fix: revert to Alpine base (Debian bookworm has 149 CVEs vs Alpine's ~36)
Debian bookworm is frozen at June 2023 package versions. Key problem: mbedtls 2.28.3-1 (bookworm) vs mbedtls 3.6.6-r0 (Alpine 3.23).

CVE-2026-34875 (9.8 critical) is fixed in mbedtls 3.6.6 — which Alpine already ships. Debian bookworm won't get that update. Similarly for 5+ other critical/high mbedtls CVEs and gnutls28 CVEs.

Total: 149 CVEs on Debian bookworm vs ~36 on Alpine 3.23.

Alpine's rolling model ships much newer package versions, which actually means fewer accumulated CVEs in key libraries like mbedtls, despite the reputation of 'Debian stable = secure'.
This commit is contained in:
parent 93afa60b4f
commit 362a7499c2
2 changed files with 20 additions and 22 deletions
23
Dockerfile
@ -2,23 +2,24 @@
|
|||
# ffmpeg/ffprobe: VIDEO_TS/BDMV metadata scanning and HEVC encode dispatch
|
||||
# openssh-client: remote encode dispatch to SSH transcode workers
|
||||
#
|
||||
# Base: node:22-bookworm-slim (Debian bookworm)
|
||||
# Debian's security team backports ffmpeg CVE patches to 5.1.x; Alpine's
|
||||
# community ffmpeg package has had several high CVEs open for 12+ months.
|
||||
# Base: node:22-alpine (Alpine 3.23)
|
||||
# Alpine's rolling package model ships significantly newer versions than
|
||||
# Debian stable (bookworm, frozen at June 2023). Key examples:
|
||||
# mbedtls: Alpine 3.6.6 (patched) vs Debian bookworm 2.28.3 (unpatched)
|
||||
# ffmpeg: Alpine 8.0.1 vs Debian bookworm 5.1.x
|
||||
#
|
||||
# HandBrake is NOT included — ffmpeg handles encoding by default.
|
||||
# For HandBrake presets or forced-subtitle burn-in, use:
|
||||
# For HandBrake presets or forced-subtitle burn-in:
|
||||
# pyr0ball/discarr:handbrake (or build from Dockerfile.handbrake)
|
||||
# Or install natively: sudo bash install.sh
|
||||
|
||||
FROM node:22-bookworm-slim
|
||||
FROM node:22-alpine
|
||||
|
||||
# Install ffmpeg and openssh-client, then clean apt lists
|
||||
RUN apt-get update && \
|
||||
apt-get install -y --no-install-recommends \
|
||||
# Upgrade all packages to pick up any in-branch security patches,
|
||||
# then add runtime deps in the same layer.
|
||||
RUN apk upgrade --no-cache && \
|
||||
apk add --no-cache \
|
||||
ffmpeg \
|
||||
openssh-client && \
|
||||
rm -rf /var/lib/apt/lists/*
|
||||
openssh-client
|
||||
|
||||
# Update npm to patch bundled tar/minimatch CVEs
|
||||
RUN npm install -g npm@latest && npm cache clean --force
|
||||
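Review bot: the new header line `# mbedtls: Alpine 3.6.6 (patched) vs Debian bookworm 2.28.3 (unpatched)` derives "unpatched" from a version-string comparison, while the comment this hunk deletes (`# Debian's security team backports ffmpeg CVE patches to 5.1.x`) records that Debian fixes CVEs inside the frozen version; a scanner keyed on upstream version numbers flags backport-patched packages regardless, so either justify "unpatched" against the Debian security tracker for that CVE list or reword the comment to state the version and leave the fix status to the tracker. The rationale being removed (Alpine's community ffmpeg having had high CVEs open for 12+ months) is also worth keeping in the header as the documented trade-off rather than erasing it, so the next reader sees why both bases were weighed. Separately, `RUN apk upgrade --no-cache && \` / `apk add --no-cache \` with no version pins, combined with `RUN npm install -g npm@latest`, means two builds of this same commit can resolve to different package sets; since the whole point of the change is a specific mbedtls/ffmpeg version, pin the packages with apk's `name=version` syntax or at least emit `apk info -v` into the build log so the 149-vs-36 CVE comparison in the commit message can be reproduced against the image actually built.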
@ -1,21 +1,18 @@
|
|||
# Discarr — HandBrake variant (Debian bookworm base)
|
||||
# Discarr — HandBrake variant
|
||||
# Includes HandBrake for preset-based encoding and forced-subtitle burn-in.
|
||||
#
|
||||
# NOTE: HandBrake on Debian pulls in libavcodec/libavfilter from ffmpeg 5.1.x.
|
||||
# The CVE profile is better than Alpine (Debian backports patches) but the
|
||||
# HandBrake binary and its ffmpeg libs add surface area vs the default image.
|
||||
# NOTE: Alpine's HandBrake package depends on both ffmpeg 8.x AND ffmpeg 7.x,
|
||||
# which increases the CVE surface area compared to the default image.
|
||||
# Use this variant only if you specifically need HandBrake features.
|
||||
#
|
||||
# Build: docker build -f Dockerfile.handbrake -t pyr0ball/discarr:handbrake .
|
||||
|
||||
FROM node:22-bookworm-slim
|
||||
FROM node:22-alpine
|
||||
|
||||
RUN apt-get update && \
|
||||
apt-get install -y --no-install-recommends \
|
||||
RUN apk upgrade --no-cache && \
|
||||
apk add --no-cache \
|
||||
ffmpeg \
|
||||
handbrake-cli \
|
||||
openssh-client && \
|
||||
rm -rf /var/lib/apt/lists/*
|
||||
handbrake \
|
||||
openssh-client
|
||||
|
||||
RUN npm install -g npm@latest && npm cache clean --force
|
||||
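Review bot: the new NOTE (`# NOTE: Alpine's HandBrake package depends on both ffmpeg 8.x AND ffmpeg 7.x,` / `# which increases the CVE surface area compared to the default image.`) concedes that this variant ships two ffmpeg library stacks, but the 149-vs-36 comparison in the commit message covers only the default image; please state the CVE count for this variant, or compare it with the Debian-based build of this same file, which the deleted comment described as having the better CVE profile, otherwise the "use this variant only if you specifically need HandBrake" guidance has no number behind it. Second, the swap from `handbrake-cli \` to `handbrake \` changes what gets installed: the Debian package was CLI-only, so confirm that Alpine's `handbrake` package provides the HandBrakeCLI binary the application invokes and does not pull in GUI/GTK dependencies, which would widen exactly the surface area the comment warns about. The same reproducibility point as the default Dockerfile applies here: `apk upgrade --no-cache` plus unpinned `apk add` and `npm@latest` leave the ffmpeg 7.x/8.x versions floating between builds; pin or log them.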