Security issue of image nginxinc/nginx-unprivileged:mainline-alpine

[art045661489]

I use nginxinc/nginx-unprivileged:mainline-alpine as base image and i found that the package name "libxpm-3.5.16-r1" is installed as shown in the picture below.

After i check carefully, I found that the package have mentioned in vulnerability with
CVE-2023-43788: https://security.alpinelinux.org/vuln/CVE-2023-43788
and CVE-2023-43789: https://security.alpinelinux.org/vuln/CVE-2023-43789

I try to solve this problem by delete/upgrade libxpm with command 'apk upgrade| ' but unfortunately i got an error permission denied.

I will appreciate it if you have any suggestion/solution.

thank you

[alessfg]

Hey @art045661489! Couple things:

• Per our Security policy, https://github.com/nginxinc/docker-nginx-unprivileged/blob/main/SECURITY.md, libxpm is not considered a critical package, so the standard process would be to wait until the images get automatically rebuilt.
• The CVEs you listed only have a fix available in Alpine 3.19, and these images are running on Alpine 3.18. I would assume the fix will make its way to Alpine 3.18 soonish since it's a supported release, which is more the reason to wait until the images get automatically rebuilt next Sunday night.

If you want to solve the problem right now yourself, my suggestion would be to grab the Dockerfile here https://github.com/nginxinc/docker-nginx-unprivileged/blob/main/mainline/alpine-slim/Dockerfile, and change https://github.com/nginxinc/docker-nginx-unprivileged/blob/main/mainline/alpine-slim/Dockerfile#L6C11-L6C22 to alpine:3.19.

Once you rebuild the image, you should have an upgraded libxpm package (assuming the CVE fix has made its way to the base Alpine 3.19 Docker image).

[art045661489]

Do Nginx rebuild their images on sunday every week?

[alessfg]

The "core" NGINX Docker images are rebuilt on a more frequent basis (they are part of the official Docker library). These images are rebuilt every Sunday night/Monday at midnight UTC so as to keep the frequency of image updates somewhat sensible.

I should note that in this specific case, libxpm is classified as only "possibly vulnerable" on Alpine 3.18, so there's a chance the fixes will not be backported. For now I think the best course of action is to wait and see. You should still be able to use these images without any issues as long as you keep their usage to NGINX.