Tecnativa / doodba

Base image for making the creation of customized Odoo environments a piece of cake
Apache License 2.0

Security issues found on the last v14 image #464

Closed Garcicasti closed 2 years ago

Garcicasti commented 2 years ago

Hello, and thanks for this amazing project repository!

I would like to report two critical security vulnerabilities that I have found on the latest v14:onbuild images. These were detected by an automated tool on AWS (can't remember the name at the moment).

- CVE-2019-14889, libssh 0.8.7-1+deb10u1, CRITICAL: A flaw was found with the libssh API function ssh_scp_new() in versions before 0.9.3 and before 0.8.8. When the libssh SCP client connects to a server, the scp command, which includes a user-provided path, is executed on the server-side. In case the library is used in a way where users can influence the third parameter of the function, it would become possible for an attacker to inject arbitrary commands, leading to a compromise of the remote target.
- CVE-2021-3973, vim 2:8.1.0875-5, CRITICAL: vim is vulnerable to Heap-based Buffer Overflow

I'm not sure how we should go about fixing this for everyone. Could someone guide me? Thanks!

pedrobaeza commented 2 years ago

A responsible disclosure of this would have been better (not making this public without the solution), but we will check it. At first sight, we are using the utilities bundled by the OS, but maybe we can force such versions.

joao-p-marques commented 2 years ago

Well, we are at the mercy of Debian/Ubuntu packaging here :man_shrugging:

None of the CVEs seem like a dangerous problem for our usage of those tools, though. But in any case we have weekly builds of Doodba, so as soon as the fixes roll out in Debian repositories, they will land on the images.