
ruby:2.1 contains vulnerabilities #94

Closed

gravis opened this issue Dec 15, 2016 · 2 comments


gravis commented Dec 15, 2016

CVE-2016-5841 (Critical, 7.5 CVSS score)
====================
Integer overflow in MagickCore/profile.c in ImageMagick before 7.0.2-1 allows remote attackers to cause a denial of service (segmentation fault) or possibly execute arbitrary code via vectors involving the offset variable.
% docker run -it --rm ruby:2.1 bash
root@9287e23ae181:/# apt update
Get:1 http://security.debian.org jessie/updates InRelease [63.1 kB]
Get:2 http://security.debian.org jessie/updates/main amd64 Packages [423 kB]
Ign http://deb.debian.org jessie InRelease
Get:3 http://deb.debian.org jessie-updates InRelease [145 kB]
Get:4 http://deb.debian.org jessie Release.gpg [2373 B]
Get:5 http://deb.debian.org jessie Release [148 kB]
Get:6 http://deb.debian.org jessie-updates/main amd64 Packages [17.6 kB]
Get:7 http://deb.debian.org jessie/main amd64 Packages [9064 kB]
Fetched 9863 kB in 1s (6848 kB/s)
Reading package lists... Done
Building dependency tree
Reading state information... Done
19 packages can be upgraded. Run 'apt list --upgradable' to see them.
root@9287e23ae181:/# apt upgrade
Reading package lists... Done
Building dependency tree
Reading state information... Done
Calculating upgrade... Done
The following packages will be upgraded:
  apt imagemagick imagemagick-6.q16 imagemagick-common libapt-pkg4.12 libicu52 libmagickcore-6-arch-config libmagickcore-6-headers libmagickcore-6.q16-2 libmagickcore-6.q16-2-extra libmagickcore-6.q16-dev libmagickcore-dev libmagickwand-6-headers libmagickwand-6.q16-2 libmagickwand-6.q16-dev libmagickwand-dev libxslt1-dev libxslt1.1 tzdata
19 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
Need to get 14.8 MB of archives.
After this operation, 4219 kB of additional disk space will be used.
Do you want to continue? [Y/n] ^C

Could you please update this image?

tobiashm (Contributor) commented

This would be an upstream issue, i.e. the buildpack-deps:jessie image, since the Ruby images don't install ImageMagick.

But it looks like it's been updated:

$ docker run -it --rm ruby:2.1 bash
Unable to find image 'ruby:2.1' locally
2.1: Pulling from library/ruby
75a822cd7888: Already exists 
57de64c72267: Already exists 
4306be1e8943: Already exists 
871436ab7225: Already exists 
afb684ad7765: Pull complete 
d94ccdc36092: Pull complete 
f9492c4bea1a: Pull complete 
96c68506b59a: Pull complete 
Digest: sha256:f7fa6900745821e743332551d114b56d960f90712745dee15468a8a181f3df7d
Status: Downloaded newer image for ruby:2.1
root@bc895f00a2a5:/# apt update
Get:1 http://security.debian.org jessie/updates InRelease [63.1 kB]
Get:2 http://security.debian.org jessie/updates/main amd64 Packages [427 kB]
Ign http://deb.debian.org jessie InRelease
Get:3 http://deb.debian.org jessie-updates InRelease [145 kB]
Get:4 http://deb.debian.org jessie Release.gpg [2373 B]
Get:5 http://deb.debian.org jessie Release [148 kB]
Get:6 http://deb.debian.org jessie-updates/main amd64 Packages [17.6 kB]
Get:7 http://deb.debian.org jessie/main amd64 Packages [9064 kB]
Fetched 9867 kB in 12s (759 kB/s)
Reading package lists... Done
Building dependency tree
Reading state information... Done
2 packages can be upgraded. Run 'apt list --upgradable' to see them.
root@bc895f00a2a5:/# apt list --upgradable
Listing... Done
libxml2/stable 2.9.1+dfsg1-5+deb8u4 amd64 [upgradable from: 2.9.1+dfsg1-5+deb8u3]
libxml2-dev/stable 2.9.1+dfsg1-5+deb8u4 amd64 [upgradable from: 2.9.1+dfsg1-5+deb8u3]
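
The check both posters ran by hand (pull the image, `apt update`, look at what is upgradable) is the kind of thing worth automating as an image-freshness gate. The script below is an added example, not code from the ruby or buildpack-deps projects or from anyone in this thread. It parses the `apt list --upgradable` output format shown above (the sample input is constructed from the lines tobiashm posted) and exposes a `check_image` helper, a hypothetical wrapper that needs a working `docker` and takes the image tag as a parameter, which returns non-zero when any package is pending upgrade.

```shell
#!/bin/sh
# Added example: gate on pending apt upgrades inside a Docker image.
# Not part of the ruby-docker project; docker-based helper is illustrative.

# Constructed sample, copied from the thread's `apt list --upgradable` run.
SAMPLE_APT_LIST='Listing... Done
libxml2/stable 2.9.1+dfsg1-5+deb8u4 amd64 [upgradable from: 2.9.1+dfsg1-5+deb8u3]
libxml2-dev/stable 2.9.1+dfsg1-5+deb8u4 amd64 [upgradable from: 2.9.1+dfsg1-5+deb8u3]'

# parse_upgradable: read `apt list --upgradable` output on stdin and print one
# "package old-version -> new-version" line per pending upgrade.
# Skips the "Listing... Done" header, apt's CLI-interface WARNING, and blanks.
parse_upgradable() {
    awk '
        /^Listing\.\.\./ || /^WARNING/ || /^$/ { next }
        {
            split($1, name, "/")          # "libxml2/stable" -> name[1] = "libxml2"
            new = $2                      # candidate version
            cur = $NF; sub(/]$/, "", cur) # installed version, trailing "]" removed
            printf "%s %s -> %s\n", name[1], cur, new
        }'
}

# count_upgradable: number of packages pending upgrade in the input on stdin.
count_upgradable() {
    parse_upgradable | wc -l | tr -d ' '
}

# check_image IMAGE: hypothetical CI helper (requires docker). Refreshes the
# package index inside a throwaway container, lists pending upgrades, and
# returns non-zero if there are any, so a stale base image fails the build.
check_image() {
    image="$1"
    out=$(docker run --rm "$image" sh -c \
        'apt-get update -qq >/dev/null && apt list --upgradable 2>/dev/null')
    printf '%s\n' "$out" | parse_upgradable
    n=$(printf '%s\n' "$out" | count_upgradable)
    [ "$n" -eq 0 ]
}

# Stand-alone demo on the constructed sample (no docker needed):
printf '%s\n' "$SAMPLE_APT_LIST" | parse_upgradable
```

Usage in a pipeline would be `check_image ruby:2.1 || exit 1`. Note that this only catches packages whose fixed version has already reached the Debian repositories; as the thread shows, the real fix is that the upstream base image gets rebuilt, so the gate is a detection aid for stale images, not a substitute for rebuilding.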

tianon (Member) commented Dec 28, 2016

tianon closed this as completed Dec 28, 2016