Alpine images are 3 months old on docker hub
Hello,
The Docker images based on Alpine seem to be outdated, as they were built 3 months ago. Is there any issue / limitation that blocks the publication of a new build?
We are used to benefiting from httpd images without any Critical or even High CVE in them. We have some concerns right now, as httpd is a very popular image.
Regards
Unfortunately, the Alpine base images are not updated as proactively as we'd like them to be, and that's the primary means by which package updates get to dependent images in the Official Images program right now. One simple alternative would be to switch to the Debian-based image, which is proactively rebuilt to incorporate package updates.
You might find https://github.com/docker-library/faq#why-does-my-security-scanner-show-that-an-image-has-cves useful as well.
Are there any package updates that actually affect the operation of httpd in a functional way? How severe are the vectors specifically in relation to httpd's operation? (The published and generic severity values rarely capture actual real-world usage / risk very well.)
Hi @tianon,
Thanks for the update on this.
As a matter of fact, we apply a strict policy regarding CVEs: 0 critical and 0 high. With httpd:2.4-alpine we've tested a simple package upgrade and it removes the CVEs, BUT we prefer to get the fix from upstream, as, as soon as we touch the image, we need to guarantee that it works with all our internal client use cases (nightmare).
The CVEs are located in the apk add instructions:
When we scan the image 2.4-alpine:
Among the 7 High CVEs in the image, when I look at the available packages for Alpine v3.21, we only miss the latest version of libxml2 (2.13.6-r0). All other fixed versions were synced in March and April 2025.
At the time I wrote this issue, all the packages had fixed versions available. If I understand correctly, a simple rebuild of the image should have fixed the issues.
I understand that the emergency level is not very high because of the severity of the CVEs, but as end users we are used to benefiting from the extremely low number of CVEs in httpd-alpine images.
Can you try to launch a rebuild for all Alpine distributions of httpd?
As a matter of fact, we apply a strict policy regarding CVEs: 0 critical and 0 high
That's an interesting choice you've made, but not one that we have.
We take security issues seriously, but that's not what CVEs (necessarily) are, so there's some unfortunate disparity that will be inherent in that disconnect. Again, see https://github.com/docker-library/faq#why-does-my-security-scanner-show-that-an-image-has-cves for some longer-form explanation on that point.
Hello, first of all, thank you for maintaining the alpine images of httpd!
Can you please just rebuild the alpine-based image and push? During the build the apk packages are installed, and the current Alpine versions are fixed.
E.g. libxml2 was already built on 9th September, so a simple rebuild based on 3.22 will resolve some CVEs.
Can you please just rebuild the alpine-based image and push?
Unfortunately, our build system is a bit more complicated than that because we build many images FROM one another across many CPU architectures. Tags in the official images are only built through a meaningful update to the Dockerfile (or build context) or as a result of its base image being updated (ie, an image FROM debian:trixie would be rebuilt when debian:trixie is built).
Official Images FAQ:
Though not every CVE is removed from the images, we take CVEs seriously and try to ensure that images contain the most up-to-date packages available within a reasonable time frame
- https://github.com/docker-library/faq/tree/e5475a9b3d7c34b8a1e3902df0f4959c5b33e593#why-does-my-security-scanner-show-that-an-image-has-cves
To ensure that we don't push contentless image changes, we rely on periodic base image updates.
We strive to publish updated images at least monthly for Debian. We also rebuild earlier if there is a critical security need. Many Official Images are maintained by the community or their respective upstream projects, like Ubuntu, Alpine, and Oracle Linux, and are subject to their own maintenance schedule.
- from the same FAQ link
If users need updates sooner, then they need to pull in apt/apk package updates in a custom image FROM httpd.
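The "custom image FROM httpd" approach the maintainer describes, as an added example (not code from the httpd image or the Official Images project): a derived Dockerfile that pulls the current Alpine package set and fails the build if any installed package is still behind the repository index. The tag `httpd:2.4-alpine` is the one discussed in this thread; everything else is assumed.

```dockerfile
# Added example: derive from the official Alpine-based httpd tag discussed above
FROM httpd:2.4-alpine

RUN set -eux; \
    # refresh the package index of the repositories the base image already points at
    apk update; \
    # upgrade every installed package to the version currently in those repositories
    # (this is what picks up e.g. a newer libxml2 without waiting for a base-image rebuild)
    apk upgrade; \
    # fail the build if any installed package is still older than the repository version;
    # `apk version -l '<'` prints a header line plus one line per lagging package
    [ -z "$(apk version -l '<' | tail -n +2)" ]; \
    # record the resulting libxml2 version in the build log for later review
    apk list --installed libxml2; \
    # drop the index cache so it is not baked into the image layer
    rm -rf /var/cache/apk/*
```

Build it with `docker build --pull --no-cache` on a schedule: without `--no-cache` Docker reuses the cached RUN layer and the upgrade never re-runs, and without `--pull` a stale local copy of the base image is used.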