Closed PascalBourdier closed 4 years ago
Hey @PascalBourdier,
Thanks for creating the PR.
I honestly don't feel very good about adding an apt-get upgrade in the docker image. That's because it could have unwanted consequences of downloading binaries that we didn't intend in the image. I would wait for the base image to get updated, update specific binaries that are affecting the image at hand, or report the specific vulnerability to the Concourse team so we can work on patching the image accordingly.
Happy to discuss that further, Thanks!
Ironically, within the last week, it seems like the aforementioned packages have already been updated in the base image ubuntu:bionic.
Hey @PascalBourdier, I am going to close this for the time being, but please feel free to reopen it or create a new one if you still need this :)
@YoussB on a related note, is there any process for reporting fixable CVEs that are fixed in ubuntu:bionic but not released in the concourse image itself? In this case right now for example there's a CVE fixed for nettle in the bionic container, but there's not been a rebuild of the concourse image since -- in this case there wouldn't be a code change in this project so I'm not sure if creating an issue makes sense, or does it? These things will generally resolve themselves in time but also that doesn't mean there wasn't an issue in the interim that might be worth tracking for some?
'Fixable CVE-2021-20305 (CVSS 8.1) found in component 'nettle' (version 3.4-1) in container 'worker', resolved by version 3.4-1ubuntu0.1'
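The finding quoted above, turned into the kind of targeted fix the maintainer asked for earlier in the thread (update the specific packages rather than a blanket `apt-get upgrade`). This is an added example, not Concourse's code or the scanner's: it assumes findings arrive as lines in exactly the format quoted, that versions follow Debian/Ubuntu conventions (the comparison below mirrors dpkg's algorithm: epoch, upstream, revision, with `~` sorting before everything), and the second sample finding and its `libexample` package are constructed placeholders.

```python
"""Turn scanner findings into targeted, pinned package upgrades (added example)."""
import re

# Shape of the one finding line quoted in the thread; everything else is assumed.
FINDING_RE = re.compile(
    r"Fixable (?P<cve>CVE-\d{4}-\d+) \(CVSS (?P<cvss>[\d.]+)\) found in component "
    r"'(?P<pkg>[^']+)' \(version (?P<installed>[^)]+)\) in container "
    r"'(?P<container>[^']+)', resolved by version (?P<fixed>[^\s']+)"
)


def _order(ch):
    """Character weight dpkg uses inside non-digit runs ('~' < end < letters < others)."""
    if ch == "~":
        return -1
    if ch.isalpha():
        return ord(ch)
    return ord(ch) + 256


def _verrevcmp(a, b):
    """dpkg's comparison of one version part (upstream or revision): <0, 0, >0."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        # Non-digit run: character by character, end-of-string weighs 0.
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i]) if i < len(a) else 0
            bc = _order(b[j]) if j < len(b) else 0
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        # Digit run: drop leading zeros; longer run wins, else first differing digit.
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and a[i].isdigit() and j < len(b) and b[j].isdigit():
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i].isdigit():
            return 1
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def _split(version):
    """[epoch:]upstream[-revision]; the revision follows the last hyphen."""
    epoch = 0
    if ":" in version:
        e, version = version.split(":", 1)
        epoch = int(e)
    upstream, _, revision = version.rpartition("-")
    if not upstream:  # no hyphen: rpartition left everything in `revision`
        upstream, revision = revision, ""
    return epoch, upstream, revision


def compare_versions(a, b):
    """Same sign convention as `dpkg --compare-versions`."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    if ea != eb:
        return ea - eb
    return _verrevcmp(ua, ub) or _verrevcmp(ra, rb)


def parse_findings(lines):
    """Parse scanner lines into dicts; lines that do not match are skipped."""
    return [m.groupdict() for m in map(FINDING_RE.search, lines) if m]


def still_vulnerable(finding):
    """True when the installed version sorts below the version that carries the fix."""
    return compare_versions(finding["installed"], finding["fixed"]) < 0


def pinned_upgrade_commands(findings):
    """One apt-get line per container, naming only the packages that still need moving.

    Pinning `pkg=version` with --only-upgrade is the narrow alternative to a
    blanket `apt-get upgrade`: nothing else in the image changes.
    """
    pins = {}
    for f in findings:
        if still_vulnerable(f):
            pins.setdefault(f["container"], set()).add(f"{f['pkg']}={f['fixed']}")
    return {c: "apt-get install -y --only-upgrade " + " ".join(sorted(p)) for c, p in pins.items()}


# Constructed sample: line 1 is the finding quoted in the thread; line 2 is a
# made-up, already-fixed finding (placeholder CVE id and package name).
SAMPLE_FINDINGS = [
    "'Fixable CVE-2021-20305 (CVSS 8.1) found in component 'nettle' (version 3.4-1) "
    "in container 'worker', resolved by version 3.4-1ubuntu0.1'",
    "'Fixable CVE-0000-0000 (CVSS 5.0) found in component 'libexample' (version 2:1.2-3ubuntu1) "
    "in container 'worker', resolved by version 2:1.2-3ubuntu1'",
    "some unrelated scanner output",
]

if __name__ == "__main__":
    for container, cmd in pinned_upgrade_commands(parse_findings(SAMPLE_FINDINGS)).items():
        print(f"# {container}\nRUN {cmd}")
```

Running it prints a `RUN apt-get install -y --only-upgrade nettle=3.4-1ubuntu0.1` line for the worker image and nothing for the stale placeholder finding, which is the check that tells you whether a scanner result is still actionable against the image as built.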
@danekantner we're now doing vulnerability scanning (https://github.com/concourse/ci/pull/397) on all our images (see it in action here), and are working on a process (https://github.com/concourse/ci/pull/395) to patch our released images.
some fixes are available (libc-bin, libc6, libgnutls30)
avoid the following security issues :