build: Bump gpg to alpine's edge
LibKSBA is a dependency of GnuPG, which has a CVE that
is yet to be patched on Alpine's stable channel. This
PR installs GnuPG from the edge channel, and should be
reverted once libksba's version 1.6.2 is in main.

https://pkgs.alpinelinux.org/packages?name=libksba&branch=edge
https://gnupg.org/blog/20221017-pepe-left-the-ksba.html

Signed-off-by: Paulo Gomes <paulo.gomes@weave.works>
Paulo Gomes committed Nov 9, 2022
1 parent 47073a3 commit d8e820b
Showing 1 changed file with 3 additions and 1 deletion.
4 changes: 3 additions & 1 deletion Dockerfile
Expand Up @@ -33,7 +33,9 @@ RUN xx-go build -trimpath -a -o kustomize-controller main.go

FROM alpine:3.16

RUN apk add --no-cache ca-certificates tini git openssh-client gnupg
# Uses GnuPG from edge to patch CVE-2022-3515.
RUN apk add --no-cache ca-certificates tini git openssh-client && \
apk add --no-cache gnupg --repository=https://dl-cdn.alpinelinux.org/alpine/edge/main

COPY --from=builder /workspace/kustomize-controller /usr/local/bin/

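Review bot: the vulnerable component named in the commit message is libksba, but the second `apk add` only names `gnupg`, so whether libksba 1.6.2 actually lands in the image depends on the edge gnupg package's dependency constraints against the alpine:3.16 repositories; consider requesting it explicitly, e.g. `apk add --no-cache gnupg 'libksba>=1.6.2' --repository=https://dl-cdn.alpinelinux.org/alpine/edge/main`, and verifying the resulting version with `apk info libksba` in the built image. Mixing an edge repository into a 3.16 base can also pull in other shared libraries from edge for this one package, so the result is less reproducible than the rest of the image; the comment `# Uses GnuPG from edge to patch CVE-2022-3515.` should carry the revert condition from the commit message (drop the edge repository once libksba 1.6.2 is in main) so the workaround is not forgotten.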

0 comments on commit d8e820b
