This is an automated email from the ASF dual-hosted git repository.

kezhenxu94 pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/skywalking-satellite.git


The following commit(s) were added to refs/heads/main by this push:
     new 70f45bb  cves: bump busybox to 1.37.0-r31, golang.org/x/net to v0.53.0 (#254)
70f45bb is described below

commit 70f45bb7602873756001811ba2f8b427362f9346
Author: kezhenxu94 <[email protected]>
AuthorDate: Mon May 18 15:50:59 2026 +0800

    cves: bump busybox to 1.37.0-r31, golang.org/x/net to v0.53.0 (#254)
    
    * cves: bump busybox to 1.37.0-r31 to fix CVE-2025-60876
    
    Add Alpine edge/main repository to install busybox>=1.37.0-r31 which
    contains the fix for CVE-2025-60876 (MEDIUM). The fix is not yet
    backported to alpine:3.23 stable, so we pin busybox from the edge
    repository.
    
    Note: golang.org/x/net was already bumped to v0.53.0 in PR #253,
    fixing CVE-2026-33814.
    
    * cves: use --repository flag for edge busybox, avoid apk upgrade
    
    Address review feedback:
    - Use 'apk add --repository <edge>' instead of permanently adding edge
      to /etc/apk/repositories, keeping the runtime image closer to Alpine 3.23 stable
    - Install only targeted packages (ca-certificates, libssl3, libcrypto3,
      musl, busybox) instead of upgrading all packages via apk upgrade
---
 docker/Dockerfile | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/docker/Dockerfile b/docker/Dockerfile
index c96c0be..de58ea3 100644
--- a/docker/Dockerfile
+++ b/docker/Dockerfile
@@ -30,9 +30,10 @@ RUN mv 
/src/bin/skywalking-satellite-${VERSION}-linux-${TARGETARCH} /src/bin/sky
 
 FROM alpine:3.23
 
-RUN apk update --no-cache && \
-    apk upgrade --no-cache && \
-    apk add --no-cache ca-certificates "libssl3>=3.3.7-r0" 
"libcrypto3>=3.3.7-r0" "musl>=1.2.5-r11"
+RUN apk add --no-cache ca-certificates "libssl3>=3.3.7-r0" 
"libcrypto3>=3.3.7-r0" "musl>=1.2.5-r11" && \
+    apk add --no-cache \
+        --repository https://dl-cdn.alpinelinux.org/alpine/edge/main \
+        "busybox>=1.37.0-r31" "busybox-binsh>=1.37.0-r31" 
"ssl_client>=1.37.0-r31"
 
 VOLUME /skywalking/configs
 
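Review bot: In the second `apk add` (the `--repository https://dl-cdn.alpinelinux.org/alpine/edge/main` lines), `"busybox>=1.37.0-r31"` is a lower bound rather than a pin, and edge is a rolling repository, so every rebuild can install a different busybox, busybox-binsh and ssl_client than the one this change was tested with. Because `--repository` adds edge alongside the 3.23 repositories for that invocation, apk may also resolve dependencies of those three packages from edge, which is worth checking in the built image with `apk info -v` or an image scan. The Dockerfile itself carries no comment saying why edge is used: a short comment above this `RUN` naming CVE-2025-60876 and stating that the edge source should be dropped once the fix reaches alpine:3.23 would keep this temporary workaround from becoming permanent. With `apk upgrade` removed, every other package in the runtime image is now only as current as the `alpine:3.23` tag pulled at build time, so the floors on libssl3, libcrypto3 and musl are the only remaining guard and should be revisited whenever new advisories land.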
