Update bullseye image to fix critical security vulnerabilities #172

Closed
uwinkelvos opened this issue Sep 1, 2022 · 4 comments

Comments

uwinkelvos commented Sep 1, 2022

Hey dear maintainers,

Debian upstream fixed a couple of very high CVE score security vulnerabilities on bullseye.
https://www.debian.org/security/2022/dsa-5218
https://www.debian.org/security/2022/dsa-5216

Could you therefore please update the bullseye and possibly other related images?

yosifkit (Collaborator) commented Sep 7, 2022

Official Images FAQ:

Though not every CVE is removed from the images, we take CVEs seriously and try to ensure that images contain the most up-to-date packages available within a reasonable time frame

[...]

We strive to publish updated images at least monthly for Debian. We also rebuild earlier if there is a critical security need. Many Official Images are maintained by the community or their respective upstream projects, like Ubuntu, Alpine, and Oracle Linux, and are subject to their own maintenance schedule.

Source: https://github.com/docker-library/faq/tree/0ad5fd60288109c875a54a37f6581b2deaa836db#why-does-my-security-scanner-show-that-an-image-has-cves

The Debian images were updated ~16 days ago (docker-library/official-images#13005), so it could still be a couple weeks out before the images are rebuilt.

If you cannot wait for updated images, then update the specific packages to the fixed version in your own Dockerfile FROM debian:bullseye (or your dependent image of choice).

FROM debian:bullseye
RUN set -e; \
    apt-get update; \
    apt-get install -y -V \
      zlib1g=1:1.2.11.dfsg-2+deb11u2 \
      libxslt1.1=1.1.34-4+deb11u1
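Pinning the fixed versions as above only helps if you can also tell, for an image you already run, whether the installed packages are still below those versions. The following is an added example (not from this thread or the docker-library project): a small Python check that reads `dpkg-query -W -f='${Package} ${Version}\n'` output and reimplements dpkg's version ordering (epoch, upstream part, Debian revision, with `~` sorting before everything) so the comparison works outside a Debian system, e.g. in CI over output saved from a container. The minimum versions are the two pinned in the Dockerfile above; the dpkg-query sample is constructed.

```python
r"""Check installed Debian packages against minimum fixed versions.

Added example, not from the issue thread or docker-library. Reimplements
dpkg's version comparison so the check can run anywhere over output saved from:
    dpkg-query -W -f='${Package} ${Version}\n'
"""

# Minimum fixed versions, taken from the Dockerfile in the comment above.
FIXED_VERSIONS = {
    "zlib1g": "1:1.2.11.dfsg-2+deb11u2",
    "libxslt1.1": "1.1.34-4+deb11u1",
}

# Constructed sample of dpkg-query output: zlib1g still on the older build,
# libxslt1.1 already at the fixed version, one package not covered at all.
SAMPLE_DPKG_QUERY = """\
zlib1g 1:1.2.11.dfsg-2+deb11u1
libxslt1.1 1.1.34-4+deb11u1
ca-certificates 20210119
"""


def _order(ch):
    """dpkg character weight: '~' sorts before end-of-string, letters before symbols."""
    if ch == "~":
        return -1
    if ch == "" or ch.isdigit():
        return 0
    if ch.isalpha():
        return ord(ch)
    return ord(ch) + 256


def _cmp_fragment(a, b):
    """Compare one version fragment (upstream or revision) the way dpkg does."""
    ia = ib = 0
    while ia < len(a) or ib < len(b):
        first_diff = 0
        # Non-digit run: compare character by character using dpkg's weights.
        while (ia < len(a) and not a[ia].isdigit()) or (ib < len(b) and not b[ib].isdigit()):
            ac = _order(a[ia] if ia < len(a) else "")
            bc = _order(b[ib] if ib < len(b) else "")
            if ac != bc:
                return ac - bc
            ia += 1
            ib += 1
        # Digit run: strip leading zeros, then the longer run wins, else first difference.
        while ia < len(a) and a[ia] == "0":
            ia += 1
        while ib < len(b) and b[ib] == "0":
            ib += 1
        while ia < len(a) and ib < len(b) and a[ia].isdigit() and b[ib].isdigit():
            if not first_diff:
                first_diff = ord(a[ia]) - ord(b[ib])
            ia += 1
            ib += 1
        if ia < len(a) and a[ia].isdigit():
            return 1
        if ib < len(b) and b[ib].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def parse_version(version):
    """Split '[epoch:]upstream[-revision]' into (epoch, upstream, revision)."""
    epoch = 0
    if ":" in version:
        epoch_str, version = version.split(":", 1)
        epoch = int(epoch_str)
    upstream, sep, revision = version.rpartition("-")
    if not sep:  # no Debian revision present
        upstream, revision = version, ""
    return epoch, upstream, revision


def compare_versions(a, b):
    """Return -1, 0 or 1 as Debian version a is older than, equal to or newer than b."""
    ea, ua, ra = parse_version(a)
    eb, ub, rb = parse_version(b)
    if ea != eb:
        return (ea > eb) - (ea < eb)
    result = _cmp_fragment(ua, ub) or _cmp_fragment(ra, rb)
    return (result > 0) - (result < 0)


def parse_dpkg_query(text):
    """Turn 'package version' lines into a dict."""
    installed = {}
    for line in text.splitlines():
        if line.strip():
            name, version = line.split(None, 1)
            installed[name] = version.strip()
    return installed


def find_unpatched(installed, fixed):
    """Names of packages that are installed but older than their fixed version."""
    return sorted(name for name, minimum in fixed.items()
                  if name in installed and compare_versions(installed[name], minimum) < 0)


if __name__ == "__main__":
    for pkg in find_unpatched(parse_dpkg_query(SAMPLE_DPKG_QUERY), FIXED_VERSIONS):
        print(f"{pkg}: installed version is below {FIXED_VERSIONS[pkg]}")
```

On a real Debian host the same comparison is available as `dpkg --compare-versions A lt B`; the reimplementation is only there so the check can run on a CI runner that is not itself Debian-based.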

uwinkelvos (Author) commented Sep 9, 2022

Hey @yosifkit: Thx for the reply. I read the section in the readme and to me that read that this case should qualify as a reason to rebuild. CVE-2022-37434 has a base score of 9.8 at NVD and although some distributions assigned a lower score (e.g. SUSE only 8.1), because they consider the exploitability to be harder, this is potentially a very serious issue. As zlib is a very commonly used library, I would consider this "a security need".

TL;DR: It would probably be really helpful if you could state very briefly how you assess CVEs and derive a need to rebuild the image from that assessment.

ReillyBrogan commented

It would be preferable to get this one out a bit early in order to pick up the 11.5 release as well.

tianon (Contributor) commented Sep 13, 2022

Fixed via docker-library/official-images#13132

@tianon tianon closed this as completed Sep 13, 2022
4 participants