There is no manifest for tag 7.88.1.
$ docker manifest inspect curlimages/curl:7.88.1
no such manifest: docker.io/curlimages/curl:7.88.1

Previous tag contains manifest:
$ docker manifest inspect curlimages/curl:7.87.0

{
   "schemaVersion": 2,
   "mediaType": "application/vnd.docker.distribution.manifest.list.v2+json",
   "manifests": [
      {
         "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
         "size": 2617,
         "digest": "sha256:904f15d15a2551bcee907137d23fc60debfaf8a8efd7efd286eca85a57d627b5",
         "platform": {
            "architecture": "arm",
            "os": "linux",
            "variant": "v7"
         }
      },
      {
         "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
         "size": 2617,
         "digest": "sha256:4311823d3576c0b7330beccbe09896ff0378c9c1c6f6974ff9064af803fed766",
         "platform": {
            "architecture": "amd64",
            "os": "linux"
         }
      },
      {
         "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
         "size": 2617,
         "digest": "sha256:5cd8d7b26a7700752d4ffcbe24994afbe81ebb4376baeb0bffcf49eb653745be",
         "platform": {
            "architecture": "arm64",
            "os": "linux"
         }
      },
      {
         "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
         "size": 2617,
         "digest": "sha256:1acc18bd8564f6353734484246f21f79f942b41f86b69196bcfc9f1535a2a36d",
         "platform": {
            "architecture": "ppc64le",
            "os": "linux"
         }
      },
      {
         "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
         "size": 2617,
         "digest": "sha256:373f9da4cd428845abe05247f17afa2da6aa2377d1ae98f0637338ab9e8fb8bc",
         "platform": {
            "architecture": "s390x",
            "os": "linux"
         }
      },
      {
         "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
         "size": 2617,
         "digest": "sha256:95fea1d44f98104d04fff9ed50971e48e5caf14fd29e11c2c8755f8b534a3cd3",
         "platform": {
            "architecture": "386",
            "os": "linux"
         }
      }
   ]
}

$ docker version
Client: Docker Engine - Community
 Version:           20.10.22
 API version:       1.41
 Go version:        go1.18.9
 Git commit:        3a2c30b
 Built:             Thu Dec 15 22:28:04 2022
 OS/Arch:           linux/amd64
 Context:           default
 Experimental:      true

Server:
 Engine:
  Version:          20.10.17
  API version:      1.41 (minimum version 1.12)
  Go version:       go1.18.5
  Git commit:       a89b842
  Built:            Mon Oct 17 06:20:42 2022
  OS/Arch:          linux/amd64
  Experimental:     false
 containerd:
  Version:          v1.6.6
  GitCommit:        10c12954828e7c7c9b6e0ea9b0c02b01407d3ae1
 runc:
  Version:          1.1.2
  GitCommit:        
 docker-init:
  Version:          0.19.0
  GitCommit:        de40ad0

After version 7.77 curl is not able to resolve hosts:

kubectl run --restart Never --image curlimages/curl:7.80.0 curl -- domain.com
kubectl logs curl

  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0curl: (6) Could not resolve host: domain.com

kubectl delete pod curl
kubectl run --restart Never --image curlimages/curl:7.77.0 curl -- domain.com
kubectl logs curl

  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
<html>
<head><title>301 Moved Permanently</title></head>
<body>
<center><h1>301 Moved Permanently</h1></center>
<hr><center>nginx</center>
</body>
</html>
100   162  100   162    0     0    295      0 --:--:-- --:--:-- --:--:--   295

I think this is due to problems with Alpine and Kubernetes dns reported, like this: https://www.openwall.com/lists/musl/2018/03/30/7

deeper scanning reveals an issue with openssl for alpine 3.11.5

this is captured in travis build log here
https://travis-ci.org/github/curl/curl-docker/builds/682221352#L22408

openssl | CVE-2020-1967 is described here
https://nvd.nist.gov/vuln/detail/CVE-2020-1967

Please build the binary with Metalink support.

Thanks

There is security vulnerability (CVE-2022-37434) in alpine image and curl-docker image is using that image as a base image .

upgrade to alpine:3.15 should fix the problem.

SecurityVulnerability--> https://access.redhat.com/security/cve/CVE-2022-37434

Is it possible to include OpenSSL?

