
Update curl/libcurl to >= 8.10 to fix CVE-2024-8096, e.g. in php:zts-alpine tag #1543

Open
rgoltz opened this issue Oct 5, 2024 · 1 comment

Comments

rgoltz commented Oct 5, 2024

Describe the issue

The most recent image tag for php:zts-alpine is using an outdated curl and libcurl version. This version is vulnerable to CVE-2024-8096. A fix is provided by the curl project in version 8.10.0 (or higher). This version was released on 11 Sep 2024 and contains the fix named "gtls: fix OCSP stapling management" to resolve this CVE.

Details from Image-Scan

| Field | Value |
|---|---|
| Vulnerability ID | CVE-2024-8096 (GHSA-gv3v-x3f3-7fxm) |
| Docker Scout | https://scout.docker.com/vulnerabilities/id/CVE-2024-8096 |
| CVE with CVSS | https://www.cve.org/CVERecord?id=CVE-2024-8096 |
| CWE Type | CWE-295: Improper Certificate Validation |
| Severity | Medium |
| Fix available | Yes |
| Installed version | 8.9.1-r2 |
| Fixed version | 8.10.0-r0 |
| Package Manager | OS |

You can find this vulnerability on docker-hub as well:
[screenshot of the Docker Hub vulnerability listing]

Question/Request

The latest build of the image tag php:zts-alpine on docker-hub was pushed on 27 Sep 2024.

  • Is the image built regularly (automatically or on request)?
  • Will the latest version of curl be included with the next tag update (and will the issue here be fixed by then)?

tianon commented Oct 22, 2024

It is rebuilt periodically, typically as a result of base image updates and PHP version bumps. Unfortunately, the Alpine base image doesn't update as often as it sometimes needs to, so this results in a bit of lag at the higher levels.

In regards to the CVE, is "OCSP stapling" a feature of libcurl that's commonly used in PHP projects? I don't think I've seen it used much, but that could be my sampling bias.

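As an added example (not code from the issue, from either commenter, or from the docker-library/php project), the following POSIX shell script performs the two checks this thread implies. It compares the `apk` package versions of curl and libcurl against the fixed version 8.10.0-r0 that the scan reports, and it reads the TLS backend out of the first line of `curl --version`, since the fix rgoltz quotes lives in curl's GnuTLS backend (`gtls`) and an image's libcurl may be built against a different TLS library. The `apk info -v` and `curl --version` lines are constructed samples so the script runs offline, and the version comparison is a simplified model of apk's ordering.

```shell
#!/bin/sh
# Added example; not code from the issue or the docker-library/php project.
# Two checks to run against an Alpine-based image before deciding whether
# CVE-2024-8096 matters for it:
#   1. is the installed curl/libcurl apk version below the fixed 8.10.0-r0?
#   2. which TLS backend is libcurl built against? (the fix is in the GnuTLS
#      backend, "gtls", so `curl --version` is worth recording too)
# All inputs below are constructed samples so the script runs offline.

FIXED_VERSION="8.10.0-r0"   # fixed version from the scan output in the issue

# Constructed sample of `apk info -v` output from an image with the old packages.
SAMPLE_APK_INFO='musl-1.2.5-r0
ca-certificates-20240705-r0
libcurl-8.9.1-r2
curl-8.9.1-r2
php-8.3.12-r0'

# Constructed first line of `curl --version` (assumed, not captured from the image).
SAMPLE_CURL_VERSION='curl 8.9.1 (x86_64-alpine-linux-musl) libcurl/8.9.1 OpenSSL/3.3.2 zlib/1.3.1 nghttp2/1.62.1'

# Succeed when apk-style version $1 is older than $2.
# "8.9.1-r2" becomes the component list "8 9 1 2": the pkgrel (-rN) is
# compared numerically after the upstream version components.
# Simplified: it does not model apk suffixes such as _rc or _p.
apk_version_lt() {
  a=$(printf '%s\n' "$1" | sed 's/-r\([0-9]*\)$/.\1/; s/\./ /g')
  b=$(printf '%s\n' "$2" | sed 's/-r\([0-9]*\)$/.\1/; s/\./ /g')
  set -- $a                      # positional params now hold the installed components
  for y in $b; do
    x=${1:-0}                    # pad a shorter installed version with zeros
    [ $# -gt 0 ] && shift
    [ "$x" -lt "$y" ] && return 0
    [ "$x" -gt "$y" ] && return 1
  done
  return 1                       # equal (or extra trailing components): not older
}

# Print "<pkg> <version> vulnerable|fixed" for every curl/libcurl package in
# the `apk info -v` text passed as $1.
curl_fix_status() {
  printf '%s\n' "$1" | grep -E '^(lib)?curl-' | while IFS= read -r line; do
    pkg=${line%%-[0-9]*}         # "libcurl-8.9.1-r2" -> "libcurl"
    ver=${line#"$pkg"-}          #                   -> "8.9.1-r2"
    if apk_version_lt "$ver" "$FIXED_VERSION"; then
      printf '%s %s vulnerable\n' "$pkg" "$ver"
    else
      printf '%s %s fixed\n' "$pkg" "$ver"
    fi
  done
}

# Print the TLS backend token (e.g. "OpenSSL/3.3.2", "GnuTLS/3.8.5") from the
# first line of `curl --version` passed as $1; empty if none of the common
# backend names is present.
tls_backend() {
  printf '%s\n' "$1" | tr ' ' '\n' \
    | grep -E '^(OpenSSL|GnuTLS|wolfSSL|mbedTLS|LibreSSL|BoringSSL|Schannel|SecureTransport|rustls)/' \
    | head -n 1
}

curl_fix_status "$SAMPLE_APK_INFO"
echo "TLS backend: $(tls_backend "$SAMPLE_CURL_VERSION")"
```

To run it against the real image, feed it the output of `docker run --rm php:zts-alpine apk info -v` and `docker run --rm php:zts-alpine curl --version | head -n 1` instead of the samples. Inside an Alpine image, `apk version -t 8.9.1-r2 8.10.0-r0` (which prints `<`) is the authoritative comparison and handles the version suffixes this script does not model. A GnuTLS backend plus an application that requests OCSP stapling is the combination the quoted fix addresses; an OpenSSL-linked libcurl still reports the vulnerable package version to a scanner, which is why both checks are shown.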