Open tokarev-artem opened 5 years ago
Hello, we used the Anchore utility for Docker image scanning and found some security issues.
List of high issues:
| CVE | Package | Severity | Fix version | Reference |
|---|---|---|---|---|
| CVE-2015-5652 | Python-2.7.9 | High | None | https://nvd.nist.gov/vuln/detail/CVE-2015-5652 |
| CVE-2016-3720 | jackson-2.6.7 | High | None | https://nvd.nist.gov/vuln/detail/CVE-2016-3720 |
| CVE-2016-5636 | Python-2.7.9 | High | None | https://nvd.nist.gov/vuln/detail/CVE-2016-5636 |
| CVE-2017-1000158 | Python-2.7.9 | High | None | https://nvd.nist.gov/vuln/detail/CVE-2017-1000158 |
| CVE-2019-13404 | Python-2.7.9 | High | None | https://nvd.nist.gov/vuln/detail/CVE-2019-13404 |
| CVE-2019-14540 | jackson-databind-2.9.9.3 | High | None | https://nvd.nist.gov/vuln/detail/CVE-2019-14540 |
| CVE-2019-14540 | jackson-databind-2.9.9.3 | High | None | https://nvd.nist.gov/vuln/detail/CVE-2019-14540 |
| CVE-2019-14540 | jackson-databind-2.9.9.3 | High | None | https://nvd.nist.gov/vuln/detail/CVE-2019-14540 |
| CVE-2019-16335 | jackson-databind-2.9.9.3 | High | None | https://nvd.nist.gov/vuln/detail/CVE-2019-16335 |
| CVE-2019-16335 | jackson-databind-2.9.9.3 | High | None | https://nvd.nist.gov/vuln/detail/CVE-2019-16335 |
| CVE-2019-16335 | jackson-databind-2.9.9.3 | High | None | https://nvd.nist.gov/vuln/detail/CVE-2019-16335 |
| CVE-2019-5482 | curl-7.38.0-4+deb8u15 | High | 7.38.0-4+deb8u16 | https://security-tracker.debian.org/tracker/CVE-2019-5482 |
| CVE-2019-5482 | libcurl3-7.38.0-4+deb8u15 | High | 7.38.0-4+deb8u16 | https://security-tracker.debian.org/tracker/CVE-2019-5482 |
| CVE-2019-5482 | libcurl3-gnutls-7.38.0-4+deb8u15 | High | 7.38.0-4+deb8u16 | https://security-tracker.debian.org/tracker/CVE-2019-5482 |
List of medium issues:
| CVE | Package | Severity | Fix version | Reference |
|---|---|---|---|---|
| CVE-2010-3492 | Python-2.7.9 | Medium | None | https://nvd.nist.gov/vuln/detail/CVE-2010-3492 |
| CVE-2011-3389 | libgnutls-deb0-28-3.3.30-0+deb8u1 | Medium | None | https://security-tracker.debian.org/tracker/CVE-2011-3389 |
| CVE-2011-3389 | libgnutls-openssl27-3.3.30-0+deb8u1 | Medium | None | https://security-tracker.debian.org/tracker/CVE-2011-3389 |
| CVE-2014-4616 | Python-2.7.9 | Medium | None | https://nvd.nist.gov/vuln/detail/CVE-2014-4616 |
| CVE-2016-0772 | Python-2.7.9 | Medium | None | https://nvd.nist.gov/vuln/detail/CVE-2016-0772 |
| CVE-2016-5699 | Python-2.7.9 | Medium | None | https://nvd.nist.gov/vuln/detail/CVE-2016-5699 |
| CVE-2016-7051 | jackson-2.6.7 | Medium | None | https://nvd.nist.gov/vuln/detail/CVE-2016-7051 |
| CVE-2017-17522 | Python-2.7.9 | Medium | None | https://nvd.nist.gov/vuln/detail/CVE-2017-17522 |
| CVE-2017-18207 | Python-2.7.9 | Medium | None | https://nvd.nist.gov/vuln/detail/CVE-2017-18207 |
| CVE-2017-2616 | libblkid1-2.25.2-6 | Medium | None | https://security-tracker.debian.org/tracker/CVE-2017-2616 |
| CVE-2017-2616 | libmount1-2.25.2-6 | Medium | None | https://security-tracker.debian.org/tracker/CVE-2017-2616 |
| CVE-2017-2616 | libsmartcols1-2.25.2-6 | Medium | None | https://security-tracker.debian.org/tracker/CVE-2017-2616 |
| CVE-2017-2616 | libuuid1-2.25.2-6 | Medium | None | https://security-tracker.debian.org/tracker/CVE-2017-2616 |
| CVE-2017-2616 | mount-2.25.2-6 | Medium | None | https://security-tracker.debian.org/tracker/CVE-2017-2616 |
| CVE-2017-2616 | util-linux-2.25.2-6 | Medium | None | https://security-tracker.debian.org/tracker/CVE-2017-2616 |
| CVE-2018-1000030 | Python-2.7.9 | Medium | None | https://nvd.nist.gov/vuln/detail/CVE-2018-1000030 |
| CVE-2018-10237 | guava-11.0.2 | Medium | None | https://nvd.nist.gov/vuln/detail/CVE-2018-10237 |
| CVE-2018-10237 | guava-18.0 | Medium | None | https://nvd.nist.gov/vuln/detail/CVE-2018-10237 |
| CVE-2018-10237 | guava-20.0 | Medium | None | https://nvd.nist.gov/vuln/detail/CVE-2018-10237 |
| CVE-2018-10237 | guava-20.0 | Medium | None | https://nvd.nist.gov/vuln/detail/CVE-2018-10237 |
| CVE-2018-1060 | Python-2.7.9 | Medium | None | https://nvd.nist.gov/vuln/detail/CVE-2018-1060 |
| CVE-2018-1061 | Python-2.7.9 | Medium | None | https://nvd.nist.gov/vuln/detail/CVE-2018-1061 |
| CVE-2018-11771 | commons-compress-1.8.1 | Medium | None | https://nvd.nist.gov/vuln/detail/CVE-2018-11771 |
| CVE-2018-14647 | Python-2.7.9 | Medium | None | https://nvd.nist.gov/vuln/detail/CVE-2018-14647 |
| CVE-2018-18074 | requests-2.11.1 | Medium | None | https://nvd.nist.gov/vuln/detail/CVE-2018-18074 |
| CVE-2018-20852 | Python-2.7.9 | Medium | None | https://nvd.nist.gov/vuln/detail/CVE-2018-20852 |
| CVE-2019-13627 | libgcrypt20-1.6.3-2+deb8u5 | Medium | 1.6.3-2+deb8u6 | https://security-tracker.debian.org/tracker/CVE-2019-13627 |
| CVE-2019-1563 | libssl1.0.0-1.0.1t-1+deb8u11 | Medium | 1.0.1t-1+deb8u12 | https://security-tracker.debian.org/tracker/CVE-2019-1563 |
| CVE-2019-1563 | openssl-1.0.1t-1+deb8u11 | Medium | 1.0.1t-1+deb8u12 | https://security-tracker.debian.org/tracker/CVE-2019-1563 |
| CVE-2019-15903 | libexpat1-2.1.0-6+deb8u5 | Medium | 2.1.0-6+deb8u6 | https://security-tracker.debian.org/tracker/CVE-2019-15903 |
| CVE-2019-16056 | Python-2.7.9 | Medium | None | https://nvd.nist.gov/vuln/detail/CVE-2019-16056 |
| CVE-2019-16056 | libpython2.7-minimal-2.7.9-2+deb8u4 | Medium | 2.7.9-2+deb8u5 | https://security-tracker.debian.org/tracker/CVE-2019-16056 |
| CVE-2019-16056 | libpython2.7-stdlib-2.7.9-2+deb8u4 | Medium | 2.7.9-2+deb8u5 | https://security-tracker.debian.org/tracker/CVE-2019-16056 |
| CVE-2019-16056 | python2.7-2.7.9-2+deb8u4 | Medium | 2.7.9-2+deb8u5 | https://security-tracker.debian.org/tracker/CVE-2019-16056 |
| CVE-2019-16056 | python2.7-minimal-2.7.9-2+deb8u4 | Medium | 2.7.9-2+deb8u5 | https://security-tracker.debian.org/tracker/CVE-2019-16056 |
| CVE-2019-5094 | e2fslibs-1.42.12-2+b1 | Medium | 1.42.12-2+deb8u1 | https://security-tracker.debian.org/tracker/CVE-2019-5094 |
| CVE-2019-5094 | e2fsprogs-1.42.12-2+b1 | Medium | 1.42.12-2+deb8u1 | https://security-tracker.debian.org/tracker/CVE-2019-5094 |
| CVE-2019-5094 | libcomerr2-1.42.12-2+b1 | Medium | 1.42.12-2+deb8u1 | https://security-tracker.debian.org/tracker/CVE-2019-5094 |
| CVE-2019-5094 | libss2-1.42.12-2+b1 | Medium | 1.42.12-2+deb8u1 | https://security-tracker.debian.org/tracker/CVE-2019-5094 |
| CVE-2019-9636 | Python-2.7.9 | Medium | None | https://nvd.nist.gov/vuln/detail/CVE-2019-9636 |
| CVE-2019-9740 | Python-2.7.9 | Medium | None | https://nvd.nist.gov/vuln/detail/CVE-2019-9740 |
| CVE-2019-9947 | Python-2.7.9 | Medium | None | https://nvd.nist.gov/vuln/detail/CVE-2019-9947 |
| CVE-2019-9948 | Python-2.7.9 | Medium | None | https://nvd.nist.gov/vuln/detail/CVE-2019-9948 |
and list of low-level issues:
| CVE | Package | Severity | Fix version | Reference |
|---|---|---|---|---|
| CVE-2019-1547 | libssl1.0.0-1.0.1t-1+deb8u11 | Low | 1.0.1t-1+deb8u12 | https://security-tracker.debian.org/tracker/CVE-2019-1547 |
| CVE-2019-1547 | openssl-1.0.1t-1+deb8u11 | Low | 1.0.1t-1+deb8u12 | https://security-tracker.debian.org/tracker/CVE-2019-1547 |
Could you update the Dockerfile with these fixes? Thanks
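A small triage script, added here as an example and not part of this issue or of the Confluent images: it parses rows in the layout Anchore printed above (a few rows copied from the report serve as constructed sample input), collapses the repeated per-jar entries, and separates findings the Debian security tracker already fixes (an `apt-get` upgrade of the named packages in the Dockerfile) from those with fix version `None` (a dependency or base-image change is needed instead).

```python
import re
from collections import defaultdict

# Constructed sample input: rows copied from the Anchore report above,
# in the same "CVE package severity fix-version URL" layout.
SAMPLE_ROWS = """
CVE-2019-5482 curl-7.38.0-4+deb8u15 High 7.38.0-4+deb8u16 https://security-tracker.debian.org/tracker/CVE-2019-5482
CVE-2019-5482 libcurl3-7.38.0-4+deb8u15 High 7.38.0-4+deb8u16 https://security-tracker.debian.org/tracker/CVE-2019-5482
CVE-2019-14540 jackson-databind-2.9.9.3 High None https://nvd.nist.gov/vuln/detail/CVE-2019-14540
CVE-2019-14540 jackson-databind-2.9.9.3 High None https://nvd.nist.gov/vuln/detail/CVE-2019-14540
CVE-2019-1563 openssl-1.0.1t-1+deb8u11 Medium 1.0.1t-1+deb8u12 https://security-tracker.debian.org/tracker/CVE-2019-1563
CVE-2019-16056 Python-2.7.9 Medium None https://nvd.nist.gov/vuln/detail/CVE-2019-16056
CVE-2019-1547 openssl-1.0.1t-1+deb8u11 Low 1.0.1t-1+deb8u12 https://security-tracker.debian.org/tracker/CVE-2019-1547
"""

ROW_RE = re.compile(r"^(CVE-\d{4}-\d+)\s+(\S+)\s+(High|Medium|Low)\s+(\S+)\s+(\S+)$")


def parse_rows(text):
    """Parse scanner rows; 'fix' is None when the scanner reported None."""
    findings = []
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip().lstrip("> ").strip())
        if not m:
            continue  # skip headings or anything not in row layout
        cve, package, severity, fix, url = m.groups()
        findings.append({"cve": cve, "package": package, "severity": severity,
                         "fix": None if fix == "None" else fix, "url": url})
    return findings


def triage(findings):
    """Split unique (CVE, package) pairs into fixable-by-upgrade vs. no-fix,
    and count unique pairs per severity. Anchore repeats a row for every
    file that carries the same package, so duplicates are collapsed first."""
    fix_available, no_fix, by_severity, seen = {}, set(), defaultdict(int), set()
    for f in findings:
        key = (f["cve"], f["package"])
        if key in seen:
            continue
        seen.add(key)
        by_severity[f["severity"]] += 1
        if f["fix"]:
            fix_available[key] = f["fix"]
        else:
            no_fix.add(key)
    return fix_available, no_fix, dict(by_severity)


def apt_upgrade_targets(fix_available):
    """Package names to pass to apt-get install --only-upgrade; the version
    suffix is cut at the first '-' followed by a digit (a heuristic)."""
    return sorted({re.split(r"-(?=\d)", pkg, 1)[0] for _, pkg in fix_available})
```
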
Thank you for raising this issue. Confluent Platform updates (including image upgrades) are made available on a quarterly cadence. The issues have been addressed at this point in time.