nginx:1.21.6 and nginx:1.21.6-alpine CVE-2022-23308

[seeravinder]

Please note, there is libxml2 vulnerability in nginx:1.21.6 image and now there is a fixed version of libxml2. Please can someone help to fix it and update the latest version.
valid.c in libxml2 before 2.9.13 has a use-after-free of ID and IDREF attributes.
Installed Resource - libxml2 2.9.12-r2
Fixed Version - libxml2 2.9.13-r0

[pirtleshell]

as a temporary workaround for this until the container gets rebuilt, you can manually update the package in your docker file:

FROM nginx:1.21.6-alpine

RUN apk update
RUN apk add --upgrade libxml2 libxslt

this will also resolve CVE-2021-30560 which is a similar CVE that shows up in the latest container because of libxslt

[seeravinder]

Hi Pirtleshell,
Thanks for update
Actually, I was looking to use an unprivileged image, wondering if you can point me to steps to do this fix in unprivileged image as well, probably I will need to compose the image again.

Thanks

[thresheek]

All nginx images, namely nginx:stable, nginx:latest, nginx:stable-alpine, nginx:alpine now have fixed versions of libxml2 shipped.