CVE’s in base Postgres image

[4everinbeta]

I just ran this image through my company's blackduck container scan and the following CVE's were detected. Let me know what other information is needed to make this an effective issue report.

libidn2

• CVE-2019-18224
• CVE-2019-12290

runc

• CVE-2019-5736
• CVE-2019-16884

libsecomp

• CVE-2019-9893

berkeleydb

• CVE-2016-0694
• CVE-2016-3418
• CVE-2016-0682
• CVE-2016-0692
• CVE-2016-0689
• CVE-2017-3606
• CVE-2017-3605
• CVE-2017-3604
• CVE-2017-3607
• CVE-2017-3608
• CVE-2017-3613
• CVE-2017-3615
• CVE-2017-3617
• CVE-2017-3611
• CVE-2017-3616
• CVE-2017-3610
• CVE-2017-3612
• CVE-2017-3614
• CVE-2017-3609

kerberos

• CVE-2000-0548
• CVE-2000-0546
• CVE-2000-0547

tar

• CVE-2018-20990
• CVE-2019-9923

glibc

• CVE-2018-20796
• CVE-2019-9192

shadow

• CVE-2019-16110

gnupg

• CVE-2019-13050

selinux

• CVE-2011-3151

procps

• CVE-2018-1121

[wglambert]

See https://github.com/docker-library/faq#why-does-my-security-scanner-show-that-an-image-has-so-many-cves
And #286 (comment) docker-library/openjdk#161, docker-library/openjdk#112, #286, docker-library/drupal#84, docker-library/official-images#2740, docker-library/ruby#117, docker-library/ruby#94, docker-library/python#152, docker-library/php#242, docker-library/buildpack-deps#46, docker-library/openjdk#185.

A CVE doesn't imply having an actual vulnerability, and often is even a false positive (given how most distributions handle versioning/security updates in stable releases). If there are actionable items we can resolve, we're happy to do so (and do so actively). We update all Debian based images to include any updates in apt packages at least monthly (we regenerate the base images and then rebuild all dependent images).

[4everinbeta]

Thank you @wglambert that makes sense. Unfortunately my company doesn't allow any containers to be used that have any reported severe or high cve's. :(

[yosifkit]

Here, I linkified the CVE's to Debian's bug tracker (since postgres images are based on Debian). As @wglambert mentioned, all of these are not even applicable vulnerabilities since the package isn't installed or is already fixed, so you may want to report that to your scanner.

libidn2

• https://security-tracker.debian.org/tracker/CVE-2019-18224 "libidn2-0 (Vulnerable code not present)"
• https://security-tracker.debian.org/tracker/CVE-2019-12290 "Minor issue; intrusive to backport"

runc (ummm, runc or lxc are not installed in the postgres image)

• https://security-tracker.debian.org/tracker/CVE-2019-5736
• https://security-tracker.debian.org/tracker/CVE-2019-16884

libsecomp

• https://security-tracker.debian.org/tracker/CVE-2019-9893 "No security issue by itself"

berkeleydb: "NOT-FOR-US: Oracle Berkeley DB (later closed source releases)"

• https://security-tracker.debian.org/tracker/CVE-2016-0694
• https://security-tracker.debian.org/tracker/CVE-2016-3418
• https://security-tracker.debian.org/tracker/CVE-2016-0682
• https://security-tracker.debian.org/tracker/CVE-2016-0692
• https://security-tracker.debian.org/tracker/CVE-2016-0689
• https://security-tracker.debian.org/tracker/CVE-2017-3606
• https://security-tracker.debian.org/tracker/CVE-2017-3605
• https://security-tracker.debian.org/tracker/CVE-2017-3604
• https://security-tracker.debian.org/tracker/CVE-2017-3607
• https://security-tracker.debian.org/tracker/CVE-2017-3608
• https://security-tracker.debian.org/tracker/CVE-2017-3613
• https://security-tracker.debian.org/tracker/CVE-2017-3615
• https://security-tracker.debian.org/tracker/CVE-2017-3617
• https://security-tracker.debian.org/tracker/CVE-2017-3611
• https://security-tracker.debian.org/tracker/CVE-2017-3616
• https://security-tracker.debian.org/tracker/CVE-2017-3610
• https://security-tracker.debian.org/tracker/CVE-2017-3612
• https://security-tracker.debian.org/tracker/CVE-2017-3614
• https://security-tracker.debian.org/tracker/CVE-2017-3609

kerberos: "NOT-FOR-US: Data pre-dating the Security Tracker"

• https://security-tracker.debian.org/tracker/CVE-2000-0548
• https://security-tracker.debian.org/tracker/CVE-2000-0546
• https://security-tracker.debian.org/tracker/CVE-2000-0547

tar

• https://security-tracker.debian.org/tracker/CVE-2018-20990 "rust-tar (Fixed with initial upload to archive)"
• https://security-tracker.debian.org/tracker/CVE-2019-9923 "Crash in CLI tool, no security impact"

glibc

• https://security-tracker.debian.org/tracker/CVE-2018-20796 "No[t] treated as vulnerability"
• https://security-tracker.debian.org/tracker/CVE-2019-9192 "DISPUTED" "NOTE: the software maintainer disputes that this is a vulnerability because the behavior occurs only with a crafted pattern."

shadow

• https://security-tracker.debian.org/tracker/CVE-2019-16110 "NOT-FOR-US: Blade Shadow"

gnupg

• https://security-tracker.debian.org/tracker/CVE-2019-13050 "NOT-FOR-US: Conceptual weakness in PGP keyserver design"

selinux

• https://security-tracker.debian.org/tracker/CVE-2011-3151 "NOT-FOR-US: Historic Ubuntu init script issue"

procps

• https://security-tracker.debian.org/tracker/CVE-2018-1121 "unimportant"