From d072364f1ebf98b90b6f787548d2a6524df6876b Mon Sep 17 00:00:00 2001
From: bjee19 <139261241+bjee19@users.noreply.github.com>
Date: Tue, 30 Sep 2025 11:21:57 -0700
Subject: [PATCH] Update Dockerfile alpine packages for cve fixes (#3973)
Update Dockerfile alpine packages libexpat and tiff to fix cves.
---
 build/Dockerfile.nginx | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/build/Dockerfile.nginx b/build/Dockerfile.nginx
index 06de8c63e4..cd6ca8045e 100644
--- a/build/Dockerfile.nginx
+++ b/build/Dockerfile.nginx
@@ -5,6 +5,9 @@ FROM scratch AS nginx-files
 ADD --link --chown=101:1001 https://cs.nginx.com/static/keys/nginx_signing.rsa.pub nginx_signing.rsa.pub
 FROM nginx:1.29.1-alpine-otel
+# the following apk update and add are to address CVE-2025-59375 and CVE-2025-8961/CVE-2025-9165 respectively,
+# once a new base image is available with these package updates, they can be removed.
+RUN apk update && apk add --no-cache 'libexpat>=2.7.2-r0' 'tiff>=4.7.1-r0'
 # renovate: datasource=github-tags depName=nginx/agent
 ARG NGINX_AGENT_VERSION=v3.3.1
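Review bot: The added `RUN` line calls `apk update` before `apk add --no-cache`, which is redundant and leaves the downloaded APKINDEX files under `/var/cache/apk` in this layer; `--no-cache` already fetches a fresh index and stores nothing. I would drop the first command: `RUN apk add --no-cache 'libexpat>=2.7.2-r0' 'tiff>=4.7.1-r0'`. The `>=` floors suit a CVE workaround, because the build fails when the repository cannot supply a fixed version instead of silently keeping the vulnerable one. The stage that starts at `FROM nginx:1.29.1-alpine-otel` continues past the end of the hunk, so whether a later step clears the apk cache is not visible here.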