
Debian image openssl vulnerability? #152

Closed
iainhouston opened this issue Oct 25, 2016 · 2 comments

Comments

@iainhouston

iainhouston commented Oct 25, 2016

It seems that a Dockerfile used to build an image FROM python:3.5 i.e. python:latest will be using a debian image with a vulnerable openssl.

I don't understand precisely why, as an image I built yesterday FROM debian:jessie uses the more recent openssl but an image I built today FROM python:3.5 seems to use an older one.

python:3.5 -> buildpack-deps:jessie -> buildpack-deps:jessie-scm -> buildpack-deps:jessie-curl -> debian:jessie

Is an outdated upstream debian:jessie image being inadvertently cached perhaps?

This arose from a vulnerability warning I received from a python:3.5-based image I pushed to my registry at IBM Bluemix Containers.

Security Notice: DSA-3673-2
Package : openssl
Debian Bug : 838652 838659

It was discovered that the original patch applied for CVE-2016-2182 in
DSA-3673-1 was incomplete, causing a regression when parsing
certificates. Updated packages are now available to address this
problem.

For the stable distribution (jessie), this problem has been fixed in
version 1.0.1t-1+deb8u5.

We recommend that you upgrade your openssl packages.

@yosifkit
Member

This was fixed with docker-library/official-images#2179. Ran a quick check and python:3.5 does contain the fixed version:

docker pull python:3.5
3.5: Pulling from library/python

43c265008fae: Pull complete 
af36d2c7a148: Pull complete 
143e9d501644: Pull complete 
f6a5aab6cd0c: Pull complete 
132c9d275259: Pull complete 
e5dbf2ccb0ad: Pull complete 
606e98dfd3f6: Pull complete 
Digest: sha256:223993aa0c52de64dbf9c7acd0b8712145d12f18466c7a3d738a7e76e4bd1c92
Status: Downloaded newer image for python:3.5
$ docker run -it --rm python:3.5 bash
root@253a43173a3c:/# dpkg --status openssl
Package: openssl
Status: install ok installed
Priority: optional
Section: utils
Installed-Size: 1093
Maintainer: Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>
Architecture: amd64
Version: 1.0.1t-1+deb8u5
Depends: libc6 (>= 2.15), libssl1.0.0 (>= 1.0.1k-3+deb8u3)
Suggests: ca-certificates
Conffiles:
 /etc/ssl/openssl.cnf 7df26c55291b33344dc15e3935dabaf3
Description: Secure Sockets Layer toolkit - cryptographic utility
 This package is part of the OpenSSL project's implementation of the SSL
 and TLS cryptographic protocols for secure communication over the
 Internet.
 .
 It contains the general-purpose command line binary /usr/bin/openssl,
 useful for cryptographic operations such as:
  * creating RSA, DH, and DSA key parameters;
  * creating X.509 certificates, CSRs, and CRLs;
  * calculating message digests;
  * encrypting and decrypting with ciphers;
  * testing SSL/TLS clients and servers;
  * handling S/MIME signed or encrypted mail.
root@253a43173a3c:/# 

Perhaps you have an older python:3.5 image and need to pull a new one? Just pulling a new debian:jessie won't update your images that are from it.
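As an added example (not from this thread or the docker-library project), a small Python check that reads the `dpkg --status openssl` block shown above and compares its Version field against the version DSA-3673-2 names, using a port of dpkg's own version ordering so that `deb8u10` sorts after `deb8u5` and a `~` pre-release sorts below its release. The sample status block is constructed from the output above, and the `docker run` line in the comment is the assumed way to capture it from a local image.

```python
import re
DSA_3673_2_FIXED = "1.0.1t-1+deb8u5"   # fixed version named in DSA-3673-2

# Constructed sample, trimmed from the `dpkg --status openssl` output in this thread;
# in practice capture it with:  docker run --rm python:3.5 dpkg --status openssl
SAMPLE_STATUS = """\
Package: openssl
Status: install ok installed
Version: 1.0.1t-1+deb8u5
"""

def _order(c):
    # dpkg's per-character weight: digits 0, letters by code, '~' below end-of-string.
    if c.isdigit() or not c:
        return 0
    return ord(c) if c.isalpha() else -1 if c == "~" else ord(c) + 256

def _verrevcmp(a, b):
    # Port of dpkg's verrevcmp(): compare alternating non-digit and numeric runs.
    while a or b:
        while (a and not a[0].isdigit()) or (b and not b[0].isdigit()):
            ac, bc = _order(a[:1]), _order(b[:1])  # "" past the end weighs 0
            if ac != bc:
                return ac - bc
            a, b = a[1:], b[1:]
        a, b, first_diff = a.lstrip("0"), b.lstrip("0"), 0
        while a[:1].isdigit() and b[:1].isdigit():
            first_diff = first_diff or ord(a[0]) - ord(b[0])
            a, b = a[1:], b[1:]
        if a[:1].isdigit() or b[:1].isdigit():
            return 1 if a[:1].isdigit() else -1   # the longer numeric run is larger
        if first_diff:
            return first_diff
    return 0

def deb_version_cmp(v1, v2):
    # -1/0/1 like `dpkg --compare-versions`; form is [epoch:]upstream[-revision].
    def split(v):
        epoch, sep, rest = v.partition(":")
        epoch, rest = (epoch, rest) if sep else ("0", v)
        upstream, sep, rev = rest.rpartition("-")
        return int(epoch), (upstream if sep else rest), (rev if sep else "")
    (e1, u1, r1), (e2, u2, r2) = split(v1), split(v2)
    c = (e1 > e2) - (e1 < e2) or _verrevcmp(u1, u2) or _verrevcmp(r1, r2)
    return (c > 0) - (c < 0)

def is_patched(dpkg_status, fixed=DSA_3673_2_FIXED):
    # True only if openssl is "install ok installed" at a version >= the DSA's fix.
    m = re.search(r"^Status: install ok installed$.*?^Version: (\S+)$", dpkg_status, re.M | re.S)
    return bool(m) and deb_version_cmp(m[1], fixed) >= 0
```

Running the check against each locally cached python:3.5 image, rather than against a fresh pull, is what shows whether a stale base layer is still in use.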

@iainhouston
Author

Oh good, that's reassuring that the official python is up-to-date... a bit worrying, though, that it is so easy for me to have stale base images.
