caddyserver / caddy-docker

Source for the official Caddy v2 Docker Image
https://hub.docker.com/_/caddy
Apache License 2.0

CVE-2024-24790 #367

Closed ZelphirKaltstahl closed 2 months ago

ZelphirKaltstahl commented 2 months ago

The current latest official (according to https://hub.docker.com/_/caddy/tags) docker image is affected by CVE-2024-24790 (for example https://security-tracker.debian.org/tracker/CVE-2024-24790 or https://nvd.nist.gov/vuln/detail/CVE-2024-24790).

Are there any plans to upgrade to a newer version of go? If I understand correctly, 1.21.13-1 should have it fixed.

jdvorak001 commented 2 months ago

... or 1.22.4+ or 1.23.

mholt commented 2 months ago

As noted elsewhere this does not really affect Caddy, but a new image with Go 1.23 is probably a good idea.

francislavoie commented 2 months ago

No point in keeping this open, it's a duplicate.

ZelphirKaltstahl commented 2 months ago

Can you link at least to that "elsewhere", so that people searching for this CVE can find that documentation as well? I think that would be helpful.

Edit: Nvm, I found it: https://github.com/caddyserver/caddy-docker/issues/361

mholt commented 2 months ago

(It's already linked above ☝️ )

itaysk commented 1 month ago

As noted elsewhere this does not really affect Caddy

@mholt Hello from team Trivy :) Just chiming in to say that Trivy now allows software maintainers (you) to publish vulnerability analysis about your software (packages, libraries, container images) so that vulnerability scanners will automatically suppress those irrelevant vulnerabilities for end users. You can read more here:

https://aquasecurity.github.io/trivy/latest/docs/supply-chain/vex/repo/#publishing-vex-documents
https://github.com/aquasecurity/vexhub

Feel free to reach me or the Trivy team if you have any issues/feedback.