
Request: Use the Alpine build of BusyBox for greater security

Open liam-verta opened this issue 3 years ago • 2 comments

The Alpine project is very responsive to vulnerability reports and has been releasing patched versions of BusyBox that address critical vulnerabilities. CVE-2022-28391 was reported over 4 months ago and is still unpatched in BusyBox 1.34.x and 1.35.0 releases. Meanwhile, Alpine patched their BusyBox build almost as soon as the vulnerability was published: https://gitlab.alpinelinux.org/alpine/aports/-/issues/13661

This image doesn't have to use Alpine in general but it should consider using the Alpine build of the BusyBox executable for greater security.

liam-verta, Aug 04 '22 19:08

Hmm, I'm not totally opposed to this. But the question is, how to extract/build this.

SuperQ, Aug 05 '22 01:08

We might also finally just switch to a from-scratch image. The node-exporter is really the last container I ever feel the need to exec into, and now with ephemeral containers in Kubernetes even in these situations it shouldn't matter. But it would be a breaking change.

discordianfish, Aug 09 '22 12:08
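One way to do the extraction SuperQ asks about while also moving to the scratch base discordianfish mentions, as an added example that is not the project's own Dockerfile: Alpine's default busybox package is dynamically linked against musl, so this pulls the busybox-static package instead (it installs /bin/busybox.static); the alpine:3.16 tag is an assumption.

```dockerfile
# Added example, not the project's Dockerfile. Assumes the alpine:3.16 tag
# and Alpine's busybox-static package (installs /bin/busybox.static).
FROM alpine:3.16 AS builder

# Stage the static BusyBox binary under /rootfs and create the applet
# symlinks (sh, ls, cat, ...) as *relative* links so they remain valid
# after /rootfs is copied to / in the scratch stage. The guard skips the
# "busybox" entry in --list so the real binary is not replaced by a link.
RUN apk add --no-cache busybox-static \
 && mkdir -p /rootfs/bin \
 && cp /bin/busybox.static /rootfs/bin/busybox \
 && for applet in $(/rootfs/bin/busybox --list); do \
      [ "$applet" = busybox ] || ln -s busybox "/rootfs/bin/$applet"; \
    done

# Final image carries only the Alpine-patched BusyBox, nothing else to
# track for CVEs. Rebuild whenever Alpine ships a new busybox-static.
FROM scratch
COPY --from=builder /rootfs/ /
CMD ["/bin/sh"]
```

The apk output in the builder stage names the exact busybox-static version installed, which is the value to compare against Alpine's advisory when triaging a BusyBox CVE.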