Hello! Could you please rebuild drone/git with refreshed packages from Alpine?
crit expat 2.2.9-r1 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45960
This was fixed by Alpine in expat 2.2.10-r2 for branch 3.13.
I expect this bug is entirely harmless – there should be no reason to parse XML while cloning a Git repository – though the presence of this old package is enough to trip alarm bells in security tools.
(I did go hunting for a way to override the default, but it would appear as though this is a fixed constant.)
The best way is to upgrade base container to latest Alpine (3.15).
We had previously upgraded to 3.13 and then had to roll back due to DNS issues with 3.13. There are also reports of DNS issues in Kubernetes, and it is unclear that those are resolved in newer versions. These DNS issues effectively caused outages for a large percentage of our installations. Since these security issues do not pose a practical threat to Drone users, we are taking a conservative approach to updates at this time. It is something we will look to resolve, but only once we are sure the DNS issue is mitigated.
I did go hunting for a way to override the default, but it would appear as though this is a fixed constant
It is true that the image name is a constant, however, it can be overridden at a global level using the DRONE_RUNNER_CLONE_IMAGE environment variable.
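As an added example (not code from the Drone project or from anyone in this thread), a small Python check that decides whether a scanner finding like the expat one above is resolved in a given clone image, for instance one substituted via DRONE_RUNNER_CLONE_IMAGE, by comparing Alpine package versions numerically rather than as strings. The package lists below are constructed for the example, not read from a real image.

```python
import re
from typing import Dict, List, Tuple

# Finding and fix version as quoted in the thread (CVE, installed, fixed).
FINDING = {"cve": "CVE-2021-45960", "package": "expat",
           "installed": "2.2.9-r1", "fixed": "2.2.10-r2"}

# Constructed package inventories, shaped like `apk info -v` output would
# be after parsing; neither is taken from an actual drone/git image.
OLD_IMAGE: Dict[str, str] = {"expat": "2.2.9-r1"}
PATCHED_IMAGE: Dict[str, str] = {"expat": "2.2.10-r2"}


def parse_apk_version(version: str) -> Tuple[List[int], int]:
    """Split an Alpine version such as '2.2.10-r2' into numeric upstream
    components and the package release number. Only the plain 'X.Y.Z-rN'
    shape seen in the thread is handled; anything else raises instead of
    being compared incorrectly."""
    m = re.fullmatch(r"(\d+(?:\.\d+)*)-r(\d+)", version)
    if not m:
        raise ValueError(f"unsupported apk version string: {version!r}")
    return [int(p) for p in m.group(1).split(".")], int(m.group(2))


def apk_version_at_least(installed: str, fixed: str) -> bool:
    """True when `installed` is the fixed version or newer. Components are
    compared as integers, so 2.2.10 correctly sorts after 2.2.9, which a
    plain string comparison gets backwards."""
    return parse_apk_version(installed) >= parse_apk_version(fixed)


def unresolved_findings(image_packages: Dict[str, str],
                        findings: List[dict]) -> List[Tuple[str, str, str, str]]:
    """Return (cve, package, present, fixed) for each finding still open in
    the image; findings for packages the image does not carry do not apply."""
    still_open = []
    for f in findings:
        present = image_packages.get(f["package"])
        if present is None:
            continue
        if not apk_version_at_least(present, f["fixed"]):
            still_open.append((f["cve"], f["package"], present, f["fixed"]))
    return still_open


if __name__ == "__main__":
    print("old image:", unresolved_findings(OLD_IMAGE, [FINDING]))
    print("patched image:", unresolved_findings(PATCHED_IMAGE, [FINDING]))
```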
That was very helpful. We’ve bumped our deployment to
I think we can close this off.
CLONE_IMAGE is a satisfactory local workaround for anyone who happens to care about this minor issue.