
vulnerability in 8-jdk-alpine image #213

Closed
cojalvo opened this issue Jul 8, 2018 · 4 comments

@cojalvo

cojalvo commented Jul 8, 2018

Hi,

We found a vulnerability in the 8-jdk-alpine image:

The scan results show that 1 ISSUE was found for the image.

Vulnerable Packages Found
=========================

Vulnerability ID   Policy Status   Affected Packages   How to Resolve   
CVE-2018-6942      Active          freetype            Upgrade freetype to >= 2.8.1-r3

Is it a known issue? Does it have a fix?

Thanks

@wglambert wglambert added the Issue label Jul 9, 2018
@wglambert

See docker-library/postgres#286 (comment) #161, #112, docker-library/postgres#286, docker-library/drupal#84, docker-library/official-images#2740, docker-library/ruby#117, docker-library/ruby#94, docker-library/python#152, docker-library/php#242, docker-library/buildpack-deps#46, #185.

A CVE doesn't imply having an actual vulnerability, and often is even a false positive (given how most distributions handle versioning/security updates in stable releases). If there are actionable items we can resolve, we're happy to do so (and do so actively). We update all Debian based images to include any updates in apt packages at least monthly (we regenerate the base images and then rebuild all dependent images).

@tianon
Member

tianon commented Jul 9, 2018

Looking at the Alpine bugtracker (https://bugs.alpinelinux.org/projects/alpine/search?q=CVE-2018-6942), it does appear to have been fixed in Alpine 3.8, 3.7, 3.6, and 3.5, so we should pick up the change shortly (especially given the recently-merged #210).

@tianon tianon closed this as completed Jul 9, 2018
@IdanAdar

IdanAdar commented Jul 18, 2018

@tianon I have pulled the latest image and the scan returned the same results.
How can I verify that an image contains the fixed packages?

@yosifkit
Member

It seems to be fine. In a freshly pulled image, it contains the package release revision that has the fix (pkgver=2.9, pkgrel=1 alpinelinux/aports@7a7493c).

$ docker pull openjdk:8-jdk-alpine
8-jdk-alpine: Pulling from library/openjdk
8e3ba11ec2a2: Pull complete 
311ad0da4533: Pull complete 
df312c74ce16: Pull complete 
Digest: sha256:1fd5a77d82536c88486e526da26ae79b6cd8a14006eb3da3a25eb8d2d682ccd6
Status: Downloaded newer image for openjdk:8-jdk-alpine
$ docker run -it --rm openjdk:8-jdk-alpine sh
/ # apk info freetype
WARNING: Ignoring APKINDEX.adfa7ceb.tar.gz: No such file or directory
WARNING: Ignoring APKINDEX.efaa1f73.tar.gz: No such file or directory
freetype-2.9.1-r1 description:
TrueType font rendering library

freetype-2.9.1-r1 webpage:
https://www.freetype.org/

freetype-2.9.1-r1 installed size:
745472
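An added example, not from the thread, that turns the manual check above into something a CI job can run: it reads the package header from `apk info` output (constructed here to mirror the session above) and compares the installed freetype release with the `>= 2.8.1-r3` threshold from the scan report. The `__main__` section runs the same `docker run ... apk info freetype` command as the session above and pipes it through the check; the version parser assumes a dotted-integer pkgver with an optional `-rN` pkgrel.

```python
import re
import subprocess

# Constructed to mirror the `apk info freetype` session quoted above.
APK_INFO_OUTPUT = """\
WARNING: Ignoring APKINDEX.adfa7ceb.tar.gz: No such file or directory
freetype-2.9.1-r1 description:
TrueType font rendering library

freetype-2.9.1-r1 webpage:
https://www.freetype.org/

freetype-2.9.1-r1 installed size:
745472
"""
# Threshold taken from the scan report's "How to Resolve" column.
REQUIRED = {"freetype": "2.8.1-r3"}

def parse_apk_version(ver):
    """'2.9.1-r1' -> ((2, 9, 1), 1). Assumes a dotted-integer pkgver and an
    optional -rN pkgrel; a missing suffix means pkgrel 0, as in apk."""
    m = re.fullmatch(r"(\d+(?:\.\d+)*)(?:-r(\d+))?", ver)
    if not m:
        raise ValueError("unsupported apk version: %r" % ver)
    return tuple(int(p) for p in m.group(1).split(".")), int(m.group(2) or 0)

def installed_version(apk_info_output, package):
    """Version from the '<pkg>-<ver> description:' header, or None if absent."""
    pat = re.compile(r"^%s-(\d\S*) description:$" % re.escape(package), re.M)
    m = pat.search(apk_info_output)
    return m.group(1) if m else None

def is_fixed(apk_info_output, package, required):
    """True if installed >= required, False if older, None if not installed
    (in which case the finding does not apply to this image)."""
    ver = installed_version(apk_info_output, package)
    if ver is None:
        return None
    return parse_apk_version(ver) >= parse_apk_version(required)

if __name__ == "__main__":
    # Same check against a live image, as in the docker session above.
    out = subprocess.run(["docker", "run", "--rm", "openjdk:8-jdk-alpine",
                          "apk", "info", "freetype"],
                         capture_output=True, text=True).stdout
    print("freetype", installed_version(out, "freetype"),
          "fixed:", is_fixed(out, "freetype", REQUIRED["freetype"]))
```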
