node:6.9.4-alpine - zlib vulnerability

[IdanAdar]

From gliderlabs/docker-alpine#299

Hello,
In my Dockerfile I use FROM node:6.9.4-alpine.

IBM Bluemix provides a Vulnerability Advisor feature that can scan images and provide a report.
I was notified of the following:

PACKAGE   SUMMARY                                                                                                                                                                          URL   
zlib      inftrees.c in zlib 1.2.8 might allow context-dependent attackers to have unspecified impact by leveraging improper pointer arithmetic.                                              
          inffast.c in zlib 1.2.8 might allow context-dependent attackers to have unspecified impact by leveraging improper pointer arithmetic.                                               
          The inflateMark function in inflate.c in zlib 1.2.8 might allow context-dependent attackers to have unspecified impact via vectors involving left shifts of negative integers.      
          The crc32_big function in crc32.c in zlib 1.2.8 might allow context-dependent attackers to have unspecified impact via vectors involving big-endian CRC calculation.  

How can I address this, given that I must stay with node:6.9.4?
Will this base image be updated to address this?

Is using FROM node:6-alpine a better approach? Will it provide, at minimum, 6.9.4 or a different version?

[yosifkit]

It looks like the 6.9 series is no longer supported (it was dropped in #334). node:6-alpine should give you 6.11.0 right now and will continue to follow the 6 series until it is EOL.

The zlib vulnerabilities (CVE-2016-9843, CVE-2016-9841, CVE-2016-9840 and CVE-2016-9842) are still in the 6-alpine image and are from the base image and not added in the layers that are added in the node image. This is because it is tied to alpine:3.4 to prevent backwards incompatibilities when moving to alpine:3.6 (node:8-alpine is based on 3.6 and does not have the vulnerabilities).

I made a comment related to these exact vulnerabilities on nginx/docker-nginx#176 (comment).

[yosifkit]

I was just checking that this was fixed in alpine 3.4 and the fix is in the alpine:3.4 image, but the official build server is still in progress to push updated child images images (alpine was updated in docker-library/official-images#3086). So hopefully within the next few days, the node:6-alpine image should get the update from the rebuild.

[IdanAdar]

Thanks @yosifkit, I'll update to node:6-alpine (in a few days) and close this ticket once the issue was verified to be fixed.

[IdanAdar]

@yosifkit, how can I track the build progress?

[SimenB]

@yosifkit is this safe to close?

[IdanAdar]

Yes. node:6-alpine passes checks and node:6.9.4-alpine no longer used...
Closing my ticket.