Critical and High Severity in alpine image in google/cloud-sdk/492.0.0-alpine

[nmeena-suki]

The alpine version of this image seems to be vulnerable to GHSA-v23v-6jw2-98fq
You need to update your docker static source version
Image: https://hub.docker.com/layers/google/cloud-sdk/492.0.0-alpine/images/sha256-201db51115dc28aea998b5caf581233733957b289169acd1d54b7102a41d4bab?context=explore

There are also other high vulnerabilites in cryptography package and the fix is available
GHSA-3ww4-gg4f-jr7f
GHSA-6vqw-3v5j-54x4

When can we expect an upgrade

[nmeena-suki]

There are 20 Vul, out of which these are fixable

[young-mmfm]

google/cloud-sdk/493.0.0-alpine also has security issues:

493.0 went back to Alpine 3.19 from Alpine 3.20. Alpine 3.20.3 currently has no known vulnerabilities: https://hub.docker.com/layers/library/alpine/3.20.3/images/sha256-33735bd63cf84d7e388d9f6d297d348c523c044410f553bd878c6d7829612735?context=explore.

Wondering if it's possible to upgrade to Alpine 3.20.3? 🙏 Thank you!

[young-mmfm]

Correction: even when upgrading to Alpine 3.20.3, there seem to be vulnerabilities specifically in py3-openssl and the google cloud CLI:

[anindyatahsin]

Alpine version update (to version 3.20) is currently blocked on the gsutil component, which is not compliant with the python 3.12 version. This is because python 3.12 is the default python version that comes with alpine version 3.20. A fix with alpine 3.20 and python 3.11 manually installed is available in the alpine-upgrade branch and currently being tested.

[anindyatahsin]

Since the alpine image is upgraded to version 3.20, the original CVEs referred in the issue are now resolved. So we are closing this now. We can address other vulnerabilities in separate issues.

We already have a pull request for upgrading alpine to 3.21. We will upgrade after some basic smoke testing.