[Bug] Install security patches in docker images #249

Open
wennergr opened this issue Nov 6, 2024 · 2 comments
Labels
bug Something isn't working

Comments

@wennergr

wennergr commented Nov 6, 2024

What are you really trying to do?

Run temporalio docker images in an environment with SLA for patching security vulnerabilities

Describe the bug

Running a vulnerability scanner against your recent public docker images shows many old vulnerabilities with patches available.

For example:

# grype temporalio/auto-setup:latest
 ✔ Vulnerability DB                [no update available]  
 ✔ Parsed image                                                                                                   sha256:52107cbeb4cb436feef6fce7eb8b3b69ca539099586682a5bdb776d28dbadb7b
 ✔ Cataloged contents                                                                                                    5ded19afd287a871fed166a290008ded8755c8817378074ed0194293eaec7896
   ├── ✔ Packages                        [616 packages]  
   ├── ✔ File digests                    [1,030 files]  
   ├── ✔ File metadata                   [1,030 locations]  
   └── ✔ Executables                     [74 executables]  
 ✔ Scanned for vulnerabilities     [49 vulnerability matches]  
   ├── by severity: 2 critical, 7 high, 27 medium, 5 low, 0 negligible (8 unknown)
   └── by status:   48 fixed, 1 not-fixed, 0 ignored 
NAME                                                                         INSTALLED                              FIXED-IN    TYPE       VULNERABILITY        SEVERITY 
busybox                                                                      1.36.1-r15                             1.36.1-r16  apk        CVE-2023-42366       Medium    
busybox                                                                      1.36.1-r15                             1.36.1-r19  apk        CVE-2023-42365       Medium    
busybox                                                                      1.36.1-r15                             1.36.1-r19  apk        CVE-2023-42364       Medium    
busybox                                                                      1.36.1-r15                             1.36.1-r17  apk        CVE-2023-42363       Medium    
busybox-binsh                                                                1.36.1-r15                             1.36.1-r16  apk        CVE-2023-42366       Medium    
busybox-binsh                                                                1.36.1-r15                             1.36.1-r19  apk        CVE-2023-42365       Medium    
busybox-binsh                                                                1.36.1-r15                             1.36.1-r19  apk        CVE-2023-42364       Medium    
busybox-binsh                                                                1.36.1-r15                             1.36.1-r17  apk        CVE-2023-42363       Medium    
c-ares                                                                       1.24.0-r1                              1.27.0-r0   apk        CVE-2024-25629       Medium    
curl                                                                         8.5.0-r0                               8.9.0-r0    apk        CVE-2024-6197        High      
curl                                                                         8.5.0-r0                               8.7.1-r0    apk        CVE-2024-2398        High      
curl                                                                         8.5.0-r0                               8.10.0      apk        CVE-2024-8096        Medium    
curl                                                                         8.5.0-r0                               8.9.1       apk        CVE-2024-7264        Medium    
curl                                                                         8.5.0-r0                               8.9.0-r0    apk        CVE-2024-6874        Medium    
curl                                                                         8.5.0-r0                               8.7.1-r0    apk        CVE-2024-2466        Medium    
curl                                                                         8.5.0-r0                               8.6.0-r0    apk        CVE-2024-0853        Medium    
curl                                                                         8.5.0-r0                               8.7.1-r0    apk        CVE-2024-2004        Low       
curl                                                                         8.5.0-r0                               8.7.1-r0    apk        CVE-2024-2379        Unknown   
github.com/golang-jwt/jwt/v4                                                 v4.5.0                                 4.5.1       go-module  GHSA-29wx-vh33-7x7r  Low       
go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc  v0.36.4                                0.46.0      go-module  GHSA-8pgv-569h-w5rw  High      
go.temporal.io/server                                                        v1.18.1-0.20230217005328-b313b7f58641  1.20.0      go-module  GHSA-gm2g-2xr9-pxxj  Low       
golang.org/x/crypto                                                          v0.14.0                                0.17.0      go-module  GHSA-45x7-px36-x8w8  Medium    
golang.org/x/net                                                             v0.17.0                                0.23.0      go-module  GHSA-4v7x-pqxf-cx7m  Medium    
gopkg.in/square/go-jose.v2                                                   v2.6.0                                             go-module  GHSA-c5q2-7r4c-mv6g  Medium    
libcrypto3                                                                   3.1.4-r5                               3.1.6-r0    apk        CVE-2024-5535        Critical  
libcrypto3                                                                   3.1.4-r5                               3.1.7-r0    apk        CVE-2024-6119        High      
libcrypto3                                                                   3.1.4-r5                               3.1.5-r0    apk        CVE-2024-4603        Medium    
libcrypto3                                                                   3.1.4-r5                               3.1.7-r1    apk        CVE-2024-9143        Unknown   
libcrypto3                                                                   3.1.4-r5                               3.1.6-r0    apk        CVE-2024-4741        Unknown   
libcrypto3                                                                   3.1.4-r5                               3.1.4-r6    apk        CVE-2024-2511        Unknown   
libcurl                                                                      8.5.0-r0                               8.9.0-r0    apk        CVE-2024-6197        High      
libcurl                                                                      8.5.0-r0                               8.7.1-r0    apk        CVE-2024-2398        High      
libcurl                                                                      8.5.0-r0                               8.9.0-r0    apk        CVE-2024-6874        Medium    
libcurl                                                                      8.5.0-r0                               8.7.1-r0    apk        CVE-2024-2466        Medium    
libcurl                                                                      8.5.0-r0                               8.6.0-r0    apk        CVE-2024-0853        Medium    
libcurl                                                                      8.5.0-r0                               8.7.1-r0    apk        CVE-2024-2004        Low       
libcurl                                                                      8.5.0-r0                               8.7.1-r0    apk        CVE-2024-2379        Unknown   
libssl3                                                                      3.1.4-r5                               3.1.6-r0    apk        CVE-2024-5535        Critical  
libssl3                                                                      3.1.4-r5                               3.1.7-r0    apk        CVE-2024-6119        High      
libssl3                                                                      3.1.4-r5                               3.1.5-r0    apk        CVE-2024-4603        Medium    
libssl3                                                                      3.1.4-r5                               3.1.7-r1    apk        CVE-2024-9143        Unknown   
libssl3                                                                      3.1.4-r5                               3.1.6-r0    apk        CVE-2024-4741        Unknown   
libssl3                                                                      3.1.4-r5                               3.1.4-r6    apk        CVE-2024-2511        Unknown   
nghttp2-libs                                                                 1.58.0-r0                              1.61.0      apk        CVE-2024-28182       Medium    
ssl_client                                                                   1.36.1-r15                             1.36.1-r16  apk        CVE-2023-42366       Medium    
ssl_client                                                                   1.36.1-r15                             1.36.1-r19  apk        CVE-2023-42365       Medium    
ssl_client                                                                   1.36.1-r15                             1.36.1-r19  apk        CVE-2023-42364       Medium    
ssl_client                                                                   1.36.1-r15                             1.36.1-r17  apk        CVE-2023-42363       Medium

Most of these vulnerabilities can easily be fixed by upgrading with apk.

Minimal Reproduction

# grype temporalio/auto-setup:latest

Environment/Versions

Latest version or 1.25

Additional context

@wennergr wennergr added the bug Something isn't working label Nov 6, 2024
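The report in this issue is the kind of thing a platform team with a patching SLA wants to gate on in CI rather than read by hand. The script below is an added example, not code from this issue or from the Temporal project. It assumes grype's JSON report layout (`grype IMAGE -o json`: a top-level `distro` block and a `matches` array whose entries carry `vulnerability.{id,severity,fix.{state,versions}}` and `artifact.{name,version,type}`), and its sample report is constructed from a few rows of the table above (the `distro` values are assumed, not scanned). It reproduces grype's by-severity / by-status summary, separates the findings `apk upgrade` can address from the Go-module findings that require rebuilding the server binary, and fails the gate when a fixed finding at or above the chosen severity is present or when the image is not on the intended base release (the root cause the maintainers identified below: a 1.25 image built on alpine 3.19 instead of 3.20).

```python
import json
from collections import Counter


def _match(vuln_id, severity, state, fixed_in, name, version, kind):
    """Build one entry of grype's `matches` array (shape of `grype IMAGE -o json`)."""
    return {
        "vulnerability": {"id": vuln_id, "severity": severity,
                          "fix": {"state": state, "versions": fixed_in}},
        "artifact": {"name": name, "version": version, "type": kind},
    }


# Constructed sample: grype's JSON layout populated with a few rows from the
# issue's table. Not real scanner output; the distro block is an assumption.
SAMPLE_REPORT = {
    "distro": {"name": "alpine", "version": "3.19.1"},
    "matches": [
        _match("CVE-2024-5535", "Critical", "fixed", ["3.1.6-r0"], "libcrypto3", "3.1.4-r5", "apk"),
        _match("CVE-2024-6197", "High", "fixed", ["8.9.0-r0"], "curl", "8.5.0-r0", "apk"),
        _match("CVE-2024-2379", "Unknown", "fixed", ["8.7.1-r0"], "libcurl", "8.5.0-r0", "apk"),
        _match("GHSA-8pgv-569h-w5rw", "High", "fixed", ["0.46.0"],
               "go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc",
               "v0.36.4", "go-module"),
        _match("GHSA-c5q2-7r4c-mv6g", "Medium", "not-fixed", [],
               "gopkg.in/square/go-jose.v2", "v2.6.0", "go-module"),
    ],
}
SAMPLE_REPORT_JSON = json.dumps(SAMPLE_REPORT)

SEVERITY_RANK = {"Negligible": 0, "Low": 1, "Medium": 2, "High": 3, "Critical": 4}


def summarize(report):
    """Same two tallies grype prints: counts by severity and by fix state."""
    by_severity = Counter(m["vulnerability"]["severity"] for m in report["matches"])
    by_status = Counter(m["vulnerability"]["fix"]["state"] for m in report["matches"])
    return dict(by_severity), dict(by_status)


def apk_upgradable(report):
    """OS-package findings with a fix: what `apk upgrade` in the image addresses,
    provided the base release's repository carries the fixed version."""
    rows = []
    for m in report["matches"]:
        fix = m["vulnerability"]["fix"]
        if m["artifact"]["type"] == "apk" and fix["state"] == "fixed":
            rows.append((m["artifact"]["name"], m["artifact"]["version"],
                         fix["versions"][0], m["vulnerability"]["id"]))
    return sorted(rows)


def needs_rebuild(report):
    """Go-module findings are compiled into the binary; apk cannot patch them,
    the image has to be rebuilt from updated dependencies."""
    return sorted((m["artifact"]["name"], m["vulnerability"]["id"])
                  for m in report["matches"] if m["artifact"]["type"] == "go-module")


def sla_violations(report, threshold="High"):
    """Fixed findings at or above `threshold`. A severity grype reports as
    Unknown is counted as a violation so it gets triaged instead of silently skipped."""
    floor = SEVERITY_RANK[threshold]
    found = []
    for m in report["matches"]:
        v = m["vulnerability"]
        if v["fix"]["state"] != "fixed":
            continue
        rank = SEVERITY_RANK.get(v["severity"])
        if rank is None or rank >= floor:
            found.append((v["id"], v["severity"], m["artifact"]["name"]))
    return sorted(found)


def base_image_ok(report, expected_distro, expected_release):
    """Check the scanned image's OS is the release the build was meant to use."""
    distro = report.get("distro", {})
    version = distro.get("version", "")
    return (distro.get("name") == expected_distro
            and (version == expected_release or version.startswith(expected_release + ".")))


def gate(report_json, expected_distro="alpine", expected_release="3.20", threshold="High"):
    """Return (passed, reasons) for a grype JSON report string."""
    report = json.loads(report_json)
    reasons = []
    if not base_image_ok(report, expected_distro, expected_release):
        reasons.append(f"base image is {report.get('distro')}, expected "
                       f"{expected_distro} {expected_release}.x")
    for vuln_id, severity, pkg in sla_violations(report, threshold):
        reasons.append(f"{vuln_id} ({severity}) in {pkg} has a fix available")
    return (not reasons), reasons


if __name__ == "__main__":
    passed, reasons = gate(SAMPLE_REPORT_JSON)
    print("PASS" if passed else "FAIL")
    for reason in reasons:
        print(" -", reason)
    print("apk upgrade would address:", apk_upgradable(SAMPLE_REPORT))
    print("needs image rebuild:", needs_rebuild(SAMPLE_REPORT))
```

In a pipeline this replaces the constructed `SAMPLE_REPORT_JSON` with the file written by `grype IMAGE -o json`, and the base-image check is the cheap early signal: if the image reports a release older than the one the Dockerfile is supposed to pull, `apk upgrade` alone may not reach the FIXED-IN versions the table lists, because those may only exist in the newer release's repository.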
@dandavison

dandavison commented Nov 14, 2024

Thanks @wennergr! We looked into it and the auto-setup docker images for the 1.25.x series were accidentally based on alpine 3.19 when they should have been based on 3.20. We're going to issue a new 1.25 patch release. (The error only affected 1.25; 1.24 is based on 3.20).

@wennergr (Author)

Sounds good. Is there a timeline for this patch release?
