
All official ruby images contain critical security issues #117

Closed
mrfelton opened this issue Feb 13, 2017 · 5 comments

Comments

@mrfelton

See https://hub.docker.com/r/library/ruby/tags/

@defektive

are there plans to fix this?

yosifkit (Member) commented Apr 4, 2017

The discussion about the node image applies here as well; specifically this comment: docker-library/official-images#2740 (comment).

We just ran a quick scan with ruby:latest and even though there are vulnerabilities classified as "critical", there are zero with actionable fixes; meaning that there are no packages in Debian upstream that contain fixes for any of the CVEs.

@yosifkit yosifkit closed this as completed Apr 4, 2017
mrfelton (Author) commented Apr 5, 2017

> We just ran a quick scan with ruby:latest and even though there are vulnerabilities classified as "critical", there are zero with actionable fixes; meaning that there are no packages in Debian upstream that contain fixes for any of the CVE's.

If the exploits have been made public, then it means the fixes have also been made public.

These images should compile the affected packages from source, with patches applied if necessary in order to get versions of the packages that do not have known security flaws. Waiting for Debian to add the updated packages to their repository is irresponsible.

md5 commented Apr 6, 2017

@mrfelton there are a lot of assumptions baked into your statement.

In particular, you're assuming that just because the exploits have been made public that fixes have also been made public. There's no guarantee that that's true and you seem to just be making a blanket statement.

Beyond that, you're also assuming that these fixes exist in the form of ready-made patches that could easily be applied. If this were the case, then pushing Debian to include those patches would be the more responsible thing to do. If that's not the case, then there is a significant risk that comes with the Docker official image maintainers attempting to adapt any possible fixes themselves to software with which they are likely not familiar.

mrfelton (Author) commented Apr 6, 2017

@md5 my bad, I should have been more clear in my statement, which was meant to suggest that where there are known fixes for known exploits these should be incorporated where possible.

> Beyond that, you're also assuming that these fixes exist in the form of ready-made patches that could easily be applied.

I know for example that there are fixes available for many of the affected packages either in Edge (for Alpine), or upstream in the project's latest official release or github master branches.

> If this were the case, then pushing Debian to include those patches would be the more responsible thing to do. If that's not the case, then there is a significant risk that comes with the Docker official image maintainers attempting to adapt any possible fixes themselves to software with which they are likely not familiar.

That's a fair point, although since these docker images are listed as 'official' it still seems wrong to be making them available with known vulnerabilities where fixes are readily available. The maintainers of Debian, Alpine, or other distributions have their own priorities, and I suspect that in many cases it would serve the users of these docker images better to be proactive and not wait for those teams to get their act together in order to patch security holes.

@wglambert wglambert mentioned this issue Jun 4, 2021