~alpine/aports

RE: Alpine aports issue #11820

Weiss, Eric (LNG-RDU) <eric.weiss@lexisnexis.com>
Message ID: <DM6PR08MB410806B06D95CB588C32BA8DFF480@DM6PR08MB4108.namprd08.prod.outlook.com>
DKIM signature: missing

This morning I opened an issue against the alpine aports repo based upon a current issue we are experiencing with respect to alpine 3.11/3.12.  You can view it here: https://gitlab.alpinelinux.org/alpine/aports/-/issues/11820

We run a number of services utilizing the Microsoft dotnet core runtime base image using alpine 3.11/3.12. One of the policies we perform on each container build is to scan the resulting output image using twistlock. Within the last few days, our image pipelines began failing due to a high vulnerability flagged and referenced by CVE-2018-1000500 (https://nvd.nist.gov/vuln/detail/CVE-2018-1000500#vulnCurrentDescriptionTitle) which is encountered with any busybox version < 1.32.0.

Since I noticed that a fix has been committed to correct this issue by referencing busybox 1.32.0, I am inquiring as to the timeframe in which a patch release could be provided. In the meantime, we have found a workaround for the issue by removing the symbolic link between /usr/bin/wget and busybox.

Regards,
Eric Weiss