in alpine 3.17.2:

ghcr.io/yukimochi/activity-relay/activity-relay:v2.0.2 (alpine 3.17.2)

Total: 10 (UNKNOWN: 0, LOW: 0, MEDIUM: 6, HIGH: 4, CRITICAL: 0)

┌────────────┬───────────────┬──────────┬───────────────────┬───────────────┬────────────────────────────────────────────────────────────┐
│  Library   │ Vulnerability │ Severity │ Installed Version │ Fixed Version │                           Title                            │
├────────────┼───────────────┼──────────┼───────────────────┼───────────────┼────────────────────────────────────────────────────────────┤
│ libcrypto3 │ CVE-2023-0464 │ HIGH     │ 3.0.8-r0          │ 3.0.8-r1      │ Denial of service by excessive resource usage in verifying │
│            │               │          │                   │               │ X509 policy constraints...                                 │
│            │               │          │                   │               │ https://avd.aquasec.com/nvd/cve-2023-0464                  │
│            ├───────────────┤          │                   ├───────────────┼────────────────────────────────────────────────────────────┤
│            │ CVE-2023-2650 │          │                   │ 3.0.9-r0      │ Possible DoS translating ASN.1 object identifiers          │
│            │               │          │                   │               │ https://avd.aquasec.com/nvd/cve-2023-2650                  │
│            ├───────────────┼──────────┤                   ├───────────────┼────────────────────────────────────────────────────────────┤
│            │ CVE-2023-0465 │ MEDIUM   │                   │ 3.0.8-r2      │ Invalid certificate policies in leaf certificates are      │
│            │               │          │                   │               │ silently ignored                                           │
│            │               │          │                   │               │ https://avd.aquasec.com/nvd/cve-2023-0465                  │
│            ├───────────────┤          │                   ├───────────────┼────────────────────────────────────────────────────────────┤
│            │ CVE-2023-0466 │          │                   │ 3.0.8-r3      │ Certificate policy check not enabled                       │
│            │               │          │                   │               │ https://avd.aquasec.com/nvd/cve-2023-0466                  │
│            ├───────────────┤          │                   ├───────────────┼────────────────────────────────────────────────────────────┤
│            │ CVE-2023-1255 │          │                   │ 3.0.8-r4      │ Input buffer over-read in AES-XTS implementation on 64 bit │
│            │               │          │                   │               │ ARM                                                        │
│            │               │          │                   │               │ https://avd.aquasec.com/nvd/cve-2023-1255                  │
├────────────┼───────────────┼──────────┤                   ├───────────────┼────────────────────────────────────────────────────────────┤
│ libssl3    │ CVE-2023-0464 │ HIGH     │                   │ 3.0.8-r1      │ Denial of service by excessive resource usage in verifying │
│            │               │          │                   │               │ X509 policy constraints...                                 │
│            │               │          │                   │               │ https://avd.aquasec.com/nvd/cve-2023-0464                  │
│            ├───────────────┤          │                   ├───────────────┼────────────────────────────────────────────────────────────┤
│            │ CVE-2023-2650 │          │                   │ 3.0.9-r0      │ Possible DoS translating ASN.1 object identifiers          │
│            │               │          │                   │               │ https://avd.aquasec.com/nvd/cve-2023-2650                  │
│            ├───────────────┼──────────┤                   ├───────────────┼────────────────────────────────────────────────────────────┤
│            │ CVE-2023-0465 │ MEDIUM   │                   │ 3.0.8-r2      │ Invalid certificate policies in leaf certificates are      │
│            │               │          │                   │               │ silently ignored                                           │
│            │               │          │                   │               │ https://avd.aquasec.com/nvd/cve-2023-0465                  │
│            ├───────────────┤          │                   ├───────────────┼────────────────────────────────────────────────────────────┤
│            │ CVE-2023-0466 │          │                   │ 3.0.8-r3      │ Certificate policy check not enabled                       │
│            │               │          │                   │               │ https://avd.aquasec.com/nvd/cve-2023-0466                  │
│            ├───────────────┤          │                   ├───────────────┼────────────────────────────────────────────────────────────┤
│            │ CVE-2023-1255 │          │                   │ 3.0.8-r4      │ Input buffer over-read in AES-XTS implementation on 64 bit │
│            │               │          │                   │               │ ARM                                                        │
│            │               │          │                   │               │ https://avd.aquasec.com/nvd/cve-2023-1255                  │
└────────────┴───────────────┴──────────┴───────────────────┴───────────────┴────────────────────────────────────────────────────────────┘
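
An added example, not part of this PR or of the Activity-Relay code base: it parses a trivy table in the shape shown above, derives the minimum apk version of each package that closes every listed CVE, and reports which CVEs would remain open for a given set of installed versions (as one would read them from the rebuilt image). The sample rows are constructed from the table above, and the apk version ordering is a simplified approximation (dotted numerics, then the `-rN` release) that is sufficient for the versions listed here.

```python
import re

# Constructed sample in the layout of the trivy output above (titles shortened).
# trivy merges repeated cells, so Library/Installed are blank on continuation rows.
TRIVY_TABLE = """\
│  Library   │ Vulnerability │ Severity │ Installed Version │ Fixed Version │ Title         │
│ libcrypto3 │ CVE-2023-0464 │ HIGH     │ 3.0.8-r0          │ 3.0.8-r1      │ DoS in X509   │
│            │ CVE-2023-2650 │          │                   │ 3.0.9-r0      │ DoS in ASN.1  │
│            │ CVE-2023-0465 │ MEDIUM   │                   │ 3.0.8-r2      │ Policies      │
│ libssl3    │ CVE-2023-0464 │ HIGH     │                   │ 3.0.8-r1      │ DoS in X509   │
│            │ CVE-2023-1255 │ MEDIUM   │                   │ 3.0.8-r4      │ AES-XTS read  │
"""


def apk_version_key(version):
    """Simplified apk ordering: numeric dotted part, then the -rN release.
    Good enough for 3.0.8-rN style versions; real apk also orders suffixes like _p1."""
    base, _, rel = version.partition("-r")
    return tuple(int(p) for p in re.findall(r"\d+", base)), int(rel or 0)


def parse_trivy_table(text):
    """Return {package: {cve: fixed_version}} from trivy's box-drawn table."""
    findings, pkg = {}, None
    for line in text.splitlines():
        if not line.startswith("│"):
            continue  # border rows
        cells = [c.strip() for c in line.strip("│").split("│")]
        if len(cells) < 5 or not cells[1].startswith("CVE-"):
            continue  # header row or a wrapped title/URL line
        if cells[0]:
            pkg = cells[0]  # a new package starts; blank means "same as above"
        if pkg is not None:
            findings.setdefault(pkg, {})[cells[1]] = cells[4]
    return findings


def required_versions(findings):
    """Lowest version per package that closes every listed CVE (max of fixed versions)."""
    return {pkg: max(fixes.values(), key=apk_version_key) for pkg, fixes in findings.items()}


def unfixed(findings, installed):
    """CVEs still open given {package: installed_version}; missing package counts as open."""
    open_cves = {}
    for pkg, fixes in findings.items():
        have = installed.get(pkg)
        for cve, fixed in fixes.items():
            if have is None or apk_version_key(have) < apk_version_key(fixed):
                open_cves.setdefault(pkg, []).append(cve)
    return open_cves
```

Feeding it the package versions from the rebuilt image shows at a glance whether the base-image bump actually reached the fixed versions the scanner asked for.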

codecov-commenter commented 1 year ago

Codecov Report

Patch and project coverage have no change.

Comparison is base (2fbb4f0) 61.73% compared to head (a5d837b) 61.73%.


Additional details and impacted files

```diff
@@            Coverage Diff            @@
##           master      #84   +/-   ##
=======================================
  Coverage   61.73%   61.73%
=======================================
  Files          16       16
  Lines        1487     1487
=======================================
  Hits          918      918
  Misses        516      516
  Partials       53       53
```

:umbrella: View full report in Codecov by Sentry.

yukimochi commented 1 year ago

Thank you for your PR!