From 362a7499c2bab2068d9afc076b57f9fb8aa20aef Mon Sep 17 00:00:00 2001
From: pyr0ball
Date: Wed, 27 May 2026 10:45:04 -0700
Subject: [PATCH] fix: revert to Alpine base (Debian bookworm has 149 CVEs vs Alpine's ~36)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Debian bookworm is frozen at June 2023 package versions. Key problem: mbedtls 2.28.3-1 (bookworm) vs mbedtls 3.6.6-r0 (Alpine 3.23) CVE-2026-34875 (9.8 critical) is fixed in mbedtls 3.6.6 — which Alpine already ships. Debian bookworm won't get that update. Similarly for 5+ other critical/high mbedtls CVEs and gnutls28 CVEs. Total: 149 CVEs on Debian bookworm vs ~36 on Alpine 3.23. Alpine's rolling model ships much newer package versions, which actually means fewer accumulated CVEs in key libraries like mbedtls, despite the reputation of 'Debian stable = secure'.
---
 Dockerfile | 23 ++++++++++++-----------
 Dockerfile.handbrake | 19 ++++++++-----------
 2 files changed, 20 insertions(+), 22 deletions(-)
diff --git a/Dockerfile b/Dockerfile
index 5e1526b..4391677 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -2,23 +2,24 @@ # ffmpeg/ffprobe: VIDEO_TS/BDMV metadata scanning and HEVC encode dispatch # openssh-client: remote encode dispatch to SSH transcode workers # -# Base: node:22-bookworm-slim (Debian bookworm) -# Debian's security team backports ffmpeg CVE patches to 5.1.x; Alpine's -# community ffmpeg package has had several high CVEs open for 12+ months. +# Base: node:22-alpine (Alpine 3.23) +# Alpine's rolling package model ships significantly newer versions than +# Debian stable (bookworm, frozen at June 2023). Key examples: +# mbedtls: Alpine 3.6.6 (patched) vs Debian bookworm 2.28.3 (unpatched) +# ffmpeg: Alpine 8.0.1 vs Debian bookworm 5.1.x # # HandBrake is NOT included — ffmpeg handles encoding by default. -# For HandBrake presets or forced-subtitle burn-in, use: +# For HandBrake presets or forced-subtitle burn-in: # pyr0ball/discarr:handbrake (or build from Dockerfile.handbrake) -# Or install natively: sudo bash install.sh -FROM node:22-bookworm-slim +FROM node:22-alpine -# Install ffmpeg and openssh-client, then clean apt lists -RUN apt-get update && \ - apt-get install -y --no-install-recommends \ +# Upgrade all packages to pick up any in-branch security patches, +# then add runtime deps in the same layer. +RUN apk upgrade --no-cache && \ + apk add --no-cache \ ffmpeg \ - openssh-client && \ - rm -rf /var/lib/apt/lists/* + openssh-client # Update npm to patch bundled tar/minimatch CVEs RUN npm install -g npm@latest && npm cache clean --force diff --git a/Dockerfile.handbrake b/Dockerfile.handbrake index 71d84fa..01e2806 100644 --- a/Dockerfile.handbrake +++ b/Dockerfile.handbrake 
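Review bot: `FROM node:22-alpine` floats across Alpine releases, so the "Alpine 3.23" and package-version claims in the new header comment are not tied to what a given build actually pulls; pin the base to the minor the comment cites, `FROM node:22-alpine3.23` (better still with an `@sha256:` digest), and pin `ffmpeg` and `openssh-client` in the `apk add` line (hadolint DL3018) so the advertised CVE posture is reproducible. The "mbedtls … 2.28.3 (unpatched)" line is also worth hedging in the comment: Debian backports security fixes without bumping the upstream version string, so a scanner that compares versions tends to overcount on bookworm — check the Debian security tracker for the specific CVE before recording "unpatched" as fact. `apk upgrade --no-cache` is a defensible trade-off here, but it makes the layer depend on build date rather than on the base digest, which the comment above it could say in one line, e.g. `# NOTE: apk upgrade makes this layer build-date dependent; rebuild to refresh.` Anything after the npm line (`USER`, `COPY`, `CMD`) is outside this hunk, so whether the image still runs as root cannot be judged from here.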
@@ -1,21 +1,18 @@ -# Discarr — HandBrake variant (Debian bookworm base) +# Discarr — HandBrake variant # Includes HandBrake for preset-based encoding and forced-subtitle burn-in. -# -# NOTE: HandBrake on Debian pulls in libavcodec/libavfilter from ffmpeg 5.1.x. -# The CVE profile is better than Alpine (Debian backports patches) but the -# HandBrake binary and its ffmpeg libs add surface area vs the default image. +# NOTE: Alpine's HandBrake package depends on both ffmpeg 8.x AND ffmpeg 7.x, +# which increases the CVE surface area compared to the default image. # Use this variant only if you specifically need HandBrake features. # # Build: docker build -f Dockerfile.handbrake -t pyr0ball/discarr:handbrake . -FROM node:22-bookworm-slim +FROM node:22-alpine -RUN apt-get update && \ - apt-get install -y --no-install-recommends \ +RUN apk upgrade --no-cache && \ + apk add --no-cache \ ffmpeg \ - handbrake-cli \ - openssh-client && \ - rm -rf /var/lib/apt/lists/* + handbrake \ + openssh-client RUN npm install -g npm@latest && npm cache clean --force
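Review bot: The switch from `handbrake-cli` to `handbrake` in the `apk add` line should be checked for what it pulls in — if the target Alpine branch ships a separate CLI-only subpackage (something like `handbrake-cli`), a headless image should install that rather than the full package, since GUI toolkit dependencies only widen the surface the NOTE comment is already worried about; `apk info -R handbrake` on the target branch will settle it. As in the main Dockerfile, `FROM node:22-alpine` floats and the packages are unpinned, so the "ffmpeg 8.x AND ffmpeg 7.x" statement describes one moment in time rather than the build; pin the minor (`FROM node:22-alpine3.23`, ideally by digest) and pin `ffmpeg`, `handbrake` and `openssh-client` versions. A one-line comment above `apk upgrade --no-cache`, e.g. `# apk upgrade makes this layer build-date dependent; rebuild to pick up fixes.`, would help whoever next diffs two builds of this image. The rest of the file after the npm line is outside the hunk.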