
Bump docker to version 26.1.5 to fix CVE-2024-41110 #331

Merged

Conversation

jericop
Copy link
Contributor

@jericop jericop commented Aug 22, 2024

Summary

This change bumps the docker library to 26.1.5 to resolve CVE-2024-41110.

Use Cases

We noticed HIGH vulnerabilities when scanning containers built with the node-js buildpack caused by the 0-setup-symlinks binary from the npm-install buildpack.

cccam is used here
https://github.com/paketo-buildpacks/npm-install/blob/a01f9fc34b8cb106f8c7503f13ab70952533f157/go.mod#L9

Sample output from trivy scan

layers/paketo-buildpacks_npm-install/launch-modules/exec.d/0-setup-symlinks (gobinary)

Total: 1 (HIGH: 0, CRITICAL: 1)

┌──────────────────────────┬────────────────┬──────────┬──────────────────────┬─────────────────────────────────┬────────────────────────────────────────────┐
│         Library          │ Vulnerability  │ Severity │  Installed Version   │          Fixed Version          │                   Title                    │
├──────────────────────────┼────────────────┼──────────┼──────────────────────┼─────────────────────────────────┼────────────────────────────────────────────┤
│ github.com/docker/docker │ CVE-2024-41110 │ CRITICAL │ v26.1.4+incompatible │ 23.0.15, 26.1.5, 27.1.1, 25.0.6 │ moby: Authz zero length regression         │
│                          │                │          │                      │                                 │ https://avd.aquasec.com/nvd/cve-2024-41110 │
└──────────────────────────┴────────────────┴──────────┴──────────────────────┴─────────────────────────────────┴────────────────────────────────────────────┘

Checklist

  • I have viewed, signed, and submitted the Contributor License Agreement.
  • I have linked issue(s) that this PR should close using keywords or the Github UI (See docs)
  • I have added an integration test, if necessary.
  • I have reviewed the styleguide for guidance on my code quality.
  • I'm happy with the commit history on this PR (I have rebased/squashed as needed).
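The practical check behind this PR is: which `github.com/docker/docker` version is compiled into the `0-setup-symlinks` binary, and does it fall inside the affected range for CVE-2024-41110? The Go program below is an added example, not code from this PR or from the npm-install buildpack. It parses `go version -m <binary>` style output (here a constructed sample with placeholder module sums, not real build info) and compares the linked version against the fixed versions trivy reported above. The function names, the sample text and the range rule (each release line is fixed from its listed fixed version onward, a line with no fix such as 24.x stays vulnerable, anything newer than the newest fixed major is treated as fixed) are assumptions of this example.

```go
package main

import (
	"bufio"
	"fmt"
	"strconv"
	"strings"
)

// fixedDockerVersions are the fixed versions reported by trivy for
// CVE-2024-41110 in the scan output above (one per maintained release line).
var fixedDockerVersions = []string{"23.0.15", "25.0.6", "26.1.5", "27.1.1"}

// sampleBuildInfo is a constructed stand-in for `go version -m <binary>`
// output; the h1: sums are placeholders, not real module hashes.
const sampleBuildInfo = `layers/paketo-buildpacks_npm-install/launch-modules/exec.d/0-setup-symlinks: go1.22.5
	path	github.com/paketo-buildpacks/npm-install/cmd/setup-symlinks
	mod	github.com/paketo-buildpacks/npm-install	(devel)
	dep	github.com/docker/docker	v26.1.4+incompatible	h1:placeholder-sum=
	dep	github.com/paketo-buildpacks/packit/v2	v2.14.0	h1:placeholder-sum=
	build	-buildmode=exe
`

type version struct{ major, minor, patch int }

// parseVersion accepts the forms seen in Go build info and in trivy output:
// "v26.1.4+incompatible", "26.1.5", "v27.1.1-rc1". Build metadata and
// pre-release suffixes are dropped; only MAJOR.MINOR.PATCH is compared.
func parseVersion(s string) (version, error) {
	core := strings.TrimPrefix(s, "v")
	if i := strings.IndexAny(core, "+-"); i >= 0 {
		core = core[:i]
	}
	parts := strings.Split(core, ".")
	if len(parts) != 3 {
		return version{}, fmt.Errorf("unsupported version %q", s)
	}
	var n [3]int
	for i, p := range parts {
		x, err := strconv.Atoi(p)
		if err != nil {
			return version{}, fmt.Errorf("unsupported version %q: %w", s, err)
		}
		n[i] = x
	}
	return version{n[0], n[1], n[2]}, nil
}

func (a version) less(b version) bool {
	if a.major != b.major {
		return a.major < b.major
	}
	if a.minor != b.minor {
		return a.minor < b.minor
	}
	return a.patch < b.patch
}

// IsVulnerable reports whether installed falls in an affected range (assumed
// rule): a release line is fixed from its listed fixed version onward; a line
// with no fixed version below the newest fixed major (24.x here) is still
// vulnerable; anything newer than the newest fixed major is treated as fixed.
func IsVulnerable(installed string, fixed []string) (bool, error) {
	v, err := parseVersion(installed)
	if err != nil {
		return false, err
	}
	newestFixedMajor := -1
	for _, fs := range fixed {
		f, err := parseVersion(fs)
		if err != nil {
			return false, err
		}
		if f.major > newestFixedMajor {
			newestFixedMajor = f.major
		}
		if f.major == v.major && !v.less(f) {
			return false, nil
		}
	}
	return v.major <= newestFixedMajor, nil
}

// ModuleVersion extracts a module's version from `go version -m` output.
// A "=>" line directly after the matched dep carries a replace directive,
// and that replacement version is the one actually linked, so it wins.
func ModuleVersion(buildinfo, module string) (string, bool) {
	sc := bufio.NewScanner(strings.NewReader(buildinfo))
	found, ver := false, ""
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		if len(f) < 3 {
			continue
		}
		switch {
		case (f[0] == "dep" || f[0] == "mod") && f[1] == module:
			found, ver = true, f[2]
		case found && f[0] == "=>":
			return f[2], true
		case found:
			return ver, true
		}
	}
	return ver, found
}

func main() {
	ver, ok := ModuleVersion(sampleBuildInfo, "github.com/docker/docker")
	if !ok {
		fmt.Println("github.com/docker/docker is not linked into this binary")
		return
	}
	vuln, err := IsVulnerable(ver, fixedDockerVersions)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("github.com/docker/docker %s vulnerable to CVE-2024-41110: %v\n", ver, vuln)
}
```

To run this against a real layer, replace `sampleBuildInfo` with the output of `go version -m layers/paketo-buildpacks_npm-install/launch-modules/exec.d/0-setup-symlinks`; the `dep` line for `github.com/docker/docker` is the ground truth trivy reads, and after the bump it should show `v26.1.5+incompatible`, which the check reports as not vulnerable.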

@jericop jericop requested a review from a team as a code owner August 22, 2024 13:45
@ForestEckhardt ForestEckhardt added the semver:patch A change requiring a patch version bump label Aug 22, 2024
@ForestEckhardt ForestEckhardt merged commit 1193f3c into paketo-buildpacks:main Aug 22, 2024
7 of 8 checks passed