CVEs during security scan #1273

Closed
sanalk86 opened this issue Mar 21, 2022 · 4 comments
Labels
question Usability question, not directly related to an error with the image

Comments

@sanalk86

Hi Team,
Found a few CVEs during the security scan: CVE-2022-22721, CVE-2022-22720, CVE-2022-23943, CVE-2022-22719 on php:7.4-apache-buster. Is there any way to tackle these? The fixed version is 2.4.53-1 of apache.

@JoelLinn

Hi,
Have you checked if they are actually present in the image or only via a stupid version check?
Debian maintainers usually backport security fixes. If not fixed, it should just be a rebuild of the images. Or an apt upgrade on your side while that's pending.

@wglambert wglambert added the question Usability question, not directly related to an error with the image label Mar 21, 2022
@wglambert

https://security-tracker.debian.org/tracker/CVE-2022-22721
All stable variants are still vulnerable so there's nothing actionable for us to do

https://security-tracker.debian.org/tracker/CVE-2022-22720
Same as before

https://security-tracker.debian.org/tracker/CVE-2022-23943
Same as before

https://security-tracker.debian.org/tracker/CVE-2022-22719
Same situation as the others

These CVEs are all considered minor issues by the Debian security team. But when there is a patch released for apache2 you can just apt update and apt upgrade the package in your container while waiting for the next updated Official Image.

See https://github.com/docker-library/faq#why-does-my-security-scanner-show-that-an-image-has-cves
And docker-library/openjdk#449 (comment), docker-library/postgres#286 (comment) docker-library/openjdk#161, docker-library/openjdk#112, docker-library/postgres#286, docker-library/drupal#84, docker-library/official-images#2740, docker-library/ruby#117, docker-library/ruby#94, docker-library/python#152, #242, docker-library/buildpack-deps#46, docker-library/openjdk#185.

A CVE doesn't imply having an actual vulnerability, and often is even a false positive (given how most distributions handle versioning/security updates in stable releases). If there are actionable items we can resolve, we're happy to do so (and do so actively). We update all Debian based images to include any updates in apt packages at least monthly (we regenerate the base images and then rebuild all dependent images).

@tianon
Member

tianon commented Mar 23, 2022

See also the following note from the Debian Security Team at the bottom of each of those links:

[bullseye] - apache2 <no-dsa> (Minor issue)
[buster] - apache2 <no-dsa> (Minor issue)

This is Debian's way of noting that this is effectively a "wontfix" (it might get a fix if some maintainer feels like doing the work + paperwork to get the update through, but it's not going to be fixed by the security team because it's not considered by them to be enough of an issue for them to bother).
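Added example, not code from the php image repository or from any commenter in this thread: it shows the difference between the "stupid version check" JoelLinn mentions (comparing only the upstream version number against the scanner's fixed version, so every backported Debian package looks vulnerable) and the check the tracker links above imply (comparing the installed Debian version against the fixed version the security tracker lists for that suite, or noting that a "no-dsa" suite has nothing to upgrade to). The version comparison follows dpkg's ordering rules (epoch, upstream, Debian revision, with "~" sorting before everything else). The dpkg status text, the tracker dictionary and the version strings are constructed sample data, and CVE-0000-EXAMPLE is a placeholder entry that exists only to exercise the "fix available" branch.

```python
import re

# Constructed sample of `dpkg -s apache2` output from a buster-based image.
DPKG_STATUS_SAMPLE = """\
Package: apache2
Status: install ok installed
Version: 2.4.38-3+deb10u7
"""

# Constructed stand-in for per-suite security-tracker data. A suite whose
# fixed_version is None with a "no-dsa" status has no fix planned there.
TRACKER_SAMPLE = {
    "CVE-2022-22721": {
        "buster": {"fixed_version": None, "status": "no-dsa (Minor issue)"},
        "sid": {"fixed_version": "2.4.53-1", "status": "fixed"},
    },
    # Placeholder CVE with a constructed backported fix, to show the other branch.
    "CVE-0000-EXAMPLE": {
        "buster": {"fixed_version": "2.4.38-3+deb10u8", "status": "fixed"},
    },
}


def _order(c):
    """dpkg character weight: '~' first, then end/digit, then letters, then others."""
    if c == "~":
        return -1
    if c == "" or c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _verrevcmp(a, b):
    """Compare one version fragment (upstream or revision) the way dpkg does."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        # Non-digit runs: character by character using _order().
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i] if i < len(a) else "")
            bc = _order(b[j] if j < len(b) else "")
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        # Digit runs: numerically, leading zeros ignored.
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and j < len(b) and a[i].isdigit() and b[j].isdigit():
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i].isdigit():
            return 1
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def _split(version):
    """'1:2.4.38-3+deb10u7' -> (1, '2.4.38', '3+deb10u7')."""
    epoch, rest = version.split(":", 1) if ":" in version else ("0", version)
    upstream, revision = rest.rsplit("-", 1) if "-" in rest else (rest, "")
    return int(epoch), upstream, revision


def debian_version_compare(v1, v2):
    """Negative, zero or positive, like `dpkg --compare-versions`."""
    e1, u1, r1 = _split(v1)
    e2, u2, r2 = _split(v2)
    if e1 != e2:
        return e1 - e2
    return _verrevcmp(u1, u2) or _verrevcmp(r1, r2)


def installed_version(dpkg_status):
    """Pull the Version: field out of `dpkg -s <pkg>` output."""
    m = re.search(r"^Version:\s*(\S+)", dpkg_status, re.MULTILINE)
    if not m:
        raise ValueError("no Version: field in dpkg status output")
    return m.group(1)


def upstream_part(version):
    return _split(version)[1]


def scanner_flags(installed, scanner_fixed_upstream):
    """Naive scanner logic: upstream number only, backports ignored."""
    return _verrevcmp(upstream_part(installed), scanner_fixed_upstream) < 0


def tracker_verdict(cve, suite, installed, tracker=TRACKER_SAMPLE):
    """'unknown', 'no-fix', 'fixed' or 'upgrade' for this CVE in this suite."""
    entry = tracker.get(cve, {}).get(suite)
    if entry is None:
        return "unknown"
    if entry["fixed_version"] is None:
        return "no-fix"  # e.g. "<no-dsa> (Minor issue)": nothing to apt upgrade to
    if debian_version_compare(installed, entry["fixed_version"]) >= 0:
        return "fixed"
    return "upgrade"  # apt-get update && apt-get upgrade apache2 picks it up


if __name__ == "__main__":
    v = installed_version(DPKG_STATUS_SAMPLE)
    print("installed apache2:", v)
    print("scanner (upstream-only) flags CVE-2022-22721:", scanner_flags(v, "2.4.53"))
    for cve in TRACKER_SAMPLE:
        print(cve, "in buster:", tracker_verdict(cve, "buster", v))
```

Run against a real container, the Version: line would come from `dpkg -s apache2` inside the image and the per-suite entries from the security-tracker pages linked above; the "no-fix" result for buster is exactly the "<no-dsa> (Minor issue)" situation described in this thread, where neither a rebuild nor an apt upgrade can change the scanner's finding.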

@phydroxide

"A CVE doesn't imply having an actual vulnerability"

Some nuance in language could use some clarification here, if you will forgive me for picking nits.

Even if the vulnerability is not exploitable it can be demonstrated in source code that the packages of prior versions ARE vulnerable in the way described.

5 participants