21 Commits (4b66bcf85bd4450575b4286aab9e9c58f7cebc5e)

Author SHA1 Message Date
Nicolas Favre-Felix 5251109517
Update alpine base image, OpenSSL version
This addresses multiple vulnerabilities found in OpenSSL, which is
bundled in the Docker image to allow Webdis to connect to Redis over a
secure TLS connection. Full list of CVEs to be published in the
upcoming release notes for Webdis 0.1.22.
1 year ago
Nicolas Favre-Felix 1b63174d5d
Dependency updates: alpine, redis, ssl
Alpine: 3.14.3 -> 3.17.1
Redis: 6.2.6 -> 7.0.8
2 years ago
Nicolas Favre-Felix 545c56c4cb
Reduce Docker image size
* Remove apk cache after installing packages
* Remove unused Redis binaries: -benchmark and -cli

Those have to be done on the same line as `apk add` in order to be part
of the same image layer, since running them in a separate layer would
not affect the layer they were added to.
3 years ago
Nicolas Favre-Felix 93e96565a6
Update Dockerfile for Webdis 0.1.18.1 3 years ago
Nicolas Favre-Felix 277e6fc303
Update Dockerfile to build webdis with SSL support
Two binaries are built and packaged:
* /usr/local/bin/webdis -- still without SSL and does not depend on
  OpenSSL
* /usr/local/bin/webdis-ssl -- supports SSL, depends on OpenSSL but has
  to be used with the webdis image as a base image or in a container
  injecting the webdis config and certs.
3 years ago
Nicolas Favre-Felix 942be1fd54
Release 0.1.17.1 (Fixes Redis vulnerabilities)
Security update: upgrading the version of Redis bundled in
the Webdis image to fix a number of severe vulnerabilities.

* Low severity vulnerability found in redis/redis
  Description: Integer Overflow or Wraparound
  Info: https://snyk.io/vuln/SNYK-ALPINE314-REDIS-1727801
  Introduced through: redis/redis@6.2.5-r0
  From: redis/redis@6.2.5-r0
  Fixed in: 6.2.6-r0

* Medium severity vulnerability found in redis/redis
  Description: Out-of-bounds Read
  Info: https://snyk.io/vuln/SNYK-ALPINE314-REDIS-1727803
  Introduced through: redis/redis@6.2.5-r0
  From: redis/redis@6.2.5-r0
  Fixed in: 6.2.6-r0

* High severity vulnerability found in redis/redis
  Description: Allocation of Resources Without Limits or Throttling
  Info: https://snyk.io/vuln/SNYK-ALPINE314-REDIS-1727783
  Introduced through: redis/redis@6.2.5-r0
  From: redis/redis@6.2.5-r0
  Fixed in: 6.2.6-r0

* High severity vulnerability found in redis/redis
  Description: CVE-2021-32626
  Info: https://snyk.io/vuln/SNYK-ALPINE314-REDIS-1727820
  Introduced through: redis/redis@6.2.5-r0
  From: redis/redis@6.2.5-r0
  Fixed in: 6.2.6-r0

* High severity vulnerability found in redis/redis
  Description: Integer Overflow or Wraparound
  Info: https://snyk.io/vuln/SNYK-ALPINE314-REDIS-1727822
  Introduced through: redis/redis@6.2.5-r0
  From: redis/redis@6.2.5-r0
  Fixed in: 6.2.6-r0

* High severity vulnerability found in redis/redis
  Description: Integer Overflow or Wraparound
  Info: https://snyk.io/vuln/SNYK-ALPINE314-REDIS-1727823
  Introduced through: redis/redis@6.2.5-r0
  From: redis/redis@6.2.5-r0
  Fixed in: 6.2.6-r0

* High severity vulnerability found in redis/redis
  Description: Integer Overflow or Wraparound
  Info: https://snyk.io/vuln/SNYK-ALPINE314-REDIS-1727825
  Introduced through: redis/redis@6.2.5-r0
  From: redis/redis@6.2.5-r0
  Fixed in: 6.2.6-r0

