Fix cves for libcrpyto3 and libssl3 (#3993) (#3995)

bjee19 · web-flow · commit d7be3deaaad8 · 2025-10-01T21:37:59.000Z
Update Dockerfile alpine packages libcrpyto3 and libssl3 to fix cves.
diff --git a/build/Dockerfile.nginx b/build/Dockerfile.nginx
@@ -5,9 +5,9 @@ FROM scratch AS nginx-files
 ADD --link --chown=101:1001 https://cs.nginx.com/static/keys/nginx_signing.rsa.pub nginx_signing.rsa.pub
 
 FROM nginx:1.29.1-alpine-otel
-# the following apk update and add are to address CVE-2025-59375 and CVE-2025-8961/CVE-2025-9165 respectively,
+# the following apk update and add are to address CVE-2025-59375, CVE-2025-8961/CVE-2025-9165, CVE-2025-9230, and CVE-2025-9231/CVE-2025-9232 respectively.
 # once a new base image is available with these package updates, they can be removed.
-RUN apk update && apk add --no-cache 'libexpat>=2.7.2-r0' 'tiff>=4.7.1-r0'
+RUN apk update && apk add --no-cache 'libexpat>=2.7.2-r0' 'tiff>=4.7.1-r0' 'libcrypto3>=3.5.4-r0' 'libssl3>=3.5.4-r0'
 
 # renovate: datasource=github-tags depName=nginx/agent
 ARG NGINX_AGENT_VERSION=v3.3.1
