I stumbled upon a tricky situation: I read on the Docker Alpine main page that the image is getting updated every month for minor versions/security fixes. Packages with CVEs are not updated for the stable version (v3.17.*) but are on the edge version.

I know that there is the possibility to update a package by specifying the release version like apk add git --repository=https://dl-cdn.alpinelinux.org/alpine/edge/community. I won't do it though because edge is not stable.

Here is my real life situation:

Using Docker Alpine 3.17.3, the git package is on version 2.38.4-r1 (suffering from CVE-2022-23521). The fixed version is 2.39.1-r0 but is on edge.

Should I simply live with the fact that my CI is complaining and wait for the fix(es) to be available on a stable release? What is the best approach?

Kaymaz

1 Answer

This CVE may result in remote code execution and is categorized as critical. I think that it is better to use the "unstable" version than to leave your service exposed to it. Just check if there are any known vulnerabilities in the version you want to install.

Because git is in the main branch (not community), you can install the edge version like this:

apk add git --repository=https://dl-cdn.alpinelinux.org/alpine/edge/main

As of today, it will install git 2.40.1-r0.

There are many other options, like building git from source at your preferred version in a multistage build, using a different distribution, or finding an older version of the git package that doesn't contain any security issues; it will be much more tested/stable.

mpiliszcz
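Whichever route you take (edge package, older package, source build), the check that matters is whether the version that ends up in the image is at or above the fixed version. The script below is an added example, not part of the thread: it compares two Alpine apk version strings of the form PKGVER-rN and uses the versions quoted above (2.38.4-r1 installed, 2.39.1-r0 fixed, 2.40.1-r0 on edge) as constructed sample input.

```shell
#!/bin/sh
# Compare Alpine apk versions of the form PKGVER-rN (e.g. 2.38.4-r1) and
# report whether an installed version already carries a given fix.
# Assumption: purely numeric dot-separated PKGVER (no _p/_alpha suffixes),
# up to four components; a missing -rN revision is treated as -r0.

# apk_ver_ge INSTALLED FIXED: return 0 when INSTALLED >= FIXED.
apk_ver_ge() {
    inst_ver=${1%-r*}; inst_rel=${1##*-r}
    fix_ver=${2%-r*};  fix_rel=${2##*-r}
    [ "$inst_rel" = "$1" ] && inst_rel=0   # no -rN suffix present
    [ "$fix_rel" = "$2" ] && fix_rel=0

    # Split PKGVER on dots; pad missing components with 0.
    set -- $(printf '%s' "$inst_ver" | tr . ' ')
    a1=${1:-0} a2=${2:-0} a3=${3:-0} a4=${4:-0}
    set -- $(printf '%s' "$fix_ver" | tr . ' ')
    b1=${1:-0} b2=${2:-0} b3=${3:-0} b4=${4:-0}

    # Compare component by component, then the package revision.
    for pair in "$a1 $b1" "$a2 $b2" "$a3 $b3" "$a4 $b4" "$inst_rel $fix_rel"; do
        set -- $pair
        [ "$1" -gt "$2" ] && return 0
        [ "$1" -lt "$2" ] && return 1
    done
    return 0   # identical versions count as fixed
}

# cve_status INSTALLED FIXED: print "fixed" or "vulnerable".
cve_status() {
    if apk_ver_ge "$1" "$2"; then echo fixed; else echo vulnerable; fi
}

# Demo with constructed input taken from the thread. On a real image the
# installed version would come from `apk info -v | grep '^git-'` instead.
demo() {
    fixed_in=2.39.1-r0   # version named in the thread as carrying the fix
    for v in 2.38.4-r1 2.39.1-r0 2.40.1-r0; do
        printf 'git-%s vs fix %s: %s\n' "$v" "$fixed_in" "$(cve_status "$v" "$fixed_in")"
    done
}

demo
```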