alpine:latest has CVE-2020-1971 for libssl1.1 and libcrypto1.1 #125

Closed
redbelow opened this issue Dec 15, 2020 · 3 comments
Comments


redbelow commented Dec 15, 2020

Getting CVE-2020-1971 for alpine:latest (3.12.2 in this case), similar to #39:

```
trivy image alpine:latest
2020-12-15T13:06:34.066-0600	WARN	You should avoid using the :latest tag as it is cached. You need to specify '--clear-cache' option when :latest image is changed
2020-12-15T13:06:35.831-0600	INFO	Detecting Alpine vulnerabilities...
2020-12-15T13:06:35.832-0600	INFO	Trivy skips scanning programming language libraries because no supported file was detected

alpine:latest (alpine 3.12.2)
=============================
Total: 2 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 2, CRITICAL: 0)

+--------------+------------------+----------+-------------------+---------------+--------------------------------+-----------------------------------+
|   LIBRARY    | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION |             TITLE              |                URL                |
+--------------+------------------+----------+-------------------+---------------+--------------------------------+-----------------------------------+
| libcrypto1.1 | CVE-2020-1971    | HIGH     | 1.1.1g-r0         | 1.1.1i-r0     | The X.509 GeneralName          | avd.aquasec.com/nvd/cve-2020-1971 |
|              |                  |          |                   |               | type is a generic type         |                                   |
|              |                  |          |                   |               | for representing different     |                                   |
|              |                  |          |                   |               | types...                       |                                   |
+--------------+                  +          +                   +               +                                +                                   +
| libssl1.1    |                  |          |                   |               |                                |                                   |
|              |                  |          |                   |               |                                |                                   |
|              |                  |          |                   |               |                                |                                   |
|              |                  |          |                   |               |                                |                                   |
+--------------+------------------+----------+-------------------+---------------+--------------------------------+-----------------------------------+
```

Upgrading the packages fixes it:

```
cat Dockerfile 
From alpine:latest

RUN apk update && apk upgrade -U -a
docker build -t local .
Sending build context to Docker daemon  1.136MB
Step 1/2 : From alpine:latest
latest: Pulling from library/alpine
05e7bc50f07f: Pull complete 
Digest: sha256:a126728cb7db157f0deb377bcba3c5e473e612d7bafc27f6bb4e5e083f9f08c2
Status: Downloaded newer image for alpine:latest
 ---> b14afc6dfb98
Step 2/2 : RUN apk update && apk upgrade -U -a
 ---> Running in af97e3b30670
fetch http://dl-cdn.alpinelinux.org/alpine/v3.12/main/x86_64/APKINDEX.tar.gz
fetch http://dl-cdn.alpinelinux.org/alpine/v3.12/community/x86_64/APKINDEX.tar.gz
v3.12.2-32-g434125893a [http://dl-cdn.alpinelinux.org/alpine/v3.12/main]
v3.12.2-28-g19bfc5f39e [http://dl-cdn.alpinelinux.org/alpine/v3.12/community]
OK: 12747 distinct packages available
(1/2) Upgrading libcrypto1.1 (1.1.1g-r0 -> 1.1.1i-r0)
(2/2) Upgrading libssl1.1 (1.1.1g-r0 -> 1.1.1i-r0)
OK: 6 MiB in 14 packages
Removing intermediate container af97e3b30670
 ---> f9f6a9f4fb07
Successfully built f9f6a9f4fb07
Successfully tagged local:latest
$ trivy image local:latest
2020-12-15T13:11:15.920-0600	WARN	You should avoid using the :latest tag as it is cached. You need to specify '--clear-cache' option when :latest image is changed
2020-12-15T13:11:16.073-0600	INFO	Detecting Alpine vulnerabilities...
2020-12-15T13:11:16.073-0600	INFO	Trivy skips scanning programming language libraries because no supported file was detected

local:latest (alpine 3.12.2)
============================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
```
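The workflow in the post above (scan the base image, upgrade the affected packages, scan again and confirm the HIGH findings are gone) is the kind of check a CI pipeline should make automatically rather than by eye. The following is an added example, not code from this issue, Trivy or Alpine: it parses Trivy's JSON output (`trivy image --format json`), keeps HIGH/CRITICAL findings that have a fixed version, and confirms the installed package really is older than the fix using a simplified comparison of Alpine apk version strings such as `1.1.1g-r0` versus `1.1.1i-r0`. The two JSON documents are constructed from the numbers in the issue, the `Results`/`Vulnerabilities` layout is an assumption about Trivy's JSON schema, and the version parser deliberately ignores apk's `_alpha`/`_pre`/`_p` suffixes.

```python
"""Gate a container build on Trivy findings (added example, not Trivy's,
Alpine's or this project's own code). Parses Trivy JSON output, keeps
HIGH/CRITICAL findings that have a fixed version, and confirms the installed
package is older than the fix under a simplified apk version ordering."""
import json
import re

# Constructed sample mirroring the table in the issue. The "Results" ->
# "Vulnerabilities" layout is an assumption about Trivy's JSON schema.
SAMPLE_BEFORE_UPGRADE = json.dumps({
    "Results": [{
        "Target": "alpine:latest (alpine 3.12.2)",
        "Vulnerabilities": [
            {"VulnerabilityID": "CVE-2020-1971", "PkgName": "libcrypto1.1",
             "InstalledVersion": "1.1.1g-r0", "FixedVersion": "1.1.1i-r0",
             "Severity": "HIGH"},
            {"VulnerabilityID": "CVE-2020-1971", "PkgName": "libssl1.1",
             "InstalledVersion": "1.1.1g-r0", "FixedVersion": "1.1.1i-r0",
             "Severity": "HIGH"},
        ],
    }]
})

# Constructed sample for the rebuilt image after `apk upgrade`: no findings.
SAMPLE_AFTER_UPGRADE = json.dumps({
    "Results": [{"Target": "local:latest (alpine 3.12.2)",
                 "Vulnerabilities": None}]
})

# Simplified apk version: dotted numbers, optional single letter, optional -rN.
_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)([a-z]?)(?:-r(\d+))?$")

def parse_apk_version(version):
    """Split '1.1.1g-r0' into ((1, 1, 1), 'g', 0). Suffixes such as _alpha,
    _pre or _p are not handled and raise ValueError."""
    m = _VERSION_RE.match(version)
    if not m:
        raise ValueError("unsupported apk version string: %s" % version)
    numbers = tuple(int(x) for x in m.group(1).split("."))
    letter = m.group(2)
    release = int(m.group(3)) if m.group(3) is not None else 0
    return numbers, letter, release

def is_older(installed, fixed):
    """True when installed sorts before fixed; tuple comparison orders the
    numeric parts first, then the letter (''/'g'/'i'), then the -rN release."""
    return parse_apk_version(installed) < parse_apk_version(fixed)

FAIL_ON = {"HIGH", "CRITICAL"}

def fixable_findings(trivy_json, fail_on=FAIL_ON):
    """Return (target, package, cve, installed, fixed) tuples for findings at
    or above the threshold that an `apk upgrade` would actually resolve."""
    report = json.loads(trivy_json)
    # Older Trivy releases emitted a bare list of results instead of an object.
    results = report["Results"] if isinstance(report, dict) else report
    findings = []
    for result in results:
        for vuln in result.get("Vulnerabilities") or []:
            if vuln.get("Severity") not in fail_on:
                continue
            fixed = vuln.get("FixedVersion")
            if not fixed:
                # No packaged fix yet: an upgrade cannot clear it, so track it
                # separately rather than block the build on it here.
                continue
            if is_older(vuln["InstalledVersion"], fixed):
                findings.append((result["Target"], vuln["PkgName"],
                                 vuln["VulnerabilityID"],
                                 vuln["InstalledVersion"], fixed))
    return findings

def build_should_fail(trivy_json):
    """Policy used by the CI gate: fail while any fixable HIGH/CRITICAL remains."""
    return len(fixable_findings(trivy_json)) > 0

if __name__ == "__main__":
    for target, pkg, cve, installed, fixed in fixable_findings(SAMPLE_BEFORE_UPGRADE):
        print(f"{target}: upgrade {pkg} {installed} -> {fixed} to fix {cve}")
    print("after upgrade, fail build:", build_should_fail(SAMPLE_AFTER_UPGRADE))
    raise SystemExit(1 if build_should_fail(SAMPLE_BEFORE_UPGRADE) else 0)
```

In a pipeline you would feed the real `trivy image --format json` output into `fixable_findings` and let the non-zero exit stop the push; the point of checking `is_older` rather than trusting the scanner alone is that a stale vulnerability database can report a package as vulnerable after the image has already been rebuilt with the fixed version, which is also why the post above had to pass `--clear-cache` when the `:latest` tag changed.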

izgeri commented Dec 15, 2020

Is there an ETA for when this might be fixed and a new image released? Thank you :)


ncopa commented Dec 16, 2020


ncopa commented Dec 22, 2020

fixed with docker-library/official-images#9295

Thanks!

@ncopa ncopa closed this as completed Dec 22, 2020