Update to alpine 3.20.1 to fix CVE-2023-42363, CVE-2023-42364, CVE-2023-42365, CVE-2023-42366

[dkwakkel]

Alpine 3.20.1 which contains the fix for busybox CVE-2023-42363, CVE-2023-42364, CVE-2023-42365, CVE-2023-42366
(alpinelinux/docker-alpine#401) is a month ago released. When will the base image of node be updated to this version?

[SimenB]

See https://github.com/nodejs/docker-node/blob/main/SECURITY.md (mostly its link https://github.com/docker-library/faq#why-does-my-security-scanner-show-that-an-image-has-cves)

[dkwakkel]

FYI: I checked the image, and saw it was using the right version of alpine and busybox which contains the fix. Still twistlock marks it is vulnerable.
Proabably given that on this page https://nvd.nist.gov/vuln/detail/CVE-2023-42366 it shows "affected configurations" as cpe:2.3:a:busybox:busybox:1.36.1:::::::* and thus twistlock still considers 1.36.1-r29 as vulnerable. Conclusion: false marked by twistlock as vulnerable.