I need to sign HMAC and it requires the openssl command.

showing Release-Date: [unreleased] ... need to investigate

In a gitlab pipeline I'm using curlimages/curl to execute simple curl commands like:

curl -H "$HEADER_ACCEPT" -u "$CREDENTIALS" "https://${DOCKER_REGISTRY}/v2/${DOCKER_REPO}/manifests/${CI_COMMIT_SHA}"

It worked well with latest tag until the release of 8.1.0. The error now is:

* Closing connection -1
curl: (3) URL using bad/illegal format or missing URL

Reverting back to 7.88.1 solved the problem

$ docker run curlimages/curl --http3
curl: option --http3: the installed libcurl version doesn't support this

This sounds like curl would support HTTP/3, but the wrong or old version of libcurl is used. Can this docker image be updated so it supports HTTP/3? (Yes, I know the feature is experimental.)

https://alpinelinux.org/posts/Alpine-3.15.2-released.html

parent issue for implementing initial version of official curl docker image

Hi curl hackers, for http3 support we need to update libcurl library, is it possible ? ( I tested on ubuntu 18.04 + your curl-docker )
@xquery @bagder @ducksecops
docker run --rm curlimages/curl:7.71.1 --http3 https://www.cloudflare.com/ -I
curl: option --http3: the installed libcurl version doesn't support this
curl: try 'curl --help' or 'curl --manual' for more information

Looks, like pass env doesnt work docker run -e LD_LIBRARY_PATH='/usr/lib/x86_64-linux-gnu/libcurl.so.4.5.0' --rm curlimages/curl:7.71.1 --http3 https://www.cloudflare.com/ -I

The currently published curl-docker:7.75.0 contains libcrypto and libssl 1.1.1i-r0 which is vulnerable to CVE-2021-23840.
Can you please rebuild/publish the current code? Alpine updated their repos with libssl and libcrypto 1.1.1j-r0

This is the scan result

Image                     ID                  CVE              Package    Version      Severity    Status                CVSS
-----                     --                  ---              -------    -------      --------    ------                ----
curlimages/curl:7.69.0    bdd0d907e7f31dfe    CVE-2019-1551    openssl    1.1.1d-r0    medium      fixed in 1.1.1d-r2    5.3

It will be cool if this docker image has alternative tags with bash, sometimes ash is pretty limited

quay.io reported existence of CVE related to musl

It would be great if you could do the steps to get into Dockers standard library aka "Official Images".

There are some administrative steps to fulfill:
https://github.com/docker-library/official-images#contributing-to-the-standard-library

This will enhance maintenance, trust and visibility of this Docker image. Images in the library are also rebuilt against new base image releases and it supports multiarch builds.

curl/curl as the image name isn't quite right.

Very nitty I know. :-)

Thanks for the image.

trivy image curlimages/curl
2021-08-30T15:34:48.134+0200 WARN You should avoid using the :latest tag as it is cached. You need to specify '--clear-cache' option when :latest image is changed
2021-08-30T15:34:48.139+0200 INFO Need to update DB
2021-08-30T15:34:48.139+0200 INFO Downloading DB...
23.09 MiB / 23.09 MiB [--------------------------------------------------------------------------------------------------------------------------] 100.00% 1.14 MiB p/s 21s
2021-08-30T15:35:15.867+0200 WARN This OS version is not on the EOL list: alpine 3.14
2021-08-30T15:35:15.867+0200 INFO Detecting Alpine vulnerabilities...
2021-08-30T15:35:15.867+0200 INFO Trivy skips scanning programming language libraries because no supported file was detected
2021-08-30T15:35:15.867+0200 WARN This OS version is no longer supported by the distribution: alpine 3.14.0
2021-08-30T15:35:15.868+0200 WARN The vulnerability detection may be insufficient because security updates are not provided

curlimages/curl (alpine 3.14.0)

Total: 5 (UNKNOWN: 0, LOW: 0, MEDIUM: 2, HIGH: 2, CRITICAL: 1)

+--------------+------------------+----------+-------------------+---------------+---------------------------------------+
| LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION | TITLE |
+--------------+------------------+----------+-------------------+---------------+---------------------------------------+
| apk-tools | CVE-2021-36159 | CRITICAL | 2.12.5-r1 | 2.12.6-r0 | libfetch before 2021-07-26, as |
| | | | | | used in apk-tools, xbps, and |
| | | | | | other products, mishandles... |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-36159 |
+--------------+------------------+----------+-------------------+---------------+---------------------------------------+

See curl/curl#3714

Looks like commit a9663b8 duplicated the following line:

COPY --from=builder "/alpine/usr/local/lib/libcurl.so" "/usr/lib/libcurl.so"

Using this image in a jenkins slave pod fails.

