More frequent Docker image builds #33
Comments
|
Gotcha, thanks for the report! To be honest, I've been far too busy to maintain this image as much as I would like. :( I'll add a formal notice on the |
|
Oh no. I thought you had a more efficient approach than that project; we have been running it in production for nearly a year! But I understand that time is precious. It will take us some time to test and move back to the kiwigrid one. Could you do me a solid favor, and just bump the version on this one more time when you change the README (say to 1.5.0), so we can get a fresh docker build? It's important for compliance reports. |
|
Thanks! It means alot to know this little fork helped someone! As someone who deals with similar compliance regulations, I 100% understand... I don't want to abuse semver so I think I'll just release a new |
|
Yes, that works! |
Github actions completed. Image |
This repo is pretty stable, so it will sit on the same version for many months. The problem is that the Docker image is not getting rebuilt periodically, so we are not refreshing the python:3.8-alpine base layer to pick up CVE security fixes in the underlying alpine image.
Simply building and pushing a new docker tag every week or so would be sufficient to help with this. You would have to incorporate a build counter of some sort. It would be something like:
1.4.0-1,1.4.0-2,1.4.0-3. And then you would still have your existing1.4.0tag, but it would always point at the latest docker image for 1.4.0. You can see similar patterns for this in other projects. Take Kafka for example, it actually runs a docker build daily for each version:2.8.1-debian-10-r191,2.8.1-debian-10-r192,2.8.1-debian-10-r193, and then they also push a tag for 2.8.1 that maps to whatever the latest 2.8.1 is.https://hub.docker.com/r/bitnami/kafka/tags?page=1&name=2.8.1
The minimal, near term request is simply one more docker build in the near future 🙏
Reference:
Current CVEs against 1.4.0 are for
alpine-3.14.2CVE-2022-23852 -
Expat (aka libexpat) before 2.4.4 has a signed integer overflow in XML_GetBuffer, for configurations with a nonzero XML_CONTEXT_BYTES.CVE-2022-23990 -
Expat (aka libexpat) before 2.4.4 has an integer overflow in the doProlog function.CVE-2022-25236 -
xmlparse.c in Expat (aka libexpat) before 2.4.5 allows attackers to insert namespace-separator characters into namespace URIs.CVE-2022-25314 -
In Expat (aka libexpat) before 2.4.5, there is an integer overflow in copyString.CVE-2022-25235 -
xmltok_impl.c in Expat (aka libexpat) before 2.4.5 lacks certain validation of encoding, such as checks for whether a UTF-8 character is valid in a certain context.CVE-2022-25315 -
In Expat (aka libexpat) before 2.4.5, there is an integer overflow in storeRawNames.CVE-2021-42375 -
An incorrect handling of a special element in Busybox\'s ash applet leads to denial of service when processing a crafted shell command, due to the shell mistaking specific characters for reserved characters. This may be used for DoS under rare conditions of filtered command input.CVE-2021-42374 -
An out-of-bounds heap read in Busybox\'s unlzma applet leads to information leak and denial of service when crafted LZMA-compressed input is decompressed. This can be triggered by any applet/format thatThe text was updated successfully, but these errors were encountered: