GoogleContainerTools / distroless

🥑 Language focused docker images, minus the operating system.
Apache License 2.0

Snyk scan reports `CVE-2024-5535` on `gcr.io/distroless/nodejs18-debian12:nonroot` #1711

Closed pete-woods closed 21 hours ago

pete-woods commented 2 days ago

Please describe the image you encountered this with and a link to the debian security tracker https://security-tracker.debian.org/tracker/CVE-2024-5535

I don't really understand why this is happening, as Debian seems to have released a fix for bookworm. However the tracker does show an outdated version in the security repo?

It kinda looks like the image is picking up the older openssl release from the security repository.

[Screenshot, 2024-11-11 11:53:09]

This is the output from our security scanner (Snyk), which seems to indicate the distroless image contains the older release:

+--------------+-----------+------------------+--------------------+----------+-----------------------------------------------------------+------------------+------------+------------------+-----------+
| PACKAGE NAME | NAMESPACE | VERSION          | VULNERABILITY NAME | SEVERITY | LINK                                                      | FIX VERSION      | STATUS     | IN GRACE PERIOD? | DAYS LEFT |
+--------------+-----------+------------------+--------------------+----------+-----------------------------------------------------------+------------------+------------+------------------+-----------+
| openssl      | debian:12 | 3.0.14-1~deb12u2 | CVE-2024-5535      | Critical | https://security-tracker.debian.org/tracker/CVE-2024-5535 | 3.0.15-1~deb12u1 | VULNERABLE | false            |         0 |
| openssl      | debian:12 | 3.0.14-1~deb12u2 | CVE-2024-9143      | Medium   | https://security-tracker.debian.org/tracker/CVE-2024-9143 | 3.0.15-1~deb12u1 | VULNERABLE | false            |         0 |
+--------------+-----------+------------------+--------------------+----------+-----------------------------------------------------------+------------------+------------+------------------+-----------+

pete-woods commented 2 days ago

Hmm - this bot PR for the base seems relevant https://github.com/GoogleContainerTools/distroless/pull/1710

It looks to be bumping openssl to 3.0.15

Kalovelo commented 2 days ago

Got on this as well, wondering if there's a workaround to install the latest version while waiting for the merged PR

pete-woods commented 2 days ago

Based on a quick snoop around, it looks like loosebazooka is the one-person merging machine keeping on top of the PRs from the bot.

pete-woods commented 21 hours ago

1710 is merged now!