cruizba / ubuntu-dind

A docker image based in ubuntu to run docker containers inside docker containers
Apache License 2.0
169 stars · 76 forks

CVEs found on trivy scan #14

Closed sathvikbu closed 12 months ago

sathvikbu commented 1 year ago

```
$ trivy image --ignore-unfixed cruizba/ubuntu-dind
2023-09-06T22:11:53.627+0530    INFO    Vulnerability scanning is enabled
2023-09-06T22:11:53.627+0530    INFO    Secret scanning is enabled
2023-09-06T22:11:53.627+0530    INFO    If your scanning is slow, please try '--security-checks vuln' to disable secret scanning
2023-09-06T22:11:53.627+0530    INFO    Please see also https://aquasecurity.github.io/trivy/v0.36/docs/secret/scanning/#recommendation for faster secret detection
2023-09-06T22:11:53.650+0530    INFO    Detected OS: ubuntu
2023-09-06T22:11:53.650+0530    INFO    Detecting Ubuntu vulnerabilities...
2023-09-06T22:11:53.655+0530    INFO    Number of language-specific files: 2
2023-09-06T22:11:53.655+0530    INFO    Detecting gobinary vulnerabilities...
```

cruizba/ubuntu-dind (ubuntu 20.04)

Total: 23 (UNKNOWN: 0, LOW: 14, MEDIUM: 9, HIGH: 0, CRITICAL: 0)

| Library | Vulnerability | Severity | Installed Version | Fixed Version | Title |
|---|---|---|---|---|---|
| curl | [CVE-2023-28321](https://avd.aquasec.com/nvd/cve-2023-28321) | LOW | 7.68.0-1ubuntu2.18 | 7.68.0-1ubuntu2.19 | IDN wildcard match may lead to Improper Cerificate Validation |
| curl | [CVE-2023-28322](https://avd.aquasec.com/nvd/cve-2023-28322) | LOW | 7.68.0-1ubuntu2.18 | 7.68.0-1ubuntu2.19 | more POST-after-PUT confusion |
| libcurl4 | [CVE-2023-28321](https://avd.aquasec.com/nvd/cve-2023-28321) | LOW | 7.68.0-1ubuntu2.18 | 7.68.0-1ubuntu2.19 | IDN wildcard match may lead to Improper Cerificate Validation |
| libcurl4 | [CVE-2023-28322](https://avd.aquasec.com/nvd/cve-2023-28322) | LOW | 7.68.0-1ubuntu2.18 | 7.68.0-1ubuntu2.19 | more POST-after-PUT confusion |
| libncurses6 | [CVE-2023-29491](https://avd.aquasec.com/nvd/cve-2023-29491) | MEDIUM | 6.2-0ubuntu2 | 6.2-0ubuntu2.1 | Local users can trigger security-relevant memory corruption via malformed data |
| libncurses6 | [CVE-2021-39537](https://avd.aquasec.com/nvd/cve-2021-39537) | LOW | 6.2-0ubuntu2 | 6.2-0ubuntu2.1 | heap-based buffer overflow in `_nc_captoinfo()` in `captoinfo.c` |
| libncurses6 | [CVE-2022-29458](https://avd.aquasec.com/nvd/cve-2022-29458) | LOW | 6.2-0ubuntu2 | 6.2-0ubuntu2.1 | segfaulting OOB read |
| libncursesw6 | [CVE-2023-29491](https://avd.aquasec.com/nvd/cve-2023-29491) | MEDIUM | 6.2-0ubuntu2 | 6.2-0ubuntu2.1 | Local users can trigger security-relevant memory corruption via malformed data |
| libncursesw6 | [CVE-2021-39537](https://avd.aquasec.com/nvd/cve-2021-39537) | LOW | 6.2-0ubuntu2 | 6.2-0ubuntu2.1 | heap-based buffer overflow in `_nc_captoinfo()` in `captoinfo.c` |
| libncursesw6 | [CVE-2022-29458](https://avd.aquasec.com/nvd/cve-2022-29458) | LOW | 6.2-0ubuntu2 | 6.2-0ubuntu2.1 | segfaulting OOB read |
| libtinfo6 | [CVE-2023-29491](https://avd.aquasec.com/nvd/cve-2023-29491) | MEDIUM | 6.2-0ubuntu2 | 6.2-0ubuntu2.1 | Local users can trigger security-relevant memory corruption via malformed data |
| libtinfo6 | [CVE-2021-39537](https://avd.aquasec.com/nvd/cve-2021-39537) | LOW | 6.2-0ubuntu2 | 6.2-0ubuntu2.1 | heap-based buffer overflow in `_nc_captoinfo()` in `captoinfo.c` |
| libtinfo6 | [CVE-2022-29458](https://avd.aquasec.com/nvd/cve-2022-29458) | LOW | 6.2-0ubuntu2 | 6.2-0ubuntu2.1 | segfaulting OOB read |
| libx11-6 | [CVE-2023-3138](https://avd.aquasec.com/nvd/cve-2023-3138) | MEDIUM | 2:1.6.9-2ubuntu1.2 | 2:1.6.9-2ubuntu1.5 | InitExt.c can overwrite unintended portions of the Display structure if the extension... |
| libx11-data | [CVE-2023-3138](https://avd.aquasec.com/nvd/cve-2023-3138) | MEDIUM | 2:1.6.9-2ubuntu1.2 | 2:1.6.9-2ubuntu1.5 | InitExt.c can overwrite unintended portions of the Display structure if the extension... |
| ncurses-base | [CVE-2023-29491](https://avd.aquasec.com/nvd/cve-2023-29491) | MEDIUM | 6.2-0ubuntu2 | 6.2-0ubuntu2.1 | Local users can trigger security-relevant memory corruption via malformed data |
| ncurses-base | [CVE-2021-39537](https://avd.aquasec.com/nvd/cve-2021-39537) | LOW | 6.2-0ubuntu2 | 6.2-0ubuntu2.1 | heap-based buffer overflow in `_nc_captoinfo()` in `captoinfo.c` |
| ncurses-base | [CVE-2022-29458](https://avd.aquasec.com/nvd/cve-2022-29458) | LOW | 6.2-0ubuntu2 | 6.2-0ubuntu2.1 | segfaulting OOB read |
| ncurses-bin | [CVE-2023-29491](https://avd.aquasec.com/nvd/cve-2023-29491) | MEDIUM | 6.2-0ubuntu2 | 6.2-0ubuntu2.1 | Local users can trigger security-relevant memory corruption via malformed data |
| ncurses-bin | [CVE-2021-39537](https://avd.aquasec.com/nvd/cve-2021-39537) | LOW | 6.2-0ubuntu2 | 6.2-0ubuntu2.1 | heap-based buffer overflow in `_nc_captoinfo()` in `captoinfo.c` |
| ncurses-bin | [CVE-2022-29458](https://avd.aquasec.com/nvd/cve-2022-29458) | LOW | 6.2-0ubuntu2 | 6.2-0ubuntu2.1 | segfaulting OOB read |
| openssh-client | [CVE-2023-38408](https://avd.aquasec.com/nvd/cve-2023-38408) | MEDIUM | 1:8.2p1-4ubuntu0.7 | 1:8.2p1-4ubuntu0.8 | Remote code execution in ssh-agent PKCS#11 support |
| perl-base | [CVE-2023-31484](https://avd.aquasec.com/nvd/cve-2023-31484) | MEDIUM | 5.30.0-9ubuntu0.3 | 5.30.0-9ubuntu0.4 | CPAN.pm before 2.35 does not verify TLS certificates when downloading distributions over... |

usr/local/bin/docker-compose (gobinary)

Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 1, CRITICAL: 0)

| Library | Vulnerability | Severity | Installed Version | Fixed Version | Title |
|---|---|---|---|---|---|
| github.com/docker/distribution | [CVE-2023-2253](https://avd.aquasec.com/nvd/cve-2023-2253) | HIGH | v2.8.1+incompatible | 2.8.2-beta.1 | DoS from malicious API request |

usr/local/lib/docker/cli-plugins/docker-buildx (gobinary)

Total: 8 (UNKNOWN: 0, LOW: 1, MEDIUM: 4, HIGH: 3, CRITICAL: 0)

| Library | Vulnerability | Severity | Installed Version | Fixed Version | Title |
|---|---|---|---|---|---|
| github.com/containerd/containerd | [CVE-2023-25153](https://avd.aquasec.com/nvd/cve-2023-25153) | MEDIUM | v1.6.16-0.20230124210447-1709cfe273d9 | 1.5.18, 1.6.18 | OCI image importer memory exhaustion |
| github.com/containerd/containerd | [CVE-2023-25173](https://avd.aquasec.com/nvd/cve-2023-25173) | MEDIUM | v1.6.16-0.20230124210447-1709cfe273d9 | 1.5.18, 1.6.18 | Supplementary groups are not set up properly |
| github.com/docker/distribution | [CVE-2023-2253](https://avd.aquasec.com/nvd/cve-2023-2253) | HIGH | v2.8.1+incompatible | 2.8.2-beta.1 | DoS from malicious API request |
| github.com/moby/buildkit | [CVE-2023-26054](https://avd.aquasec.com/nvd/cve-2023-26054) | MEDIUM | v0.11.2 | 0.11.4 | Data disclosure in provenance attestation describing a build |
| github.com/opencontainers/runc | [CVE-2023-27561](https://avd.aquasec.com/nvd/cve-2023-27561) | HIGH | v1.1.3 | 1.1.5 | volume mount race condition (regression of CVE-2019-19921) |
| github.com/opencontainers/runc | [CVE-2023-28642](https://avd.aquasec.com/nvd/cve-2023-28642) | MEDIUM | v1.1.3 | 1.1.5 | AppArmor can be bypassed when /proc inside the container is symlinked with... |
| github.com/opencontainers/runc | [CVE-2023-25809](https://avd.aquasec.com/nvd/cve-2023-25809) | LOW | v1.1.3 | 1.1.5 | Rootless runc makes /sys/fs/cgroup writable |
| golang.org/x/net | [CVE-2022-41723](https://avd.aquasec.com/nvd/cve-2022-41723) | HIGH | v0.4.0 | 0.7.0 | avoid quadratic complexity in HPACK decoding |

cruizba commented 12 months ago

I've updated the images with new Docker, buildx and compose versions. Even the latest image is now Ubuntu 22.04.

Check it out.

cruizba commented 12 months ago

This is the result of the latest image at 11 September 2023:

2023-09-11T01:33:25.059+0200    INFO    Vulnerability scanning is enabled
2023-09-11T01:33:25.059+0200    INFO    Secret scanning is enabled
2023-09-11T01:33:25.059+0200    INFO    If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2023-09-11T01:33:25.059+0200    INFO    Please see also https://aquasecurity.github.io/trivy/v0.45/docs/scanner/secret/#recommendation for faster secret detection
2023-09-11T01:33:53.861+0200    INFO    Detected OS: ubuntu
2023-09-11T01:33:53.861+0200    INFO    Detecting Ubuntu vulnerabilities...
2023-09-11T01:33:53.864+0200    INFO    Number of language-specific files: 4
2023-09-11T01:33:53.864+0200    INFO    Detecting gobinary vulnerabilities...

cruizba/ubuntu-dind (ubuntu 22.04)

Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

usr/local/bin/dockerd (gobinary)

Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 0, CRITICAL: 0)

┌───────────────────────────────────────┬─────────────────────┬──────────┬────────┬───────────────────┬───────────────┬──────────────────────────────────────────────────────────────┐
│                Library                │    Vulnerability    │ Severity │ Status │ Installed Version │ Fixed Version │                            Title                             │
├───────────────────────────────────────┼─────────────────────┼──────────┼────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ github.com/cyphar/filepath-securejoin │ GHSA-6xv5-86q9-7xr8 │ MEDIUM   │ fixed  │ v0.2.3            │ 0.2.4         │ SecureJoin: on windows, paths outside of the rootfs could be │
│                                       │                     │          │        │                   │               │ inadvertently produced...                                    │
│                                       │                     │          │        │                   │               │ https://github.com/advisories/GHSA-6xv5-86q9-7xr8            │
└───────────────────────────────────────┴─────────────────────┴──────────┴────────┴───────────────────┴───────────────┴──────────────────────────────────────────────────────────────┘

It is a CVE in the docker binary of a library they use on Windows systems. I will try to keep images up to date, so this issue can be closed.
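The thread combines three decisions a CI gate for this image has to make: which severities block, whether findings with no fixed version count (the reporter ran with `--ignore-unfixed`), and how to record a deliberate acceptance such as the Windows-only filepath-securejoin advisory. The script below is an added example, not part of the issue thread or of the ubuntu-dind project, and it is written against the field names trivy emits in `trivy image -f json` output (`Results[].Target`, `Vulnerabilities[].VulnerabilityID`, `PkgName`, `Severity`, `InstalledVersion`, `FixedVersion`). The embedded report is constructed for the example: its real IDs and versions are copied from the scans above, while the `EXAMPLE-UNFIXED` entry is a placeholder to show the unfixed-finding path. The accepted-ID map and its reason strings are this example's own convention, not a trivy feature.

```python
import json
from dataclasses import dataclass

# Severity order used by trivy's own "Total:" summary line.
SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}


@dataclass(frozen=True)
class Finding:
    target: str    # e.g. "cruizba/ubuntu-dind (ubuntu 20.04)" or a gobinary path
    pkg: str
    vuln_id: str   # CVE-... or GHSA-...
    severity: str
    installed: str
    fixed: str     # empty when the distro/upstream has not shipped a fix


def parse_report(report: dict) -> list:
    """Flatten the nested `trivy image -f json` structure into Finding records."""
    findings = []
    for result in report.get("Results", []):
        # trivy emits "Vulnerabilities": null for a clean target, hence `or []`.
        for v in result.get("Vulnerabilities") or []:
            findings.append(Finding(
                target=result.get("Target", ""),
                pkg=v.get("PkgName", ""),
                vuln_id=v.get("VulnerabilityID", ""),
                severity=str(v.get("Severity", "UNKNOWN")).upper(),
                installed=v.get("InstalledVersion", ""),
                fixed=v.get("FixedVersion", ""),
            ))
    return findings


def gate(findings, fail_at="HIGH", ignore_unfixed=True, accepted=None):
    """Split findings into (blocking, waived, skipped).

    blocking: at/above fail_at, has a fix, not accepted  -> CI should fail
    waived:   at/above fail_at but listed in `accepted`   -> printed with its reason
    skipped:  below the threshold, or unfixed while ignore_unfixed is set
    """
    accepted = accepted or {}
    threshold = SEVERITY_RANK[fail_at.upper()]
    blocking, waived, skipped = [], [], []
    for f in findings:
        if SEVERITY_RANK.get(f.severity, 0) < threshold or (ignore_unfixed and not f.fixed):
            skipped.append(f)
        elif f.vuln_id in accepted:
            waived.append((f, accepted[f.vuln_id]))
        else:
            blocking.append(f)
    return blocking, waived, skipped


# Constructed sample in trivy's JSON shape. Real IDs/versions come from the
# scans in this issue; "EXAMPLE-UNFIXED" is a placeholder, not a real advisory.
SAMPLE_REPORT = {
    "ArtifactName": "cruizba/ubuntu-dind",
    "Results": [
        {"Target": "cruizba/ubuntu-dind (ubuntu 20.04)", "Class": "os-pkgs", "Type": "ubuntu",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-2023-28322", "PkgName": "curl", "Severity": "LOW",
              "InstalledVersion": "7.68.0-1ubuntu2.18", "FixedVersion": "7.68.0-1ubuntu2.19"},
             {"VulnerabilityID": "EXAMPLE-UNFIXED", "PkgName": "example-pkg", "Severity": "HIGH",
              "InstalledVersion": "1.0", "FixedVersion": ""},
         ]},
        {"Target": "usr/local/bin/docker-compose", "Class": "lang-pkgs", "Type": "gobinary",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-2023-2253", "PkgName": "github.com/docker/distribution",
              "Severity": "HIGH", "InstalledVersion": "v2.8.1+incompatible",
              "FixedVersion": "2.8.2-beta.1"},
         ]},
        {"Target": "usr/local/bin/dockerd", "Class": "lang-pkgs", "Type": "gobinary",
         "Vulnerabilities": [
             {"VulnerabilityID": "GHSA-6xv5-86q9-7xr8",
              "PkgName": "github.com/cyphar/filepath-securejoin", "Severity": "MEDIUM",
              "InstalledVersion": "v0.2.3", "FixedVersion": "0.2.4"},
         ]},
    ],
}

# Risk acceptances keyed by ID, with the justification kept next to the ID
# (this example's convention, mirroring the maintainer's reasoning above).
ACCEPTED = {
    "GHSA-6xv5-86q9-7xr8": "filepath-securejoin bug is Windows-only; this image only runs on Linux",
}


def run(report: dict, fail_at="HIGH", ignore_unfixed=True, accepted=None) -> int:
    """Print the verdict and return the process exit code (1 = block the build)."""
    blocking, waived, _ = gate(parse_report(report), fail_at, ignore_unfixed, accepted)
    for f, why in waived:
        print(f"WAIVED  {f.vuln_id:<20} {f.pkg} in {f.target}: {why}")
    for f in blocking:
        print(f"BLOCK   {f.vuln_id:<20} {f.pkg} {f.installed} -> {f.fixed} in {f.target}")
    return 1 if blocking else 0


if __name__ == "__main__":
    import sys
    # Usage: trivy image -f json -o report.json cruizba/ubuntu-dind && python gate.py report.json
    report = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_REPORT
    sys.exit(run(report, fail_at="MEDIUM", accepted=ACCEPTED))
```

Run against the constructed report at MEDIUM the script waives the filepath-securejoin advisory with its reason printed and still exits 1 because of CVE-2023-2253, which has a fix. If you prefer trivy's built-in mechanism, the same accepted IDs can go one per line into a `.trivyignore` file and `trivy image --exit-code 1 --severity HIGH,CRITICAL --ignore-unfixed` will enforce the rest; keeping the reason beside the ID, as here, is what makes the waiver auditable later.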