From: "Weiss, Eric (LNG-RDU)"
To: "alpine-aports@lists.alpinelinux.org"
Subject: RE: Alpine aports issue #11820
Date: Thu, 6 Aug 2020 16:05:37 +0000

This morning I opened an issue against the alpine aports repo based upon a current issue we are experiencing with respect to alpine 3.11/3.12. You can view it here: https://gitlab.alpinelinux.org/alpine/aports/-/issues/11820

We run a number of services utilizing the Microsoft dotnet core runtime base image using alpine 3.11/3.12. One of the policies we perform on each container build is to scan the resulting output image using twistlock.
Within the last few days, our image pipelines began failing due to a high vulnerability flagged and referenced by CVE-2018-1000500 (https://nvd.nist.gov/vuln/detail/CVE-2018-1000500#vulnCurrentDescriptionTitle) which is encountered with any busybox version < 1.32.0.

Since I noticed that a fix has been committed to correct this issue by referencing busybox 1.32.0, I am inquiring as to the timeframe in which a patch release could be provided? In the meantime, we have found a workaround for the issue by removing the symbolic link between /usr/bin/wget and busybox.

Regards,
Eric Weiss
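A guarded form of the workaround described in the message above, as an added example that is not part of the original email: it removes /usr/bin/wget only when that path is a symlink to busybox, so a separately installed wget is left in place. The function names and the root-directory argument are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original email): guarded removal of the
# /usr/bin/wget -> busybox symlink in an image root filesystem.
# Usage in an image build step: unlink_busybox_wget /

# Print the final path component of a symlink's target.
# Returns 1 (and prints nothing) when the path is not a symlink.
link_target_name() {
    [ -L "$1" ] || return 1
    basename "$(readlink "$1")"
}

# Remove ROOT/usr/bin/wget only when it is a symlink to busybox.
# Returns 0 if the link was removed or was already absent,
# and 2 if wget is something else (a real binary), which is left alone.
unlink_busybox_wget() {
    root=${1:-/}
    wget_path="${root%/}/usr/bin/wget"

    # Nothing to do when the path does not exist at all. The -L test also
    # catches dangling links, which -e alone reports as missing.
    if [ ! -e "$wget_path" ] && [ ! -L "$wget_path" ]; then
        echo "absent: $wget_path"
        return 0
    fi

    if [ "$(link_target_name "$wget_path")" = "busybox" ]; then
        rm -f -- "$wget_path"
        echo "removed: $wget_path"
        return 0
    fi

    echo "kept: $wget_path is not a busybox symlink" >&2
    return 2
}
```

The function only removes the PATH entry: the applet stays compiled into the busybox binary and can still be invoked as `busybox wget`.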