Update 3.18.4 image to fix new CVE CVE-2023-5363
Mirroring GitHub issue to source of truth here.
Trivy scan of 3.18.4 official image:
$ trivy image alpine:latest
2023-11-06T02:06:07.665Z INFO Vulnerability scanning is enabled
2023-11-06T02:06:07.665Z INFO Secret scanning is enabled
2023-11-06T02:06:07.665Z INFO If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2023-11-06T02:06:07.665Z INFO Please see also https://aquasecurity.github.io/trivy/v0.45/docs/scanner/secret/#recommendation for faster secret detection
2023-11-06T02:06:15.026Z INFO Detected OS: alpine
2023-11-06T02:06:15.026Z INFO Detecting Alpine vulnerabilities...
2023-11-06T02:06:15.028Z INFO Number of language-specific files: 0
alpine:latest (alpine 3.18.4)
Total: 2 (UNKNOWN: 0, LOW: 0, MEDIUM: 2, HIGH: 0, CRITICAL: 0)
┌────────────┬───────────────┬──────────┬────────┬───────────────────┬───────────────┬───────────────────────────────────────────────┐
│ Library │ Vulnerability │ Severity │ Status │ Installed Version │ Fixed Version │ Title │
├────────────┼───────────────┼──────────┼────────┼───────────────────┼───────────────┼───────────────────────────────────────────────┤
│ libcrypto3 │ CVE-2023-5363 │ MEDIUM │ fixed │ 3.1.3-r0 │ 3.1.4-r0 │ Incorrect cipher key and IV length processing │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2023-5363 │
├────────────┤ │ │ │ │ │ │
│ libssl3 │ │ │ │ │ │ │
│ │ │ │ │ │ │ │
└────────────┴───────────────┴──────────┴────────┴───────────────────┴───────────────┴───────────────────────────────────────────────┘
In a 3.18.4-based Dockerfile, doing this fixes this issue:
RUN apk update && apk upgrade --no-cache libcrypto3 libssl3
Is it possible to push out a fresh image? Thank you.