
CVE's in promtail 2.6.1 released image #6928

Closed
athrunecho opened this issue Aug 17, 2022 · 4 comments

Comments

@athrunecho

Hi, I have scanned the promtail 2.6.1 image using security tools and found some CVE issues. I found these vulnerabilities are imported by x86_64-linux-gnu. Do these vulnerabilities have serious implications, and is there a plan to address them?

[Vulnerability]
pcre2 10.36-2:
CVE: https://nvd.nist.gov/vuln/detail/CVE-2022-1586
CVE: https://nvd.nist.gov/vuln/detail/CVE-2022-1587

zlib 1.2.11.dfsg-2+deb11u1:
CVE: https://nvd.nist.gov/vuln/detail/CVE-2022-37434

berkeleydb 5.3.28+dfsg1-0.8:
CVE: there are 19 so not post here.

gnutls 3.7.1-5+deb11u1:
CVE: https://nvd.nist.gov/vuln/detail/CVE-2022-2509

openssl 1.1.1n-0+deb11u3:
CVE: https://nvd.nist.gov/vuln/detail/CVE-2022-2097

pcre 8.39-13:
CVE: https://nvd.nist.gov/vuln/detail/CVE-2019-20838

@DylanGuedes
Contributor

DylanGuedes commented Aug 29, 2022

Repeating the message I shared on your other issue:
We definitely have plans to fix CVEs, thanks for reporting it. By the description of those I'm unsure how critical they are, but since bumping their version will likely fix it and isn't highly time demanding, we'll probably fix them by September.

@CherryJia

@DylanGuedes do we have a newer version released recently for both loki and promtail? If so, we will wait for a newer version; we are on 2.5 in production now.

@JStickler
Contributor

This issue is almost a year old; is there any reason to keep it open?

@chaudum
Contributor

chaudum commented Apr 18, 2024

I think we can close this issue in favour of discussing using a different, more minimal base image for Promtail, see #838

--

This does not mean that we don't take CVEs seriously, but we have to distinguish between CVEs that get eliminated due to regular base image updates and CVEs that are actually exploitable through the application running in that container.

@chaudum chaudum closed this as completed Apr 18, 2024
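Added example (not from this thread or the Loki project): a dpkg-style version comparison in Python that sorts scanner findings like the ones above into "fixed by a base image update", "installed version already at or past the fix" (a likely scanner false positive), or "no fix known yet". The installed versions are the ones reported in the issue; the fixed versions in FIXED_IN are constructed placeholders, not values from the Debian security tracker.

```python
import re
from itertools import zip_longest

def _order(c):
    # dpkg character ordering: '~' sorts before everything (even end of string),
    # end of string before letters, letters before any other character.
    if c == "~":
        return -1
    if c == "":
        return 0
    return ord(c) if c.isalpha() else ord(c) + 256

def _cmp_fragment(a, b):
    # Compare one dpkg version fragment (upstream or revision): alternate
    # non-digit runs (character by character) and digit runs (numerically).
    while a or b:
        sa, sb = re.match(r"[^0-9]*", a).group(), re.match(r"[^0-9]*", b).group()
        a, b = a[len(sa):], b[len(sb):]
        for ca, cb in zip_longest(sa, sb, fillvalue=""):
            d = _order(ca) - _order(cb)
            if d:
                return -1 if d < 0 else 1
        na, nb = re.match(r"[0-9]*", a).group(), re.match(r"[0-9]*", b).group()
        a, b = a[len(na):], b[len(nb):]
        d = int(na or "0") - int(nb or "0")
        if d:
            return -1 if d < 0 else 1
    return 0

def parse_version(v):
    # Split "[epoch:]upstream[-revision]"; epoch defaults to 0, revision to "".
    epoch, sep, rest = v.partition(":")
    if not sep:
        epoch, rest = "0", v
    upstream, sep, revision = rest.rpartition("-")
    if not sep:
        upstream, revision = rest, ""
    return int(epoch), upstream, revision

def compare(v1, v2):
    # Returns -1, 0 or 1 like dpkg --compare-versions.
    e1, u1, r1 = parse_version(v1)
    e2, u2, r2 = parse_version(v2)
    if e1 != e2:
        return -1 if e1 < e2 else 1
    return _cmp_fragment(u1, u2) or _cmp_fragment(r1, r2)

# Constructed input: (package, installed version, CVE) as reported in the thread.
FINDINGS = [("zlib", "1.2.11.dfsg-2+deb11u1", "CVE-2022-37434"),
            ("openssl", "1.1.1n-0+deb11u3", "CVE-2022-2097"),
            ("pcre2", "10.36-2", "CVE-2022-1586")]
# Placeholder fixed versions (hypothetical); take real ones from the distro tracker.
FIXED_IN = {("zlib", "CVE-2022-37434"): "1.2.11.dfsg-2+deb11u2",
            ("openssl", "CVE-2022-2097"): "1.1.1n-0+deb11u3"}

def triage(findings, fixed_in):
    # Classify each finding by comparing installed vs. fixed version.
    out = {}
    for pkg, installed, cve in findings:
        fixed = fixed_in.get((pkg, cve))
        if fixed is None:
            out[cve] = "no-fix-known"
        elif compare(installed, fixed) < 0:
            out[cve] = "fixed-by-base-image-update"
        else:
            out[cve] = "already-fixed-likely-false-positive"
    return out
```

Findings that survive this triage still need the second question from the comment above: whether the process in the container actually loads the affected library.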