
Critical vulnerability found in curl < 7.84.0 #1314

Closed
truonghongtrieu opened this issue Jul 18, 2022 · 1 comment
Labels
question Usability question, not directly related to an error with the image

Comments


truonghongtrieu commented Jul 18, 2022

Hi Team,

Issue: the docker image of php:fpm-alpine3.16 (https://hub.docker.com/layers/php/library/php/fpm-alpine3.16/images/sha256-a35b951f68dfc3183dd7f9451c6cd21ef2ab5de4ab48bb0e4aac15d8c2cba6ff?context=explore) contains a critical CVE vulnerability found in curl-7.83.1-r1, showing in a Prisma scan job.

When are we updating curl to >= 7.84.0 for https://github.com/docker-library/php/blob/master/7.4/alpine3.16/cli/Dockerfile#L25?

  • Steps to reproduce: docker run -it --pull=always --platform=linux/amd64 --rm php:fpm-alpine3.16 apk info curl
  • Output:
fpm-alpine3.16: Pulling from library/php
Digest: sha256:89881cd27b91a91881bc782a29508fbe327ceeb12bff7bdd07c1b5ba9970c838
Status: Image is up to date for php:fpm-alpine3.16
WARNING: Ignoring https://dl-cdn.alpinelinux.org/alpine/v3.16/main: No such file or directory
WARNING: Ignoring https://dl-cdn.alpinelinux.org/alpine/v3.16/community: No such file or directory
curl-7.83.1-r1 description:
URL retrival utility and library

curl-7.83.1-r1 webpage:
https://curl.se/

curl-7.83.1-r1 installed size:
256 KiB
@wglambert wglambert added the question Usability question, not directly related to an error with the image label Jul 18, 2022
@wglambert

Curl from Alpine's package repo is at 7.83.1-r2 https://pkgs.alpinelinux.org/package/v3.16/main/x86_64/curl so there's nothing actionable for us to do

The CVE seems to be fairly negligible https://curl.se/docs/CVE-2022-32207.html

We are not aware of any exploit of this flaw.

See also https://github.com/docker-library/faq#why-does-my-security-scanner-show-that-an-image-has-cves
And docker-library/openjdk#449 (comment), docker-library/postgres#286 (comment), docker-library/openjdk#161, docker-library/openjdk#112, docker-library/postgres#286, docker-library/drupal#84, docker-library/official-images#2740, docker-library/ruby#117, docker-library/ruby#94, docker-library/python#152, #242, docker-library/buildpack-deps#46, docker-library/openjdk#185.

A CVE doesn't imply having an actual vulnerability, and often is even a false positive (given how most distributions handle versioning/security updates in stable releases). If there are actionable items we can resolve, we're happy to do so (and do so actively). We update all Debian based images to include any updates in apt packages at least monthly (we regenerate the base images and then rebuild all dependent images).
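To illustrate the point made above about distribution versioning, here is an added triage helper (not code from this issue or from the docker-library project) that parses the `apk info curl` output quoted in the report and gives two verdicts: the upstream-only comparison a version-matching scanner makes, and a comparison against the distribution's own patched package version. It assumes, as the comment implies, that Alpine's `7.83.1-r2` carries the backported fix; the sample output is constructed from the lines quoted in the issue.

```python
import re

# Constructed sample: the "apk info curl" output quoted in the issue, reduced to two lines.
SAMPLE_APK_INFO = "curl-7.83.1-r1 description:\nURL retrival utility and library\n"

_ALPINE_VER = re.compile(r"^(?P<upstream>\d+(?:\.\d+)*)-r(?P<rel>\d+)$")


def parse_alpine_version(version):
    """Split an Alpine package version such as '7.83.1-r1' into
    ((7, 83, 1), 1): the upstream release and the distro rebuild number."""
    m = _ALPINE_VER.match(version)
    if not m:
        raise ValueError(f"not an Alpine package version: {version!r}")
    upstream = tuple(int(part) for part in m["upstream"].split("."))
    return upstream, int(m["rel"])


def installed_version(apk_info_output, package="curl"):
    """Pull the installed version out of 'apk info <pkg>' output."""
    m = re.search(rf"^{re.escape(package)}-(\S+) description:", apk_info_output, re.M)
    if not m:
        raise ValueError(f"{package} not found in apk info output")
    return m.group(1)


def upstream_only_verdict(installed, fixed_upstream):
    """What a version-matching scanner does: ignore the -rN suffix and compare
    the upstream version against the upstream release that fixed the CVE."""
    upstream, _ = parse_alpine_version(installed)
    fixed = tuple(int(part) for part in fixed_upstream.split("."))
    return "vulnerable" if upstream < fixed else "fixed"


def distro_aware_verdict(installed, fixed_distro_version):
    """Compare against the distribution's package version that carries the
    backported fix (assumed here); the rebuild number decides when upstream ties."""
    if parse_alpine_version(installed) < parse_alpine_version(fixed_distro_version):
        return "vulnerable"
    return "fixed"


def triage(apk_info_output, fixed_upstream, fixed_distro_version):
    """Return both verdicts for the package version found in the apk output."""
    installed = installed_version(apk_info_output)
    return {
        "installed": installed,
        "upstream_only": upstream_only_verdict(installed, fixed_upstream),
        "distro_aware": distro_aware_verdict(installed, fixed_distro_version),
    }
```

With the versions from the issue (upstream fix in 7.84.0, Alpine 3.16 package at 7.83.1-r2), the rebuilt image at `7.83.1-r2` still trips the upstream-only check while the distro-aware check reports it fixed.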

@tianon tianon closed this as completed Oct 6, 2022