-
Notifications
You must be signed in to change notification settings - Fork 108
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Update bullseye image to fix critical security vulenrabilities #172
Comments
Official Images FAQ:
The Debian images were updated ~16 days ago (docker-library/official-images#13005), so it could still be a couple weeks out before the images are rebuilt. If you cannon wait for updated images, then update the specific packages to the fixed version in your own Dockerfile FROM debian:bullseye
RUN set -e; \
apt-get update; \
apt-get install -y -V \
zlib1g=1:1.2.11.dfsg-2+deb11u2 \
libxslt1.1=1.1.34-4+deb11u1 |
hey @yosifkit: Thx for the reply. I read the section in the readme and to me that read that this case should qualify as a reason to rebuild. the CVE-2022-37434 has a base score of 9.8 at NVD and although some distributions assigned a lower score (e.g. suse only 8.1), because the consider the exploitability to be harder, this is potentially a very serious issue. As zlib is very commonly used library, I would consider this "a security need". TLDR; It would probably be really helpful if you could state very briefly how you asses CVEs and derive a need to rebuild the image from that assesment. |
It would be preferable to get this one out a bit early in order to pick up the 11.5 release as well. |
Fixed via docker-library/official-images#13132 |
Hey dear maintainers,
debian upstream fixed a couple of very high cve score security vulnerabilities on bullseye.
https://www.debian.org/security/2022/dsa-5218
https://www.debian.org/security/2022/dsa-5216
Could you therefore please update the bullseye and possibly other related images?
The text was updated successfully, but these errors were encountered: