nextcloud:latest is based on debian buster and uses old apache version

[hubi-hubi]

hello
first thank you for all the work!

I use a docker-compose setup which uses nextcloud:latest

docker-compose images
Container Repository Tag Image Id Size

nextcloud nextcloud latest 2f8c2f1cae24 868.6 MB
nextcloud-db mariadb latest 6d5c5ed114ad 407.6 MB

Last week a lot of CVE for apache were mentioned and one should upgrade to at lease 2.46.something.

nextcloud:latest still uses:
docker exec -it nextcloud /bin/bash
root@22...a:/var/www/html# dpkg -l | grep apa
ii apache2 2.4.38-3+deb10u4

https://packages.debian.org/buster/apache2
shows:
dep: apache2-bin (= 2.4.38-3+deb10u4)for buster
dep: apache2-bin (= 2.4.46-4~bpo10+1) for buster-backports
dep: apache2-bin (= 2.4.46-4) [alpha] for sid
dep: apache2-bin (= 2.4.48-3) [nicht alpha]for sid

to maintain the "A safe home for all your data" statement, the apache version of nextcloud should use at least all the backports
(or alpine as the fpm version does, alpine 3.14 uses 2.4.48)

I'm not sure if the apache is exploitable in the config nextcloud uses, but resent packages are probably safer than old ones.

Thank you

[hubi-hubi]

Hello
I tried to build this myself (which I really don't want to to every day to emulate docker pull for the official images)
I had to build my own php image (https://github.com/docker-library/php) by changing its Dockerfile from buster to bullseye
(good idea to do so? who knows)
on top of that image I build nextcloud (by changing Dockerfile-debian.template busert -> bullseye)
and did a docker build . -t nextcloud:foobar . in 22.0/apache

Of course I don't have any testbed to test whatever I build except my own little installation, but it runs on my system so lets ship it.

Please get the official image up to date. Thanks

[J0WI]

https://security-tracker.debian.org/tracker/source-package/apache2 is a more reliable source to track security issues in Debian packages. Bullseye is now stable and docker-library/php#1190 and #1562 should fix this issue.

[hubi-hubi]

Hello

Perhaps my issue wasn't expressed clearly, I don't wanted to say "use underlaying os xyz" more likely "use a secure version of apache" in official builds people will download by "docker pull nextcloud"

Wether its bullseye, security-tracker mentioned above, alpine ... is your decision.

Bug closed, so I changed my docker-compose file from selfmade image back to nextcloud:
(docker-compose pull done of course)

dpkg -l | grep apa
ii apache2 2.4.38-3+deb10u5

I'm not sure if 10u4 -> 10u5 fixes all the CVE, but
cat /etc/debian_version
10.10
does not look like bullseye, so back to my own image ...

[J0WI]

Please have a look at

• https://github.com/docker-library/faq#an-images-source-changed-in-git-now-what
• https://github.com/docker-library/faq#why-does-my-security-scanner-show-that-an-image-has-cves

Bullseye will be part of the next rebuild.