Tags: .net, openssl, dockerfile, debian, debian-buster

How to upgrade OpenSSL in a Dockerfile


I have the Dockerfile below. As build-env we use Debian Buster, but as our apps are still not updated, we are also using .NET 5. With this image we have OpenSSL 1.1.1n, giving us critical security vulnerabilities. I've tried to update it, but after building the image OpenSSL still remains at the same version. Is there any way to force the update of OpenSSL?

FROM debian:buster AS build-env
WORKDIR /app

# Copy csproj and restore as distinct layers
COPY . ./

# Update, install ca-certificates, tzdata, wget.
RUN apt-get update && apt-get install -y \
  ca-certificates \
  tzdata \
  wget

# Install latest OpenSSL
RUN apk update && apk upgrade openssl

# Install .Net 5
RUN wget https://packages.microsoft.com/config/debian/10/packages-microsoft-prod.deb -O packages-microsoft-prod.deb
RUN dpkg -i packages-microsoft-prod.deb
RUN apt-get update; \
  apt-get install -y apt-transport-https && \
  apt-get update && \
  apt-get install -y dotnet-sdk-5.0  # or dotnet-runtime-5.0 for only the runtime

#clean all existing binaries
RUN find -type d -name bin -prune -exec rm -rf {} \; && find -type d -name obj -prune -exec rm -rf {} \;

WORKDIR /app/Qu.Reporting.Api
RUN dotnet clean; dotnet restore --configfile ../NuGet.config

# Copy everything else and build
RUN dotnet publish -c Release -o out Reporting.Api.csproj

# Build runtime image
FROM mcr.microsoft.com/dotnet/aspnet:5.0

# set noninteractive installation and install required libraries
# RUN export DEBIAN_FRONTEND=noninteractive \
#     && apt-get update \
#     && apt-get install -y --no-install-recommends \
#     tzdata \
#     && rm -rf /var/lib/apt/lists/*

RUN apt-get update && apt-get install -y libgdiplus

WORKDIR /app

# Continue building runtime image
COPY --from=build-env /app/Reporting.Api/out/ .
ENTRYPOINT ["dotnet", "Reporting.Api.dll"]

Thanks.


Solution

  • Your Dockerfile has multiple stages. It looks like you're attempting to upgrade OpenSSL in the build-env stage, which is the stage that is building/publishing your .NET project. But that's not the final stage of the Dockerfile. The final stage is indicated by the FROM mcr.microsoft.com/dotnet/aspnet:5.0 instruction. That's the stage which produces the final image that's output by the Docker build, and in that stage you don't upgrade OpenSSL at all.

    I would recommend upgrading more than just OpenSSL, as there are plenty of other packages that probably have vulnerabilities as well. I suggest replacing RUN apt-get update && apt-get install -y libgdiplus with this:

    RUN apt-get update \
          && apt-get upgrade -y \
          && apt-get install -y libgdiplus \
          && rm -rf /var/lib/apt/lists/*
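The mistake described in the answer (a package upgrade that only runs in an intermediate stage and never reaches the image that ships) is easy to catch mechanically. The script below is an added example, not code from the question or the answer: it folds backslash-continued lines, splits a Dockerfile into its FROM stages, and reports per stage whether an apt-get upgrade/dist-upgrade or apk upgrade runs there, flagging the case where the upgrade lives only in a non-final stage. The two Dockerfiles it checks are constructed here to mirror the before/after of this thread; the paths, function names and the `stage_report` output format are this example's own.

```shell
#!/bin/sh
# Added example (not from the original question or answer): lint a Dockerfile
# for package upgrades that land only in a non-final stage.
# The two Dockerfiles written below are constructed test inputs.

# stage_report FILE: print "<stage#> <base image> <upgrade yes|no>" per stage.
stage_report() {
  awk '
    # Fold backslash-continued lines so a multi-line RUN is one instruction.
    /\\[ \t]*$/ { sub(/\\[ \t]*$/, ""); buf = buf $0; next }
    { line = buf $0; buf = ""; sub(/^[ \t]+/, "", line) }
    toupper(line) ~ /^FROM[ \t]/ {
      n++; split(line, f, /[ \t]+/); base[n] = f[2]; up[n] = "no"; next
    }
    n > 0 && toupper(line) ~ /^RUN[ \t]/ && line ~ /apt-get[ \t]+(dist-)?upgrade|apk[ \t]+upgrade/ { up[n] = "yes" }
    END { for (i = 1; i <= n; i++) print i, base[i], up[i] }
  ' "$1"
}

# final_stage_status FILE: "yes" if the last stage runs an upgrade, else "no".
final_stage_status() {
  stage_report "$1" | tail -n 1 | awk '{ print $3 }'
}

# upgraded_in_wrong_stage FILE: "yes" when an upgrade appears in some earlier
# stage but not in the final one, i.e. the situation in the question.
upgraded_in_wrong_stage() {
  total=$(stage_report "$1" | awk 'END { print NR }')
  early=$(stage_report "$1" | awk -v last="$total" '$1 < last && $3 == "yes" { c++ } END { print c + 0 }')
  if [ "$early" -gt 0 ] && [ "$(final_stage_status "$1")" = "no" ]; then
    echo yes
  else
    echo no
  fi
}

# Constructed inputs: the pattern from the question, and the answer's fix.
BROKEN=$(mktemp)
FIXED=$(mktemp)
trap 'rm -f "$BROKEN" "$FIXED"' EXIT

cat > "$BROKEN" <<'EOF'
FROM debian:buster AS build-env
RUN apt-get update && apt-get install -y ca-certificates \
  && apt-get upgrade -y
RUN echo "build and publish here"
FROM mcr.microsoft.com/dotnet/aspnet:5.0
RUN apt-get update && apt-get install -y libgdiplus
EOF

cat > "$FIXED" <<'EOF'
FROM debian:buster AS build-env
RUN apt-get update && apt-get install -y ca-certificates
FROM mcr.microsoft.com/dotnet/aspnet:5.0
RUN apt-get update \
      && apt-get upgrade -y \
      && apt-get install -y libgdiplus \
      && rm -rf /var/lib/apt/lists/*
EOF

for f in "$BROKEN" "$FIXED"; do
  echo "== $f"
  stage_report "$f"
  echo "upgrade only in a non-final stage: $(upgraded_in_wrong_stage "$f")"
done
```

After rebuilding with the upgrade in the final stage, confirm the result on the image itself rather than trusting the Dockerfile, for example with `docker run --rm <image> openssl version` or `docker run --rm <image> dpkg -s libssl1.1`, and compare the reported version against the fixed release for the advisory you care about. Note that `apt-get upgrade` in a stage only helps if the base image's distribution still publishes security updates for that package; for an end-of-life base, a newer tag or base image is the real fix.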