confluentinc / cp-docker-images

[DEPRECATED] Docker images for Confluent Platform.
Apache License 2.0

dockerhub's confluentinc/cp-zookeeper includes "Totally Legit Signing Key" apt key #798

Open trittweiler opened 5 years ago

trittweiler commented 5 years ago

The underlying security issue has been fixed by PR #720 on 2019-04-02. But it seems that the image registered as confluentinc/cp-zookeeper at dockerhub has not been re-generated after that fix.

`docker exec <container_id> apt-key list` includes

```
pub   1024R/219BD9C9 2008-09-26
uid                  Totally Legit Signing Key <mallory@example.org>
```

So the image must have been created before PR #720 was merged.

This is probably harmless by itself, but it raises eyebrows. It certainly raised mine.

Background information on why one needs to be careful when importing keys can be found at: https://seclists.org/oss-sec/2018/q3/174

Please consider re-generating all the images.

trittweiler commented 5 years ago

Indeed, all the images on dockerhub have an io.confluent.docker.git.id of 320c29d, which is a commit from 18 Feb 2019, before PR #720 was merged on 2 Apr 2019.
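The two manual checks in the comments above (listing the apt keys baked into the image and reading the build-commit label) can be scripted so that an unexpected signer is flagged automatically. The POSIX shell script below is an added example and is not part of the cp-docker-images project. The allowlist entries, the sample `apt-key list` output it runs against, and the key ids in that sample are constructed for the example; only the "Totally Legit Signing Key" uid comes from the issue text.

```shell
#!/bin/sh
# Added example, not project code: audit `apt-key list` output against an
# allowlist of expected signer UIDs and report any key that is not on it.
# In practice the input would come from
#   docker exec <container_id> apt-key list
# and the build commit from the label the second comment mentions:
#   docker inspect --format '{{ index .Config.Labels "io.confluent.docker.git.id" }}' <image>

# Allowlist of uid substrings we expect in the image (assumed for the example).
EXPECTED_UIDS="Debian Archive Automatic Signing Key
Confluent Packaging"

# audit_keys: reads `apt-key list` output on stdin, prints one line per
# uid that is not on the allowlist, returns 1 if any were found, else 0.
audit_keys() {
    found=0
    while IFS= read -r line; do
        # Only the "uid" rows carry the signer identity; skip everything else.
        case "$line" in
            uid*) ;;
            *) continue ;;
        esac
        uid=$(printf '%s' "$line" | sed 's/^uid[[:space:]]*//')
        ok=0
        while IFS= read -r expected; do
            [ -z "$expected" ] && continue
            case "$uid" in
                *"$expected"*) ok=1 ;;
            esac
        done <<EOF
$EXPECTED_UIDS
EOF
        if [ "$ok" -eq 0 ]; then
            printf 'UNEXPECTED KEY: %s\n' "$uid"
            found=1
        fi
    done
    return $found
}

# Constructed sample of `apt-key list` output containing one expected key
# and the rogue test key the issue reports. Key ids here are placeholders.
SAMPLE='/etc/apt/trusted.gpg
--------------------
pub   4096R/AAAAAAAA 2014-11-21
uid                  Debian Archive Automatic Signing Key (8/jessie) <ftpmaster@debian.org>

pub   1024R/219BD9C9 2008-09-26
uid                  Totally Legit Signing Key <mallory@example.org>
'

if printf '%s\n' "$SAMPLE" | audit_keys; then
    echo "all apt keys match the allowlist"
else
    echo "review the keys above before trusting this image"
fi
```

The script runs in the current shell (no pipeline around the outer loop), so `found` survives the loop and the function's exit status can gate a CI job: a non-zero return from `audit_keys` fails the build of any image that carries a signer nobody vetted.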