From b0ce61324198040431e0dba28f1de9e67039bbfd Mon Sep 17 00:00:00 2001
From: Ben Jee
Date: Fri, 26 Sep 2025 16:21:18 -0700
Subject: [PATCH 1/4] Update libexpat and tiff to fix cves
---
 build/Dockerfile.nginx | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/build/Dockerfile.nginx b/build/Dockerfile.nginx
index c64d1a2968..df5fe271c3 100644
--- a/build/Dockerfile.nginx
+++ b/build/Dockerfile.nginx
@@ -5,6 +5,11 @@ FROM scratch AS nginx-files
 ADD --link --chown=101:1001 https://cs.nginx.com/static/keys/nginx_signing.rsa.pub nginx_signing.rsa.pub
 FROM nginx:1.29.1-alpine-otel
+# the following apk update and add are to address CVE-2025-59375 and CVE-2025-8961 respectively,
+# once a new base image is available with these package updates, they can be removed
+RUN apk update && apk add --no-cache \
+ 'libexpat=2.7.2-r0' \
+ 'tiff=4.7.1-r0'
 # renovate: datasource=github-tags depName=nginx/agent
 ARG NGINX_AGENT_VERSION=v3.3.2
From e8a8be10be9a2225e5debf4bed0ff3449980004d Mon Sep 17 00:00:00 2001
From: Ben Jee
Date: Fri, 26 Sep 2025 16:49:56 -0700
Subject: [PATCH 2/4] Update comment
---
 build/Dockerfile.nginx | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/build/Dockerfile.nginx b/build/Dockerfile.nginx
index df5fe271c3..4af506685f 100644
--- a/build/Dockerfile.nginx
+++ b/build/Dockerfile.nginx
@@ -5,7 +5,7 @@ FROM scratch AS nginx-files
 ADD --link --chown=101:1001 https://cs.nginx.com/static/keys/nginx_signing.rsa.pub nginx_signing.rsa.pub
 FROM nginx:1.29.1-alpine-otel
-# the following apk update and add are to address CVE-2025-59375 and CVE-2025-8961 respectively,
+# the following apk update and add are to address CVE-2025-59375 and CVE-2025-8961/CVE-2025-9165 respectively,
 # once a new base image is available with these package updates, they can be removed
 RUN apk update && apk add --no-cache \
 'libexpat=2.7.2-r0' \
From fb26a93548b41430b61fa49e12edcfb4a92761a7 Mon Sep 17 00:00:00 2001
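Review bot: `apk update` is redundant next to `apk add --no-cache` in the added RUN line, and it leaves the freshly fetched APKINDEX files under /var/cache/apk/ inside this layer; `--no-cache` already pulls a current index for the install (hadolint DL3019). The line can simply be `RUN apk add --no-cache \`, which also removes the only reason the layer grows beyond the two upgraded packages. The same `apk update &&` prefix is carried into patches 3 and 4 of this series, so the fix applies to the final hunk as well. The exact `=2.7.2-r0` / `=4.7.1-r0` pins introduced here are replaced by `>=` constraints in patch 4, so I am not raising that separately.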
From: Ben Jee
Date: Mon, 29 Sep 2025 13:21:01 -0700
Subject: [PATCH 3/4] Remove specific version
---
 build/Dockerfile.nginx | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)
diff --git a/build/Dockerfile.nginx b/build/Dockerfile.nginx
index 4af506685f..1fd1f56da5 100644
--- a/build/Dockerfile.nginx
+++ b/build/Dockerfile.nginx
@@ -6,10 +6,8 @@ ADD --link --chown=101:1001 https://cs.nginx.com/static/keys/nginx_signing.rsa.p
 FROM nginx:1.29.1-alpine-otel
 # the following apk update and add are to address CVE-2025-59375 and CVE-2025-8961/CVE-2025-9165 respectively,
-# once a new base image is available with these package updates, they can be removed
-RUN apk update && apk add --no-cache \
- 'libexpat=2.7.2-r0' \
- 'tiff=4.7.1-r0'
+# once a new base image is available with these package updates, they can be removed. libexpat >= 2.7.2-r0 and tiff >= 4.7.1-r0 are required.
+RUN apk update && apk add --no-cache libexpat tiff
 # renovate: datasource=github-tags depName=nginx/agent
 ARG NGINX_AGENT_VERSION=v3.3.2
From eea4c799780eab8d85d90168e57e51ce07f6ef11 Mon Sep 17 00:00:00 2001
From: Ben Jee
Date: Mon, 29 Sep 2025 13:27:40 -0700
Subject: [PATCH 4/4] Add versioning with greater than or eqaul symbol
---
 build/Dockerfile.nginx | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/build/Dockerfile.nginx b/build/Dockerfile.nginx
index 1fd1f56da5..1b5078b02e 100644
--- a/build/Dockerfile.nginx
+++ b/build/Dockerfile.nginx
@@ -6,8 +6,8 @@ ADD --link --chown=101:1001 https://cs.nginx.com/static/keys/nginx_signing.rsa.p
 FROM nginx:1.29.1-alpine-otel
 # the following apk update and add are to address CVE-2025-59375 and CVE-2025-8961/CVE-2025-9165 respectively,
-# once a new base image is available with these package updates, they can be removed. libexpat >= 2.7.2-r0 and tiff >= 4.7.1-r0 are required.
-RUN apk update && apk add --no-cache libexpat tiff
+# once a new base image is available with these package updates, they can be removed.
+RUN apk update && apk add --no-cache 'libexpat>=2.7.2-r0' 'tiff>=4.7.1-r0'
 # renovate: datasource=github-tags depName=nginx/agent
 ARG NGINX_AGENT_VERSION=v3.3.2
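Review bot: The rewritten comment line drops the "libexpat >= 2.7.2-r0 and tiff >= 4.7.1-r0 are required" text that patch 3 had added, and the preceding line (context here) still pairs the CVE list with "apk update and add ... respectively", so the final comment no longer says which package addresses which CVE. Assuming the list order pairs libexpat with CVE-2025-59375 and tiff with the other two, as patch 3's wording suggests (please confirm), I'd restate the first line as `# libexpat>=2.7.2-r0 addresses CVE-2025-59375; tiff>=4.7.1-r0 addresses CVE-2025-8961 and CVE-2025-9165` and keep the second line as the removal rule. The `>=` constraints are the right shape: apk fails the build with a non-zero exit if the repository cannot satisfy them, whereas the unpinned form from patch 3 would have silently kept whatever was installed. They do mean the installed release floats from build to build, so the removal rule is worth making checkable, e.g. `# remove once the base image already satisfies these versions (apk info -v libexpat tiff)`.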