docker-nginx
Update stable to Alpine 3.20
Proposed changes
This is a follow-up to #894, given that in my eyes it seems most likely a new mainline release will precede a new stable release.
Updates the stable image to use Alpine 3.20 as default version. See also https://alpinelinux.org/posts/Alpine-3.20.0-released.html.
Note: given that this requires built binaries for the new Alpine version and won't take any effect until an actual new release of nginx itself, this PR is intentionally marked as draft, so it can function both as a heads-up about the new release and a place that allows for subscription to any potential updates. It can then be merged later at any convenient time when everything is ready. However, if it is still preferable to close this in the meantime, feel free to do so.
Checklist
Before creating a PR, run through this checklist and mark each as complete:
- [x] I have read the CONTRIBUTING document
- [x] I have run ./update.sh and ensured all entrypoint/Dockerfile template changes have been applied to the relevant image entrypoint scripts & Dockerfiles
- [ ] If applicable, I have added tests that prove my fix is effective or that my feature works
- [ ] If applicable, I have checked that any relevant tests pass after adding my changes
- [ ] I have updated any relevant documentation
Should be ready for 1.26.1 release once the Alpine binaries are available!
@jnoordsij are there any updates on this, or do you have an idea of when it might be ready? We're eager to move to Alpine 3.20, due to some vulnerabilities that exist on 3.19. Thanks for all you do!
@jnoordsij - We had a security vulnerability in the Alpine Linux image used in our environment, specifically related to BusyBox. The due date for addressing this issue is 06/19, and it poses a security risk that could impact our services. Could you please inform us when you plan to release an updated version of NGINX with the latest security updates?
This PR is a community contribution; I have no official ties to it.
Regarding when to expect the Alpine update, this generally only coincides with a new release for this image, hence I do not expect this to be available before the 1.26.2 release (for which no release date is known, at least to me).
For any security issues on the Alpine image, these should be addressed in the base image, which should prompt a rebuild of the images here. For more details on this, please consult https://github.com/docker-library/faq?tab=readme-ov-file#why-does-my-security-scanner-show-that-an-image-has-cves.
I think this PR only needs a rebase (and perhaps the addition of the curl package when building from source), then at least the CI should return green.
Merged, thank you!