From b134106f674792a3c2c2186d42f3d79062dea4a7 Mon Sep 17 00:00:00 2001
From: Nicolas Favre-Felix 
Date: Mon, 21 Aug 2023 20:25:30 -0700
Subject: [PATCH] Switch from OpenSSL to LibreSSL in Dockerfile

Many of the recent releases of Webdis have been to address major vulnerabilities in OpenSSL. I'm hoping that LibreSSL will have fewer CVEs, given its proactive approach and focus on security and code clarity. The switch is easy given that the two libraries are largely compatible with each other, meaning this will require no code change in Webdis or its Hiredis dependency.
---
 Dockerfile | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index eb25acc6..410e8800 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,7 +1,7 @@
 FROM alpine:3.18.3 AS stage
 LABEL maintainer="Nicolas Favre-Felix "
-RUN apk update && apk add wget make gcc libevent-dev msgpack-c-dev musl-dev openssl-dev bsd-compat-headers jq
+RUN apk update && apk add wget make gcc libevent-dev msgpack-c-dev musl-dev libressl-dev bsd-compat-headers jq
 RUN wget -q https://api.github.com/repos/nicolasff/webdis/tags -O /dev/stdout | jq '.[] | .name' | head -1 | sed 's/"//g' > latest
 RUN wget https://github.com/nicolasff/webdis/archive/$(cat latest).tar.gz -O webdis-latest.tar.gz
 RUN tar -xvzf webdis-latest.tar.gz
@@ -11,9 +11,7 @@ RUN sed -i -e 's/"daemonize":.*true,/"daemonize": false,/g' /etc/webdis.prod.jso
 # main image
 FROM alpine:3.18.3
 # Required dependencies, with versions fixing known security vulnerabilities
-RUN apk update && apk add libevent msgpack-c openssl \
- 'redis>=6.2.10' 'libssl3>=3.0.10-r0' 'libcrypto3>=3.0.10-r0' \
- 'libssl1.1' 'libcrypto1.1>=1.1.1u-r1' && \
+RUN apk update && apk add libevent msgpack-c libressl 'redis>=7.0.10' && \
 rm -f /var/cache/apk/* /usr/bin/redis-benchmark /usr/bin/redis-cli
 COPY --from=stage /usr/local/bin/webdis /usr/local/bin/webdis-ssl /usr/local/bin/
 COPY --from=stage /etc/webdis.prod.json /etc/webdis.prod.json
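Review bot: The replaced `apk add` line in the build stage installs `libressl-dev` with no version pin and without `--no-cache`, so there is no way to tell from the Dockerfile which LibreSSL release the `webdis-ssl` binary was compiled against, and the apk index fetched by the separate `apk update` is left in the stage layer. Since the whole point of the commit is a TLS library with a better vulnerability record, the build-side version is worth fixing explicitly: `RUN apk add --no-cache libressl-dev=<pinned version from the Alpine 3.18 index> …` (placeholder to be filled in), which also lets the `apk update &&` prefix go. The unchanged context lines that resolve the newest GitHub tag through `wget … | jq … | head -1 | sed` and download the tarball without a checksum have the same reproducibility problem, but that is outside this commit.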
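Review bot: The context comment `# Required dependencies, with versions fixing known security vulnerabilities` no longer holds for the TLS library: the removed lines carried explicit floors for `libssl3`, `libcrypto3` and `libcrypto1.1`, whereas the new line installs `libressl` with no floor, so the runtime image gets whatever LibreSSL build the Alpine 3.18.3 index serves at build time. Either add a floor, `'libressl>=<minimum version>'` (placeholder, to be taken from the Alpine package index), or reword the comment so it only claims what the line enforces. Separately, if the Alpine `redis` package still depends on `libssl3`/`libcrypto3`, apk will pull OpenSSL back in as a transitive dependency and the final image ships two TLS stacks rather than replacing one, which cuts against the stated goal; `apk info -R redis` in the final stage would confirm it either way. The bump of the redis floor from `6.2.10` to `7.0.10` on the same line is unrelated to the LibreSSL switch and is not mentioned in the description.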