
Vulnerabilities docker image #291

Closed
fazaza opened this issue Sep 8, 2021 · 1 comment
Labels
question Usability question, not directly related to an error with the image

Comments

@fazaza

fazaza commented Sep 8, 2021

Bash vulnerability for Debian, fixed in 5.1-2 (https://security-tracker.debian.org/tracker/CVE-2019-18276)
Current version of bash: 5.0.3(1)-release

@wglambert wglambert added the question Usability question, not directly related to an error with the image label Sep 8, 2021
@wglambert

Redis is still on Debian Buster; however, its packages are all up to date:

$ docker run -it --rm redis bash
Unable to find image 'redis:latest' locally
latest: Pulling from library/redis
a330b6cecb98: Pull complete 
14bfbab96d75: Pull complete 
8b3e2d14a955: Pull complete 
5da5e1b21a2f: Pull complete 
6af3a5ca4596: Pull complete 
4f9efe5b47a5: Pull complete 
Digest: sha256:e595e79c05c7690f50ef0136acc9d932d65d8b2ce7915d26a68ca3fb41a7db61
Status: Downloaded newer image for redis:latest

root@2df778f747aa:/data# apt update && apt list --upgradeable
Get:1 http://deb.debian.org/debian buster InRelease [122 kB]
Get:2 http://security.debian.org/debian-security buster/updates InRelease [65.4 kB]
Get:3 http://deb.debian.org/debian buster-updates InRelease [51.9 kB]
Get:4 http://security.debian.org/debian-security buster/updates/main amd64 Packages [302 kB]
Get:5 http://deb.debian.org/debian buster/main amd64 Packages [7907 kB]
Get:6 http://deb.debian.org/debian buster-updates/main amd64 Packages [15.2 kB]
Fetched 8464 kB in 2s (3787 kB/s)                     
Reading package lists... Done
Building dependency tree       
Reading state information... Done
All packages are up to date.
Listing... Done

Also that CVE is noted by the Debian Security Team as having a "Negligible security impact" and its urgency is "unimportant"

See https://github.com/docker-library/faq#why-does-my-security-scanner-show-that-an-image-has-cves
And docker-library/openjdk#449 (comment), docker-library/postgres#286 (comment), docker-library/openjdk#161, docker-library/openjdk#112, docker-library/postgres#286, docker-library/drupal#84, docker-library/official-images#2740, docker-library/ruby#117, docker-library/ruby#94, docker-library/python#152, docker-library/php#242, docker-library/buildpack-deps#46, docker-library/openjdk#185.

A CVE doesn't imply having an actual vulnerability, and often is even a false positive (given how most distributions handle versioning/security updates in stable releases). If there are actionable items we can resolve, we're happy to do so (and do so actively). We update all Debian based images to include any updates in apt packages at least monthly (we regenerate the base images and then rebuild all dependent images).
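The triage the reply above walks through (is an apt update pending, does the Debian Security Team mark the release as fixed or "unimportant", and why a version-string scanner misfires on backported fixes) can be written down as a small check. The following is an added example and not code from the docker-library project or from anyone in this thread. It assumes the JSON layout of the Debian security tracker export (package → CVE → "releases" → per-release "status", "urgency", "fixed_version"); that layout is an assumption about the tracker's format, and the tracker entry and `apt list --upgradeable` output embedded below are constructed samples, not real runs.

```python
"""Triage a scanner CVE finding the way the maintainers' reply reasons about it.

Added example, not code from the docker-library project or from this thread.
The tracker JSON layout (package -> CVE -> "releases" -> status/urgency/
fixed_version) is an assumption about the Debian security tracker export;
all sample data below is constructed.
"""
import json
import re

# Constructed sample in the assumed tracker shape for the CVE named in the issue:
# open but "unimportant" on buster, resolved on bullseye at 5.1-2.
TRACKER = json.loads("""
{
  "bash": {
    "CVE-2019-18276": {
      "scope": "local",
      "releases": {
        "buster":   {"status": "open", "urgency": "unimportant",
                     "repositories": {"buster": "5.0-4"}},
        "bullseye": {"status": "resolved", "urgency": "unimportant",
                     "fixed_version": "5.1-2",
                     "repositories": {"bullseye": "5.1-2+b3"}}
      }
    }
  }
}
""")

# Constructed sample of `apt list --upgradeable` output with one pending update
# (the real run quoted in the thread printed only "Listing... Done").
APT_LIST_SAMPLE = """Listing... Done
bash/stable 5.0-4+deb10u1 amd64 [upgradable from: 5.0-4]
"""

# name/suite candidate arch [upgradable from: installed]
_APT_LINE = re.compile(r"^(?P<pkg>[^/\s]+)/\S+\s+(?P<candidate>\S+)\s+\S+\s+"
                       r"\[upgradable from:\s*(?P<installed>[^\]]+)\]")


def parse_upgradeable(text):
    """Map package name -> (installed, candidate) from `apt list --upgradeable`."""
    found = {}
    for line in text.splitlines():
        m = _APT_LINE.match(line.strip())
        if m:
            found[m.group("pkg")] = (m.group("installed"), m.group("candidate"))
    return found


def upstream_version(debian_version):
    """Strip epoch and Debian revision: '1:5.0-4+deb10u1' -> '5.0'.

    This is why version-matching scanners misfire on stable releases: a
    backported security fix bumps only the Debian revision, so the upstream
    part (what `bash --version` reports) is unchanged after the update.
    """
    without_epoch = re.sub(r"^\d+:", "", debian_version)
    if "-" in without_epoch:
        return without_epoch.rsplit("-", 1)[0]
    return without_epoch


def triage(package, cve, release, tracker, upgradeable):
    """Classify a finding: not-tracked, not-affected, pending-apt-upgrade,
    fixed-in-release, negligible or actionable."""
    entry = tracker.get(package, {}).get(cve)
    if entry is None:
        return "not-tracked"           # nothing known; needs a human look
    rel = entry.get("releases", {}).get(release)
    if rel is None:
        return "not-affected"          # no record for this release
    if package in upgradeable:
        return "pending-apt-upgrade"   # an update exists: apply it first
    if rel.get("status") == "resolved":
        return "fixed-in-release"      # already fixed at the installed revision
    if rel.get("urgency") == "unimportant":
        return "negligible"            # Debian Security Team: no fix planned
    return "actionable"


if __name__ == "__main__":
    print(upstream_version("1:5.0-4+deb10u1"))
    print(triage("bash", "CVE-2019-18276", "buster", TRACKER, {}))
    print(triage("bash", "CVE-2019-18276", "buster", TRACKER,
                 parse_upgradeable(APT_LIST_SAMPLE)))
```

Run inside the container after `apt update && apt list --upgradeable`, feeding that output to `parse_upgradeable`, and the scanner finding plus the tracker export to `triage`; a "negligible" or "fixed-in-release" result is the case the reply describes, while "pending-apt-upgrade" is the one that is actually actionable for the image.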

@tianon tianon closed this as completed Sep 8, 2021