Vulnerabilities on base image 5.6 #780

Closed
irvingoe opened this issue Jul 28, 2021 · 1 comment
Labels
question Usability question, not directly related to an error with the image

Comments

@irvingoe

We found the following vulnerabilities on mysql 5.6 base image
These belong to go package version 1.13.10

CVE-2021-27918
CVE-2020-28367
CVE-2020-28366
CVE-2020-28362
CVE-2020-16845

Are there any plans to update 5.6 version to address these vulnerabilities?

@wglambert wglambert added the question Usability question, not directly related to an error with the image label Jul 28, 2021
@wglambert

https://security-tracker.debian.org/tracker/CVE-2021-27918

encoding/xml in Go

Go/Golang isn't in the image

$ docker run -it --rm mysql:5.6 bash
Unable to find image 'mysql:5.6' locally
5.6: Pulling from library/mysql
778066204fb7: Pull complete 
4934b98a40c4: Pull complete 
24d0034f4cf8: Pull complete 
cd5c81076c53: Pull complete 
3e630bfc5120: Pull complete 
fc97236980ff: Pull complete 
9935fd852726: Pull complete 
e25ac4a39a81: Pull complete 
e8b50ae6b193: Pull complete 
9b0af3588a72: Pull complete 
0a2c92fcf3d9: Pull complete 
Digest: sha256:391f655177931dc2905b6fbf6b21d769060f8797ce1b515e8579a157afcce459
Status: Downloaded newer image for mysql:5.6
root@ce6e5194cefb:/# apt list | grep -i go

WARNING: apt does not have a stable CLI interface. Use with caution in scripts.

root@ce6e5194cefb:/#

Also buster, buster (security) is still vulnerable, so there would otherwise be nothing actionable

https://security-tracker.debian.org/tracker/CVE-2020-28367
https://security-tracker.debian.org/tracker/CVE-2020-28366
https://security-tracker.debian.org/tracker/CVE-2020-28362
https://security-tracker.debian.org/tracker/CVE-2020-16845
These are all relevant to the Go/Golang package which isn't in the image. A few of these are fixed

I'm wondering if your CVE scanner picked up on gosu being in the image and made a few assumptions

# add gosu for easy step-down from root
# https://github.com/tianon/gosu/releases
ENV GOSU_VERSION 1.12
RUN set -eux; \

See also https://github.com/docker-library/faq#why-does-my-security-scanner-show-that-an-image-has-cves
And docker-library/openjdk#449 (comment), docker-library/postgres#286 (comment) docker-library/openjdk#161, docker-library/openjdk#112, docker-library/postgres#286, docker-library/drupal#84, docker-library/official-images#2740, docker-library/ruby#117, docker-library/ruby#94, docker-library/python#152, docker-library/php#242, docker-library/buildpack-deps#46, docker-library/openjdk#185.

A CVE doesn't imply having an actual vulnerability, and often is even a false positive (given how most distributions handle versioning/security updates in stable releases). If there are actionable items we can resolve, we're happy to do so (and do so actively). We update all Debian based images to include any updates in apt packages at least monthly (we regenerate the base images and then rebuild all dependent images).

@tianon tianon closed this as completed Jul 29, 2021