Critical vulnerabilities on keydb 6.3.4 image #880
Comments
Hmm, the CVEs above are for golang, but keydb uses cpp/c?
Yes, but these vulnerabilities are on the eqalpha/keydb:latest image, which uses ubuntu 20.04.
I do not use keydb's image, but have built my own (also based on ubuntu 20.04). I cannot see go installed by default:
Can you confirm if the CVEs only affect keydb's image and not ubuntu 20.04 based images?
The CVEs only affect keydb's image. I have scanned the ubuntu image and it doesn't have these vulnerabilities.
Ah indeed. I can see in machamp_scripts/Dockerfile:
Likely that is the dependency that is running an older version of go. For those who can build their own image, perhaps you can try a later version using GOSU_VERSION...
Yes, the vulnerabilities are for this package. I built an image from ubuntu and installed gosu 1.17, and CVE-2022-23806 is fixed, but it's still affected by the other critical vulnerabilities. The following issue is created in gosu: tianon/gosu#136
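As an added example (not part of this thread, nor code from the keydb or gosu projects), a small POSIX shell script that reports the Go toolchain version embedded in a static Go binary such as gosu and compares it with a minimum version you choose, which is how one can check whether a rebuilt image actually picked up a newer toolchain. The sample "binary" and the versions go1.16.4 / go1.20.0 are constructed for the demonstration, not taken from the thread.

```shell
#!/bin/sh
# Added example: find the Go toolchain string baked into a Go binary and
# compare it against a minimum. The sample file below is constructed and is
# not a real gosu build.
set -eu

# Print the first go1.X[.Y] toolchain string found in a file (empty if none).
embedded_go_version() {
    grep -a -o 'go1\.[0-9][0-9]*\(\.[0-9][0-9]*\)\{0,1\}' "$1" | head -n 1
}

# Return 0 if version $1 sorts at or above version $2 (GNU/busybox sort -V).
version_at_least() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$2" ]
}

# Exit 0 when the binary's toolchain meets the minimum, 1 when it is older,
# 2 when no toolchain string is present (e.g. not a Go binary).
check_binary() {
    bin="$1"; min="$2"
    have="$(embedded_go_version "$bin")"
    if [ -z "$have" ]; then
        echo "$bin: no Go toolchain string found"
        return 2
    fi
    if version_at_least "$have" "$min"; then
        echo "$bin: built with $have (>= $min) OK"
        return 0
    fi
    echo "$bin: built with $have (< $min) NEEDS REBUILD"
    return 1
}

# Constructed sample: a fake static binary whose build info says go1.16.4.
SAMPLE="$(mktemp)"
trap 'rm -f "$SAMPLE"' EXIT
printf 'ELF\0\0gosu\0go1.16.4\0runtime.main\0' > "$SAMPLE"

# Demo run against a minimum of go1.20.0 (flags the sample as too old).
check_binary "$SAMPLE" go1.20.0 || true
```

On a host with a Go toolchain installed, `go version -m <binary>` reads the same build information directly and is the more reliable check.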
Hi,
The keydb 6.3.4 image is affected by the following critical vulnerabilities:
CVE-2024-24790, CVE-2023-24540, CVE-2023-24538, CVE-2022-23806
Would it be possible to update the image to fix these vulnerabilities?
Thanks for your help