fix: update busybox version to fix CVE-2018-1000500

[ankitm123]

Signed-off-by: ankitm123 ankitmohapatra123@gmail.com

Fixes #1514

Description

The CVE is fixed in a newer version of busybox.

• https://nvd.nist.gov/vuln/detail/CVE-2018-1000500/cpes?expandCpeRanges=true
• https://gitlab.alpinelinux.org/alpine/aports/-/issues/11820

[google-cla]

Thanks for your pull request. It looks like this may be your first contribution to a Google open source project (if not, look below for help). Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA).

📝 Please visit https://cla.developers.google.com/ to sign.

Once you've signed (or fixed any issues), please reply here with @googlebot I signed it! and we'll verify it.

---

What to do if you already signed the CLA

Individual signers

• It's possible we don't have your GitHub username or you're using a different email address on your commit. Check your existing CLA data and verify that your email is set on your git commits.

Corporate signers

• Your company has a Point of Contact who decides which employees are authorized to participate. Ask your POC to be added to the group of authorized contributors. If you don't know who your Point of Contact is, direct the Google project maintainer to go/cla#troubleshoot (Public version).
• The email used to register you as an authorized contributor must be the email used for the Git commit. Check your existing CLA data and verify that your email is set on your git commits.
• The email used to register you as an authorized contributor must also be attached to your GitHub account.

ℹ️ Googlers: Go here for more info.

[ankitm123]

@googlebot I signed it!

[tejal29]

Thanks @ankitm123. I have a PR open for multi-arch images. i will fix it there #1531

[vguaglione]

Has this fix been merged into the debug v0.24.0 version just yet?

[ankitm123]

Has this fix been merged into the debug v0.24.0 version just yet?

Not yet @vguaglione
https://github.com/GoogleContainerTools/kaniko/blob/v0.24.0/deploy/Dockerfile_debug#L41

[vguaglione]

@ankitm123 Ok. We are currently pinned to v0.17.1 within our environment but can bump up to v0.24.0 if the fix will not be merged into earlier versions. Can you provide guidance?

[ankitm123]

@ankitm123 Ok. We are currently pinned to v0.17.1 within our environment but can bump up to v0.24.0 if the fix will not be merged into earlier versions. Can you provide guidance?

I am not one of the maintainers of kaniko, so I am not sure, when this fix will be merged, @tejal29 is the person who knows best abt this. My hunch is that it will get merged, once the multi-arch PR is done, but I could be wrong.