Switch to debian bookworm (new stable) #86

Open: wants to merge 1 commit into master
Conversation

@wader (Owner) commented Jun 15, 2023

No description provided.

@wader (Owner, Author) commented Jun 15, 2023

@hemberger good idea?

@wader (Owner, Author) commented Jun 16, 2023

Might need testing with a non-basic setup? anyone up for it?

@ogmueller commented

There are some critical errors in the build. They are probably in there because of the old Debian, I assume.

SCAN OF mwader/postfix-relay:latest...

mwader/postfix-relay:latest (debian 10.13)
==========================================
Total: 6 (CRITICAL: 6)

┌─────────────────┬────────────────┬──────────┬──────────────┬─────────────────────────┬───────────────┬────────────────────────────────────────────────────────┐
│     Library     │ Vulnerability  │ Severity │    Status    │    Installed Version    │ Fixed Version │                         Title                          │
├─────────────────┼────────────────┼──────────┼──────────────┼─────────────────────────┼───────────────┼────────────────────────────────────────────────────────┤
│ db5.3-util      │ CVE-2019-8457  │ CRITICAL │ will_not_fix │ 5.3.28+dfsg1-0.5        │               │ sqlite: heap out-of-bound read in function rtreenode() │
│                 │                │          │              │                         │               │ https://avd.aquasec.com/nvd/cve-2019-8457              │
├─────────────────┤                │          │              │                         ├───────────────┤                                                        │
│ libdb5.3        │                │          │              │                         │               │                                                        │
│                 │                │          │              │                         │               │                                                        │
├─────────────────┼────────────────┤          ├──────────────┼─────────────────────────┼───────────────┼────────────────────────────────────────────────────────┤
│ libk5crypto3    │ CVE-2024-37371 │          │ affected     │ 1.17-3+deb10u6          │               │ krb5: GSS message token handling                       │
│                 │                │          │              │                         │               │ https://avd.aquasec.com/nvd/cve-2024-37371             │
├─────────────────┤                │          │              │                         ├───────────────┤                                                        │
│ libkrb5-3       │                │          │              │                         │               │                                                        │
│                 │                │          │              │                         │               │                                                        │
├─────────────────┤                │          │              │                         ├───────────────┤                                                        │
│ libkrb5support0 │                │          │              │                         │               │                                                        │
│                 │                │          │              │                         │               │                                                        │
├─────────────────┼────────────────┤          ├──────────────┼─────────────────────────┼───────────────┼────────────────────────────────────────────────────────┤
│ zlib1g          │ CVE-2023-45853 │          │ will_not_fix │ 1:1.2.11.dfsg-1+deb10u2 │               │ zlib: integer overflow and resultant heap-based buffer │
│                 │                │          │              │                         │               │ overflow in zipOpenNewFileInZip4_6                     │
│                 │                │          │              │                         │               │ https://avd.aquasec.com/nvd/cve-2023-45853             │
└─────────────────┴────────────────┴──────────┴──────────────┴─────────────────────────┴───────────────┴────────────────────────────────────────────────────────┘

@wader (Owner, Author) commented Sep 3, 2024

Hey! Yes, probably so, and yes, switching to the latest stable as base would be good. The only problem is testing; I'm not using this image much myself at the moment, so it would be good if someone with a reasonably complex config could try out a build using a newer base.

@wader (Owner, Author) commented Sep 3, 2024

Now there is a mwader/postfix-relay:bookworm image tag if someone wants to test things. Note that I haven't tried it at all, but it seems the same build actions worked fine.

Also noted that the GitHub Actions config is in some need of updates.

@ogmueller commented

I could test it, but our configuration is pretty simple. So it might not be a reliable test situation.

@ogmueller commented

Security-wise it got a lot better:

SCAN OF mwader/postfix-relay:bookworm...

mwader/postfix-relay:bookworm (debian 12.6)
===========================================
Total: 1 (CRITICAL: 1)

┌─────────┬────────────────┬──────────┬──────────────┬───────────────────┬───────────────┬────────────────────────────────────────────────────────┐
│ Library │ Vulnerability  │ Severity │    Status    │ Installed Version │ Fixed Version │                         Title                          │
├─────────┼────────────────┼──────────┼──────────────┼───────────────────┼───────────────┼────────────────────────────────────────────────────────┤
│ zlib1g  │ CVE-2023-45853 │ CRITICAL │ will_not_fix │ 1:1.2.13.dfsg-1   │               │ zlib: integer overflow and resultant heap-based buffer │
│         │                │          │              │                   │               │ overflow in zipOpenNewFileInZip4_6                     │
│         │                │          │              │                   │               │ https://avd.aquasec.com/nvd/cve-2023-45853             │
└─────────┴────────────────┴──────────┴──────────────┴───────────────────┴───────────────┴────────────────────────────────────────────────────────┘

@wader (Owner, Author) commented Sep 3, 2024

👍 Hmm, wonder why the last one is not fixed in bookworm? What I'm mostly concerned about is compatibility with people's existing setups, like config files, caches etc.

@ogmueller commented

Here is a short explanation of why they are ignoring it: https://security-tracker.debian.org/tracker/CVE-2023-45853.
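The two scans above show the practical distinction between a finding that a base-image bump clears and one it cannot: the remaining zlib1g entry has status `will_not_fix` and an empty Fixed Version, so no rebuild against bookworm will make it go away, while the krb5 entries were `affected` (fix pending in the distro) and the db5.3 ones `will_not_fix` on buster. The script below is an added example, not code from the postfix-relay project or from anyone in this thread: it reads Trivy's JSON output (`trivy image --format json --severity CRITICAL <image>`), splits findings into "fixable by rebuild", "pending a distro fix" and "distro won't fix", and diffs two reports to confirm which CVEs a base-image change actually resolved. The embedded reports are constructed from the two tables in this thread; the JSON field names (`Results`, `Vulnerabilities`, `VulnerabilityID`, `PkgName`, `FixedVersion`, `Status`) follow Trivy's JSON schema as I know it and the set of status strings treated as "won't fix" is an assumption.

```python
"""Triage Trivy JSON reports and diff two scans of the same image.

Example added to the PR discussion; not the project's own tooling.
Field names assume Trivy's JSON output format.
"""
import json


def _finding(vuln_id, pkg, installed, status, fixed=""):
    # Shape of one entry in Results[].Vulnerabilities[] (Trivy JSON).
    return {
        "VulnerabilityID": vuln_id,
        "PkgName": pkg,
        "InstalledVersion": installed,
        "FixedVersion": fixed,
        "Status": status,
        "Severity": "CRITICAL",
    }


# Constructed from the buster table in this thread (not a captured scan).
BUSTER_REPORT = json.dumps({
    "ArtifactName": "mwader/postfix-relay:latest",
    "Results": [{
        "Target": "mwader/postfix-relay:latest (debian 10.13)",
        "Class": "os-pkgs",
        "Vulnerabilities": [
            _finding("CVE-2019-8457", "db5.3-util", "5.3.28+dfsg1-0.5", "will_not_fix"),
            _finding("CVE-2019-8457", "libdb5.3", "5.3.28+dfsg1-0.5", "will_not_fix"),
            _finding("CVE-2024-37371", "libk5crypto3", "1.17-3+deb10u6", "affected"),
            _finding("CVE-2024-37371", "libkrb5-3", "1.17-3+deb10u6", "affected"),
            _finding("CVE-2024-37371", "libkrb5support0", "1.17-3+deb10u6", "affected"),
            _finding("CVE-2023-45853", "zlib1g", "1:1.2.11.dfsg-1+deb10u2", "will_not_fix"),
        ],
    }],
})

# Constructed from the bookworm table in this thread (not a captured scan).
BOOKWORM_REPORT = json.dumps({
    "ArtifactName": "mwader/postfix-relay:bookworm",
    "Results": [{
        "Target": "mwader/postfix-relay:bookworm (debian 12.6)",
        "Class": "os-pkgs",
        "Vulnerabilities": [
            _finding("CVE-2023-45853", "zlib1g", "1:1.2.13.dfsg-1", "will_not_fix"),
        ],
    }],
})

# Assumption: these Trivy status strings mean the distro will never ship a fix.
WONT_FIX_STATUSES = {"will_not_fix", "end_of_life"}


def load_findings(report_json):
    """Flatten all Results[].Vulnerabilities[] entries of one report."""
    report = json.loads(report_json)
    findings = []
    for result in report.get("Results", []):
        findings.extend(result.get("Vulnerabilities") or [])
    return findings


def triage(findings):
    """Bucket findings by what a rebuild of the image can do about them.

    fixable:  a FixedVersion exists, so rebuilding with current packages clears it
    wont_fix: the distro has declined to fix it; only a base change or an
              explicit, reasoned ignore entry makes it go away
    pending:  affected with no fix yet; re-scan later rather than ignore
    """
    buckets = {"fixable": [], "wont_fix": [], "pending": []}
    for v in findings:
        key = (v["VulnerabilityID"], v["PkgName"])
        if v.get("FixedVersion"):
            buckets["fixable"].append(key)
        elif v.get("Status") in WONT_FIX_STATUSES:
            buckets["wont_fix"].append(key)
        else:
            buckets["pending"].append(key)
    return buckets


def compare(before, after):
    """Which CVE IDs a base-image change resolved, left in place, or introduced."""
    old_ids = {v["VulnerabilityID"] for v in before}
    new_ids = {v["VulnerabilityID"] for v in after}
    return {
        "resolved": sorted(old_ids - new_ids),
        "remaining": sorted(old_ids & new_ids),
        "new": sorted(new_ids - old_ids),
    }


if __name__ == "__main__":
    buster = load_findings(BUSTER_REPORT)
    bookworm = load_findings(BOOKWORM_REPORT)
    print("buster:", triage(buster))
    print("bookworm:", triage(bookworm))
    print("bump effect:", compare(buster, bookworm))
```

Trivy's own `--ignore-unfixed` flag would drop both the `pending` and `wont_fix` buckets together, which hides the krb5 entries that will eventually get a fix; keeping the two apart is the point of the split above. A `will_not_fix` entry with no fixed version, such as the bookworm zlib1g one, is something to document with a reference to the distro's reasoning (like the tracker link above), not something another rebuild will clear.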

@wader (Owner, Author) commented Sep 6, 2024

I guess one thing we can do is to bump the major version to v2, but not sure if people will notice :)
