musl vulnerability in alpine

[molepigeon]

Hi, our vulnerability scanning tool detected a version of musl that's affected by CVE-2019-14697 in docker:18.09.8-dind. It appears that a fix is available through apk upgrade.

[wglambert]

See docker-library/postgres#286 (comment) docker-library/openjdk#161, docker-library/openjdk#112, docker-library/postgres#286, docker-library/drupal#84, docker-library/official-images#2740, docker-library/ruby#117, docker-library/ruby#94, docker-library/python#152, docker-library/php#242, docker-library/buildpack-deps#46, docker-library/openjdk#185.
And https://github.com/docker-library/faq#why-does-my-security-scanner-show-that-an-image-has-so-many-cves

A CVE doesn't imply having an actual vulnerability, and often is even a false positive (given how most distributions handle versioning/security updates in stable releases). If there are actionable items we can resolve, we're happy to do so (and do so actively). We update all Debian based images to include any updates in apt packages at least monthly (we regenerate the base images and then rebuild all dependent images).

---

Looks like this hasn't been patched yet so there's nothing actionable we can do. As we'll only apply out-of-branch patch's when absolutely necessary

The bug is present in all versions after 0.9.12, up through the current (1.1.23) release. Only 32-bit x86 systems (aka IA32, musl's "i386" arch) are affected. Users of other archs, including x86_64, can safely ignore this issue.

[yosifkit]

A couple other links: upstream tracker here; the fix was already deployed to the edge image (docker-library/official-images#6437). I can only speculate as to why the rest of the images were not fixed at the same time. My best guess is that because it only effects i386, it was deemed low enough impact to not necessitate a rebuild of all child images.

[tianon]

Closing in favor of alpinelinux/docker-alpine#34.