bitnami / containers

Bitnami container images
https://bitnami.com

[bitnami/moodle]: Close some CVEs in vendorized Apache via upgrade #64958

Closed nickmarden closed 7 months ago

nickmarden commented 7 months ago

Name and Version

bitnami/moodle:4.3.3-debian-12-r7

What architecture are you using?

None

What steps will reproduce the bug?

$ trivy image bitnami/moodle:4.3.3-debian-12-r7 --ignore-unfixed --scanners vuln
2024-04-08T11:53:05.382-0400    INFO    Vulnerability scanning is enabled
2024-04-08T11:53:06.257-0400    INFO    Detected OS: debian
2024-04-08T11:53:06.257-0400    INFO    Detecting Debian vulnerabilities...
2024-04-08T11:53:06.286-0400    INFO    Number of language-specific files: 9
2024-04-08T11:53:06.286-0400    INFO    Detecting gobinary vulnerabilities...
2024-04-08T11:53:06.286-0400    INFO    Detecting bitnami vulnerabilities...
2024-04-08T11:53:06.293-0400    INFO    Detecting node-pkg vulnerabilities...

bitnami/moodle:4.3.3-debian-12-r7 (debian 12.5)

Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

opt/bitnami/apache (bitnami)

Total: 3 (UNKNOWN: 2, LOW: 0, MEDIUM: 0, HIGH: 1, CRITICAL: 0)

┌─────────┬────────────────┬──────────┬────────┬───────────────────┬───────────────┬────────────────────────────────────────────────────────────┐
│ Library │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version │                           Title                            │
├─────────┼────────────────┼──────────┼────────┼───────────────────┼───────────────┼────────────────────────────────────────────────────────────┤
│ Apache  │ CVE-2024-27316 │ HIGH     │ fixed  │ 2.4.58-8          │ 2.4.59        │ httpd: CONTINUATION frames DoS                             │
│         │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2024-27316                 │
│         ├────────────────┼──────────┤        │                   │               ├────────────────────────────────────────────────────────────┤
│         │ CVE-2023-38709 │ UNKNOWN  │        │                   │               │ Faulty input validation in the core of Apache allows       │
│         │                │          │        │                   │               │ malicious or expl...                                       │
│         │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2023-38709                 │
│         ├────────────────┤          │        │                   │               ├────────────────────────────────────────────────────────────┤
│         │ CVE-2024-24795 │          │        │                   │               │ HTTP Response splitting in multiple modules in Apache HTTP │
│         │                │          │        │                   │               │ Server allo ......                                         │
│         │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2024-24795                 │
└─────────┴────────────────┴──────────┴────────┴───────────────────┴───────────────┴────────────────────────────────────────────────────────────┘

What is the expected behavior?

An empty vulnerability report

What do you see instead?

Apache needs to be bumped to 2.4.59

Additional information

No response
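The report above applies a simple policy: ignore findings with no fix available (`--ignore-unfixed`) and treat the rest as actionable. The script below, an added example that is not part of the bitnami/containers issue or of Bitnami's own tooling, turns that policy into a CI gate over trivy's JSON output (`trivy image --format json`). The sample report is constructed to mirror the three Apache findings in the issue; the field names (`Results`, `Vulnerabilities`, `VulnerabilityID`, `PkgName`, `InstalledVersion`, `FixedVersion`, `Severity`) follow trivy's JSON schema as I know it and are an assumption, so check them against the trivy version you run.

```python
"""Gate a container image on trivy's JSON report.

Added example, not code from the bitnami/containers issue or from Bitnami.
Policy mirrored from the issue: drop findings without a fixed version
(what `trivy --ignore-unfixed` does), then fail if anything at or above a
chosen severity remains. UNKNOWN-severity entries are kept by default:
trivy reports CVEs that NVD has not scored yet this way (two of the three
httpd CVEs in the issue), and silently dropping them would hide exactly
the fresh advisories a rebuild is meant to close.
"""
import json
import sys

SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Constructed sample (assumed field names) for the findings listed in the issue.
SAMPLE_REPORT = json.dumps({
    "ArtifactName": "bitnami/moodle:4.3.3-debian-12-r7",
    "Results": [
        {"Target": "bitnami/moodle:4.3.3-debian-12-r7 (debian 12.5)",
         "Class": "os-pkgs", "Type": "debian", "Vulnerabilities": []},
        {"Target": "opt/bitnami/apache", "Class": "lang-pkgs", "Type": "bitnami",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-2024-27316", "PkgName": "Apache",
              "InstalledVersion": "2.4.58-8", "FixedVersion": "2.4.59",
              "Status": "fixed", "Severity": "HIGH",
              "Title": "httpd: CONTINUATION frames DoS"},
             {"VulnerabilityID": "CVE-2023-38709", "PkgName": "Apache",
              "InstalledVersion": "2.4.58-8", "FixedVersion": "2.4.59",
              "Status": "fixed", "Severity": "UNKNOWN",
              "Title": "Faulty input validation in the core of Apache"},
             {"VulnerabilityID": "CVE-2024-24795", "PkgName": "Apache",
              "InstalledVersion": "2.4.58-8", "FixedVersion": "2.4.59",
              "Status": "fixed", "Severity": "UNKNOWN",
              "Title": "HTTP Response splitting in multiple modules"},
         ]},
    ],
})


def fixable_findings(report_json, min_severity="HIGH", include_unknown=True):
    """Return the findings that have a fixed version and meet the severity bar."""
    report = json.loads(report_json)
    threshold = SEVERITY_RANK[min_severity]
    selected = []
    for result in report.get("Results", []):
        # trivy emits null instead of [] for targets without findings.
        for vuln in result.get("Vulnerabilities") or []:
            if not vuln.get("FixedVersion"):
                continue  # nothing to upgrade to yet: same as --ignore-unfixed
            sev = vuln.get("Severity", "UNKNOWN")
            unscored = sev == "UNKNOWN" and include_unknown
            if unscored or SEVERITY_RANK.get(sev, 0) >= threshold:
                selected.append({
                    "target": result.get("Target", ""),
                    "id": vuln["VulnerabilityID"],
                    "package": vuln.get("PkgName", ""),
                    "installed": vuln.get("InstalledVersion", ""),
                    "fixed": vuln["FixedVersion"],
                    "severity": sev,
                })
    return selected


def required_upgrades(findings):
    """Map each affected package to the set of versions trivy says fix it.

    FixedVersion may hold several comma-separated versions, so a set is kept
    rather than guessing an ordering across package ecosystems.
    """
    upgrades = {}
    for f in findings:
        versions = {v.strip() for v in f["fixed"].split(",") if v.strip()}
        upgrades.setdefault(f["package"], set()).update(versions)
    return upgrades


def should_fail(report_json, min_severity="HIGH", include_unknown=True):
    """True when the image still carries a fixable finding above the bar."""
    return bool(fixable_findings(report_json, min_severity, include_unknown))


if __name__ == "__main__":
    # Usage: trivy image --format json IMAGE | python gate.py
    # With no stdin data the constructed sample is evaluated instead.
    data = sys.stdin.read() if not sys.stdin.isatty() else ""
    report = data or SAMPLE_REPORT
    found = fixable_findings(report)
    for f in found:
        print(f"{f['severity']:8} {f['id']} {f['package']} "
              f"{f['installed']} -> {f['fixed']} ({f['target']})")
    for pkg, versions in required_upgrades(found).items():
        print(f"upgrade {pkg} to one of: {', '.join(sorted(versions))}")
    sys.exit(1 if found else 0)
```

Run against a real report with `trivy image --format json bitnami/moodle:4.3.3-debian-12-r7 | python gate.py`; the non-zero exit is what a pipeline keys on. Tightening `include_unknown=False` reproduces a HIGH-and-above gate that would have passed only CVE-2024-27316 through, which is why the default keeps unscored entries.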

carrodher commented 7 months ago

Thanks for creating the issue and the associated PR. During the past hours, our automated test & release pipeline released a new version of each container bundling Apache 2.4.58. At this moment there shouldn't be any container including that version. For instance, inspecting the latest version of Moodle:

$ trivy image --ignore-unfixed bitnami/moodle
2024-04-09T09:54:55.381+0200    INFO    Vulnerability scanning is enabled
2024-04-09T09:54:55.381+0200    INFO    Secret scanning is enabled
2024-04-09T09:54:55.381+0200    INFO    If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-04-09T09:54:55.381+0200    INFO    Please see also https://aquasecurity.github.io/trivy/v0.50/docs/scanner/secret/#recommendation for faster secret detection
2024-04-09T09:54:57.470+0200    INFO    Detected OS: debian
2024-04-09T09:54:57.470+0200    INFO    Detecting Debian vulnerabilities...
2024-04-09T09:54:57.501+0200    INFO    Number of language-specific files: 9
2024-04-09T09:54:57.501+0200    INFO    Detecting bitnami vulnerabilities...
2024-04-09T09:54:57.503+0200    INFO    Detecting gobinary vulnerabilities...
2024-04-09T09:54:57.510+0200    INFO    Detecting node-pkg vulnerabilities...

bitnami/moodle (debian 12.5)

Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)