Here is an example jenkinsfile (using the Kuberneted plugin):

podTemplate(
  containers: [
    containerTemplate(
      image: "curlimages/curl:7.70.0",
      name: 'curl',
      command: 'cat',
      ttyEnabled: true
    )
  ]
)
{
node(POD_LABEL){

  stage('Curl google'){
    container('curl') {
      sh "curl google.com"
    }
  }
}
}

Which fails with:

[Pipeline] stage
[Pipeline] { (Curl google)
[Pipeline] container
[Pipeline] {
[Pipeline] sh
process apparently never started in /home/jenkins/agent/workspace/network-debugger_master@tmp/durable-6e3552c0
(running Jenkins temporarily with -Dorg.jenkinsci.plugins.durabletask.BourneShellScript.LAUNCH_DIAGNOSTICS=true might make the problem clearer)
[Pipeline] }

Meanwhile, the following Jenkinsfile works as expected:

podTemplate(
  containers: [
    containerTemplate(
      image: "centos:8",
      name: 'curl',
      command: 'cat',
      ttyEnabled: true
    )
  ]
)
{
node(POD_LABEL){

  stage('Curl google'){
    container('curl') {
      sh "curl google.com"
    }
  }
}
}

Hi, is there a plan to create multi-arch images to add arm64 and armhf architectures?

I've just noticed that an upgrade from 8.00.1 to 8.1.0 has caused a curl command to fail to load a p12 certificate. The error returned is not very verbose:

  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0  0     0    0     0    0     0      0
      0 --:--:-- --:--:-- --:--:--     0*   Trying 88.99.146.130:443...
* Connected to pdns.roobre.es (88.99.146.130) port 443 (#0)
* ALPN: offers h2,http/1.1
* could not parse PKCS12 file, check password, OpenSSL error error:0308010C:digital envelope routines::unsupported
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
* Closing connection 0
curl: (58) could not parse PKCS12 file, check password, OpenSSL error error:0308010C:digital envelope routines::unsupported

The command triggering this is:

curl -SvX PATCH -H "Content-Type: text/json" -d "something something" -H "X-API-Key: $API_KEY" "https://pdns.roobre.es/api/v1/servers/localhost/zones/$zone" -E "/roobre-k8s.p12:$CERT_PASS" --cert-type P12

$CERT_PASS contains the correct password for /roobre-k8s.p12, and the same command works on curlimages/curl:8.00.1.

I should be able to provide some more info if needed :)

Hi.

Since curl is commonly used for downloading files, it would be nice to allow something like this:

docker run --rm curlimages/curl:lastest <host>/some-file.txt --output some-file.txt

so, the above command would be equivalent as:

curl <host>/some-file.txt --output some-file.txt

however, if you try this in the current curl-docker, it raises the following error:

➜  ~ docker run --rm curlimages/curl:7.67.0 https://www.google.com/humans.txt --output humans.txt
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0Warning: Failed to create the file humans.txt: Permission denied
100   286  100   286    0     0    561      0 --:--:-- --:--:-- --:--:--   562
curl: (23) Failed writing body (0 != 286)

regards,

Hi All,

I have curl install which is having version 7.29.0 and I want to upgrade to the latest of v7.78.0 but issue is that i want to upgrade curl inside the docker container when i try to upgrade curl its showing the 7.29.0 version and also docker container command are using yum NOT apt.

I try to create a new Dockerfile in that its not working while creating image its showing curl v7.29.0

Please update curlimages/curl to 8.1.2 to get fixes such as that for curl/curl#11194.

i would like to have "curl_user" user to access the "ping" protocol with this image. Currently the ping has only root access,

[asdfa-0 ~(asdfa)]$ kubectl exec -it client-pod -- ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8): 56 data bytes
ping: permission denied (are you root?)
command terminated with exit code 1

is there a way to execute it as root?

Hello.
I have a problem because looks like curl doesn't recognize env variables.

E.g.

$ docker run -e "HOST1=vm1.sucharka.pl" --rm curlimages/curl:7.83.1 $HOST1                                                                                                                                    
curl: try 'curl --help' or 'curl --manual' for more information

Is it possible to use ENV variables in curl image or I need to create my own image with /bin/sh entrypoint?

I tried upload a local file to my ftp server using this command:

docker run --rm curlimages/curl --T test.txt ftp://ftp_user:[email protected]

I get the following error:

curl: Can't open 'test.txt'!

Of course, if I just write the command with curl, it's ok:

curl --T test.txt ftp://ftp_user:[email protected]

I suppose it can't work because test.txt is not in the container.
With other containers, I'm used to specify a -v "$PWD:/workdirectory" option, but I dont' know if it's available in this container.

Am I missing an option or a work directory to use local files?

Thanks.