* High severity vulnerability found in redis/redis
  Description: Integer Overflow or Wraparound
  Info: https://snyk.io/vuln/SNYK-ALPINE314-REDIS-1727826
  Introduced through: redis/redis@6.2.5-r0
  From: redis/redis@6.2.5-r0
  Fixed in: 6.2.6-r0
3 years ago
Nicolas Favre-Felix 871992d4aa
Update base image from alpine 3.12.7 to 3.14.2 3 years ago
Nicolas Favre-Felix e6379ada2b
Upgrade base image from alpine:3.12.6 to 3.12.7 3 years ago
Nicolas Favre-Felix 0dd8325bbf
Update base image to alpine:3.12.6
Alpine 3.12.5 has a known vulnerability:
  High severity vulnerability found in busybox/busybox
  Description: Improper Handling of Exceptional Conditions
  Info: https://snyk.io/vuln/SNYK-ALPINE312-BUSYBOX-1089799
  Introduced through: busybox/busybox@1.31.1-r19, alpine-baselayout/alpine-baselayout@3.2.0-r7, busybox/ssl_client@1.31.1-r19
  From: busybox/busybox@1.31.1-r19
  From: alpine-baselayout/alpine-baselayout@3.2.0-r7 > busybox/busybox@1.31.1-r19
  From: busybox/ssl_client@1.31.1-r19
  Fixed in: 1.31.1-r20
4 years ago
Nicolas Favre-Felix 6cfab3e563
Update base image to Alpine 3.12.5
Alpine 3.12.4 uses a vulnerable version of libssl1.1
(CVE-2021-3449 and CVE-2021-3450), issues that are fixed in Alpine
3.12.5. This is not really a problem for Webdis since it doesn't use
SSL, but the vulnerability shows up on image scans and users who build
images with Webdis as the base image could be at risk if their own
changes depend on this library.
4 years ago
Nicolas Favre-Felix 726c96fb89
Update alpine base image for OpenSSL fix
Resolves:
* https://snyk.io/vuln/SNYK-ALPINE312-OPENSSL-1075734
* https://snyk.io/vuln/SNYK-ALPINE312-OPENSSL-1075735
* https://snyk.io/vuln/SNYK-ALPINE312-OPENSSL-1075736
4 years ago
Nicolas Favre-Felix 9c1f900332
Update libcrypto, as recommended by snyk
Fixes https://snyk.io/vuln/SNYK-ALPINE311-OPENSSL-587980
Even though webdis doesn't use TLS, some images could be built from the
webdis image and therefore use a vulnerable version of openssl. The fix
is in version 1.1.1g and Alpine currently has 1.1.1i.
After this change, snyk no longer reports any known vulnerabilities in the
Docker image.
4 years ago
Nicolas Favre-Felix 9f4a2093a6
Dockerfile updates
* Bump alpine version from 3.11.3 to 3.12.3
* Use `LABEL` instead of `MAINTAINER` which is deprecated
4 years ago
Nicolas Favre-Felix a41bd55105 Update Dockerfile to no longer require the latest tag
The Dockerfile used to refer to the latest published tag for Webdis.
This meant updating the file every time a new release was published.
This change uses the GitHub API to find the latest tag before
downloading and building the corresponding release.
4 years ago
Nicolas Favre-Felix 77776e0eaa Release 0.1.10 4 years ago
Nicolas Favre-Felix bb64f3bba7 Version bump after release 5 years ago
Nicolas Favre-Felix 556aa75d75 Remove obsolete `sed` replace from Dockerfile 5 years ago
Nicolas Favre-Felix 7add4cc30b Release 0.1.8 5 years ago
Jessie Murray a077c98fc2
Update Dockerfile to use Alpine Linux (#169)
* Change base image to Alpine 3.11.3
* Use multi-stage build (reducing size from 276 MB to 9.5 MB)
* Change Makefile to build with -O3 instead of -O0 -ggdb
5 years ago
Nicolas Favre-Felix b91f10ce73 Update Dockerfile to Debian Jessie, enable MessagePack, fix RUN command + add Docker example to README 5 years ago
Nicolas Favre-Felix b6202150f7 Add Dockerfile 11 years ago