apache / couchdb-docker

Semi-official Apache CouchDB Docker images
https://github.com/apache/couchdb-docker
Apache License 2.0
263 stars 136 forks

Critical CVEs for couchdb:3.2.2 (2023-01-10) #231

Closed ThomasKroghMortensen closed 1 year ago

ThomasKroghMortensen commented 1 year ago

Expected Behavior

No Critical (or High) CVE reported for image couchdb:3.2.2.

Current Behavior

Multiple CVEs are reported from a Trivy scan of the couchdb:3.2.2 image.

couchdb-3.2.2(2023-01-10).zip

Especially the following critical CVEs:

| Image | CVE | Severity | Age (days) | Comments |
| -- | -- | -- | -- | -- |
| couchdb_3.2.2.tar | [CVE-2021-46848](https://security-tracker.debian.org/tracker/CVE-2021-46848) | critical | 71 | |
| couchdb_3.2.2.tar | [CVE-2022-32221](https://security-tracker.debian.org/tracker/CVE-2022-32221) | critical | 29 | |
| couchdb_3.2.2.tar | [CVE-2022-47629](https://security-tracker.debian.org/tracker/CVE-2022-47629) | critical | 14 | |

Possible Solution

Update the affected libs. See [couchdb-3.2.2(2023-01-10).zip](https://github.com/apache/couchdb-docker/files/10380801/couchdb-3.2.2.2023-01-10.zip)

Steps to Reproduce (for bugs)

Run a new image scan

Context

Security issues to deploy image

Your Environment

* Version used: (couchdb:3.2.2 (debian 11.6)) build ~2023-01-03 : ![image](https://user-images.githubusercontent.com/48994350/211508491-6fce8957-12c5-4a28-8a6c-38695d712244.png)

ThomasKroghMortensen commented 1 year ago

Anyone who knows when the next 3.2.2 image will be built?

ThomasKroghMortensen commented 1 year ago

No reply - moved to 3.3.1. Closing!