Just downloaded the latest curl docker image from dockerhub and going into the container I don't see support for SFTP?

https://curl.se/changes.html#7_74_0

Given the CVEs being patched in the two versions it would be great with a release with the newest alpine version included.

Currently, we see in https://github.com/curl/curl-docker/blob/master/alpine/latest/Dockerfile#L77 that the docker container is being run as a specific user, while from a security point of view, this sounds sensible initially, it is actually wrong from the docker point of view for the following reasons:

• If the container is to be run as root (for whatever reason the user has) has to be forced with --user 0:0, which is very counter intuitive compared to other docker containers.
• If a user of the container wishes to use it as its base for things (for example to add git, by doing apk add git) this is no longer possible (permission denied). This especially breaks behavior for CI systems, such as gitlab for example, where one would pick this container as its base image, and then add stuff on top of it for their use

It's best to follow standard docker practices, by not forcing some arbitrary user in the default configuration.

Before 7.86.0 version, the image used the NO_PROXY and no_proxy environment variable. It does not work anymore since 7.86.0 version.

Why not tag the latest docker image with "latest"?

If it was tagged, "docker pull curlimages/curl" would work (see the suggested pull command on: https://hub.docker.com/r/curlimages/curl).

we are pinned at alpine 3.12.5 for release as we encounter some resolving issue with alpine 3.13 ... need to investigate

This is an experimental feature, so make fails:

docker build --compress --squash --build-arg CURL_CONFIGURE_OPTION= --build-arg CURL_RELEASE_TAG=curl-7_66_0 --build-arg CURL_RELEASE_VERSION=7_66_0 --build-arg CURL_GIT_REPO=https://github.com/curl/curl.git --label Name=curl --label Version=1.0.0 --label se.haxx.curl=curl --label se.haxx.curl.version=7_66_0 --label se.haxx.curl.release_tag=curl-7_66_0 --label se.haxx.curl.description="network utility" -t "curl/curl:7_66_0" -f Dockerfile .

"--squash" is only supported on a Docker daemon with experimental features enabled

See https://docs.docker.com/engine/reference/commandline/image_build/ which requires --experimantal true in the docker daemon config.

Why is this experimental option needed? The build already use multi-stage Dockerfile , so if the goal is to reduce the 3 layers from COPY perhaps it could work to replace them with:

COPY --from=builder /alpine/usr/local/ /usr/

Or if we really do not want the other things from /usr/local perhaps prepare the /usr-to-be first within the builder steps as a new /target/usr or so - however I would think at least the curl license was required to copy over?

We are unable to use your image as we've detected this vulnerability.
I'm happy to raise a PR to address this.

Scan results for image curlimages/curl:latest

Vulnerabilities
+----------------+----------+------+-----------+-----------+--------------------+-----------+------------+------------+----------------------------------------------------+
| CVE | SEVERITY | CVSS | PACKAGE | VERSION | STATUS | PUBLISHED | DISCOVERED | GRACE DAYS | DESCRIPTION |
+----------------+----------+------+-----------+-----------+--------------------+-----------+------------+------------+----------------------------------------------------+
| CVE-2021-30139 | high | 7.50 | apk-tools | 2.10.5-r1 | fixed in 2.10.6-r0 | 27 days | < 1 hour | -8 | In Alpine Linux apk-tools before 2.12.5, the |
| | | | | | 27 days ago | | | | tarball parser allows a buffer overflow and crash. |
+----------------+----------+------+-----------+-----------+--------------------+-----------+------------+------------+----------------------------------------------------+

Vulnerabilities found for image curlimages/curl:latest: total - 1, critical - 0, high - 1, medium - 0, low - 0
Scan failed due to vulnerability policy violations: Fail on High or above vulnerabilities, 1 vulnerabilities, [high:1]

github container registry, quay, etc

If you try to run the image in a Kubernetes cluster that has a PSP policy for nonRoot, you get the following error:

Error: container has runAsNonRoot and image has non-numeric user (curl_user), cannot verify user is non-root

In the Dockerfile when the curl_user is created if we set the UID then to something we know and then change the USER line to be the UID of the curl_user then I think it will solve this without negatively impacting the current design/setup.

Travis CI changed their infrastructure and policies for open source repos:
https://blog.travis-ci.com/2020-11-02-travis-ci-new-billing

It seems that they started to limit the concurrent builds for open source projects recently: https://www.traviscistatus.com/

Tests will stop working completely by the end of the year:

We are announcing that travis-ci.org will be officially closed down completely no later than December 31st, 2020

https://docs.travis-ci.com/user/migrate/open-source-repository-migration