We are using openjdk:8-jdk-alpine as the base image in a docker image. Getting this jq:1.6-r0 is affected by CVE-2016-4074 and tried jq>1.6_rc1-r0 this as well. But it hasn't resolved the issue as shown below.
Here is the Dockerfile
FROM openjdk:8-jdk-alpine3.9
ENV PACKAGES="jq>1.6-r0"
Could anyone guide/suggest how can we resolve this issue?
11 Answer
Alpine 3.9 comes with an older (affected) version of jq v1.6-r0
Only Alpine 3.12 and higher comes with the fixed version of jq v1.6-r1
If you are security-aware, you should upgrade your alpine and generally use up to date versions of most things, if not, then you probably have nothing to worry about.
In regards to your follow up question in the comment, about upgrading jq without upgrading the base image:
- I do not know of a way to get an official apk package from a newer alpine.
- As with any other linux, although it is usually better to rely on the official package manager, you can still opt to build from source or download a pre-built binary.
For example, to get the latest available jq (version 1.6) on alpine, directly from the GitHub release page, you can do this:
FROM alpine RUN apk add wget RUN wget && \ mv jq-linux64 /usr/local/bin/jq && \ chmod +x /usr/local/bin/jq 3
