debuerreotype / docker-debian-artifacts

Official builds of debuerreotype-generated Debian tarballs for use in Docker
https://docker.debian.net
Apache License 2.0

debian/debian-slim container image not using latest Linux kernel version(s) #145

Closed tommyreilly closed 3 years ago

tommyreilly commented 3 years ago

When scanning the latest debian-slim 11 (bullseye), we are finding a high number of Linux Kernel high/critical CVEs with CVSS v3 score > 7 being flagged.

On inspection, the scanning tool we are using is flagging anything using a Linux Kernel version earlier than v5.10.70.

Doing a "uname -r" within a shell of the debian/debian-slim images, it indicates that 5.10.47-linuxkit is the Linux Kernel version being used.

docker run -it docker.io/debian:latest /bin/bash
Unable to find image 'debian:latest' locally
latest: Pulling from library/debian
bb7d5a84853b: Already exists 
Digest: sha256:4d6ab716de467aad58e91b1b720f0badd7478847ec7a18f66027d0f8a329a43c
Status: Downloaded newer image for debian:latest
root@c4629442dd5c:/# uname -r
5.10.47-linuxkit
root@c4629442dd5c:/# exit

Are there any plans to update the kernel version to prevent these high/critical CVEs from being flagged?

Thanks

Tommy

tianon commented 3 years ago

Duplicate of #114

There is no kernel in these Docker images -- the kernel version you see when you run uname -r is the kernel of your host.
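
As an added example (not code from this issue or from the debuerreotype project), the following POSIX shell script shows how to triage a "kernel CVE" finding against a Debian image the way tianon's answer implies: instead of trusting `uname -r`, which reports the host kernel, it inspects the image's own root filesystem (for instance one unpacked from `docker export` or from the debuerreotype tarball) for a kernel package in `var/lib/dpkg/status` or a `boot/vmlinuz*` file. The two root filesystems it inspects are constructed inline as fixtures and are not real images; the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the original issue or the debuerreotype project.
# Triage a scanner's "kernel CVE" finding by checking whether an image rootfs
# actually ships a kernel. `uname -r` inside a container reports the HOST
# kernel, so it says nothing about the image contents.

# kernel_packages_in_status STATUS_FILE
# Prints one line per *installed* package whose name starts with
# linux-image, linux-headers or linux-kbuild; prints nothing if there are none.
# Packages that are merely removed/config-files (Status: deinstall ...) are skipped.
kernel_packages_in_status() {
    [ -f "$1" ] || return 0
    awk '
        /^Package: / { pkg = $2 }
        /^Status: /  { installed = ($0 ~ /install ok installed/) }
        /^$/ {
            if (installed && pkg ~ /^linux-(image|headers|kbuild)/) print pkg
            pkg = ""; installed = 0
        }
        END {
            if (installed && pkg ~ /^linux-(image|headers|kbuild)/) print pkg
        }
    ' "$1"
}

# count_kernel_packages STATUS_FILE -> prints the number of installed kernel packages
count_kernel_packages() {
    kernel_packages_in_status "$1" | wc -l | tr -d ' '
}

# image_ships_kernel ROOTFS_DIR -> returns 0 if the rootfs carries a kernel
# (a kernel package in dpkg's database or a vmlinuz under boot/), else 1.
image_ships_kernel() {
    rootfs=$1
    if [ "$(count_kernel_packages "$rootfs/var/lib/dpkg/status")" -gt 0 ]; then
        return 0
    fi
    for f in "$rootfs"/boot/vmlinuz*; do
        [ -e "$f" ] && return 0
    done
    return 1
}

# --- constructed fixtures (sample input, not real images) ---
WORK=$(mktemp -d)

# A slim-style image: only userland packages, no kernel anywhere.
SLIM_ROOT="$WORK/slim"
mkdir -p "$SLIM_ROOT/var/lib/dpkg" "$SLIM_ROOT/boot"
cat > "$SLIM_ROOT/var/lib/dpkg/status" <<'EOF'
Package: base-files
Status: install ok installed

Package: libc6
Status: install ok installed
EOF

# A host-style rootfs: two installed kernel packages plus one that was removed
# (its stanza must NOT be counted), and a kernel file under boot/.
HOST_ROOT="$WORK/host"
mkdir -p "$HOST_ROOT/var/lib/dpkg" "$HOST_ROOT/boot"
cat > "$HOST_ROOT/var/lib/dpkg/status" <<'EOF'
Package: linux-image-example-amd64
Status: install ok installed

Package: linux-image-amd64
Status: install ok installed

Package: linux-headers-example-amd64
Status: deinstall ok config-files
EOF
: > "$HOST_ROOT/boot/vmlinuz-example"

# Report, for each rootfs, whether a kernel-CVE finding could apply to it.
for root in "$SLIM_ROOT" "$HOST_ROOT"; do
    if image_ships_kernel "$root"; then
        echo "$root: ships a kernel: $(kernel_packages_in_status "$root/var/lib/dpkg/status" | tr '\n' ' ')"
    else
        echo "$root: no kernel inside; kernel CVEs apply to the host, not this image"
    fi
done
```

Running it prints that the slim fixture has no kernel while the host-style fixture lists two installed kernel packages. Applied to a real `debian:bullseye-slim` export, the check comes out empty: the image has no `linux-image` package and no `boot/vmlinuz`, so a finding keyed on the `uname -r` value (`5.10.47-linuxkit` here, the `-linuxkit` suffix pointing at the Docker Desktop VM kernel) is a statement about the host and is remediated by updating the host, not the image.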

tommyreilly commented 3 years ago

Understood - thanks @tianon