SeleniumHQ / docker-selenium

Provides a simple way to run Selenium Grid with Chrome, Firefox, and Edge using Docker, making it easier to perform browser automation
http://www.selenium.dev/docker-selenium/

[🐛 Bug]: security vulnerabilities on selenium/node-firefox:4.22.0-20240621 image #2302

Closed e-dsouza closed 1 month ago

e-dsouza commented 1 month ago

What happened?

Security vulnerabilities on selenium/node-firefox:4.22.0-20240621 image. https://ubuntu.com/security/CVE-2024-26924 https://ubuntu.com/security/CVE-2024-26643

The issue with package linux-libc-dev version 5.15.0-112.122. The recommended fix is to use version 5.15.0-113.123

Command used to start Selenium Grid with Docker (or Kubernetes)

Currently using OCP container for firefox node with image selenium/node-firefox:4.22.0-20240621

Relevant log output

$ dpkg -s linux-libc-dev

Package: linux-libc-dev
Status: install ok installed
Priority: optional
Section: devel
Installed-Size: 6888
Maintainer: Ubuntu Kernel Team <kernel-team@lists.ubuntu.com>
Architecture: amd64
Multi-Arch: same
Source: linux
Version: 5.15.0-107.117
Replaces: linux-kernel-headers
Provides: aufs-dev, linux-kernel-headers
Conflicts: linux-kernel-headers
Description: Linux Kernel Headers for development
This package provides headers from the Linux kernel. These headers are used by the installed headers for GNU glibc and other system libraries. They are NOT meant to be used to build third-party modules for your kernel. Use linux-headers-* packages for that.

Operating System

Ubuntu

Docker Selenium version (image tag)

4.22.0-20240621

Selenium Grid chart version (chart version)

None

github-actions[bot] commented 1 month ago

@e-dsouza, thank you for creating this issue. We will troubleshoot it as soon as we can.


Info for maintainers

Triage this issue by using labels.

If information is missing, add a helpful comment and then I-issue-template label.

If the issue is a question, add the I-question label.

If the issue is valid but there is no time to troubleshoot it, consider adding the help wanted label.

If the issue requires changes or fixes from an external project (e.g., ChromeDriver, GeckoDriver, MSEdgeDriver, W3C), add the applicable G-* label, and it will provide the correct link and auto-close the issue.

After troubleshooting the issue, please add the R-awaiting answer label.

Thank you!

VietND96 commented 1 month ago

In the upcoming release, we expect that a huge number of vulnerabilities will be resolved with the new base OS. If possible, can you scan the image tag nightly and see those 2 CVEs are resolved and confirm?

e-dsouza commented 1 month ago

@VietND96 Thank you. No vulnerabilities with the Nightly image. Do we have a date for the upcoming release?

VietND96 commented 1 month ago

I think probably in the 3rd week of this month when the new version of browsers and selenium-grid come

e-dsouza commented 1 month ago

@VietND96 the nightly Firefox image had linux-libc-dev version 6.8.0-36.36 (Ubuntu 24.04 LTS). I was notified of a new vulnerability. See details below.

Vulnerability: The linux-libc-dev package version 6.8.0-36.36 for selenium-node-firefox is missing security updates. It is, therefore, affected by one or more vulnerabilities. For additional information refer to: https://ubuntu.com/security/CVE-2024-26925

Recommended Remediation: Update linux-libc-dev from 6.8.0-36.36 to 6.8.0-38.38. For additional information refer to: https://ubuntu.com/security/CVE-2024-26925

VietND96 commented 1 month ago

Please verify the latest image tag released 4.23.0-20240727

github-actions[bot] commented 2 days ago

This issue has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.