debuerreotype / docker-debian-artifacts

Official builds of debuerreotype-generated Debian tarballs for use in Docker
https://docker.debian.net
Apache License 2.0

Vulnerabilities in debian:buster-slim - CVE-2018-25032 , CVE-2022-1271 , CVE-2022-1292 #161

Closed anandarca closed 2 years ago

anandarca commented 2 years ago

Hi Team, I am using debian:buster-slim as the OS Docker image, and the vulnerabilities below are reported by Microsoft Defender in ACR. The severity level is High. Please let me know whether the issues below are fixed and available in any of the latest tags.

- CVE-2018-25032 (https://lists.debian.org/debian-security-announce/2022/msg00079.html)
- CVE-2022-1271 (https://lists.debian.org/debian-security-announce/2022/msg00090.html)
- CVE-2022-1292 (https://lists.debian.org/debian-security-announce/2022/msg00107.html)

This is a blocker for us due to security compliance, so please advise.

Regards, Ananda

tianon commented 2 years ago

Yep, we're planning a rebuild shortly (within the next few days at most), especially for the recent "dpkg" update as well.

anandarca commented 2 years ago

Thanks for the update. Please keep me updated once the rebuild is done.

tianon commented 2 years ago

https://github.com/docker-library/official-images/pull/12531 :+1:

anandarca commented 2 years ago

Thank you. May I know whether Docker Hub will be updated with the latest version of the debian:buster-slim image? Or do you have steps to apply the above fixes to our container registry?

tianon commented 2 years ago

See https://github.com/docker-library/faq#an-images-source-changed-in-git-now-what for an overview of the full process/pipeline. If you need updates sooner, you'll need to build your own/rebuild your images (I'd suggest something like `RUN apt-get update && apt-get install -y --no-install-recommends foo bar baz` for updating packages foo, bar, and baz with security fixes).

anandarca commented 2 years ago

Dear Tianon, could you please confirm whether the fixes below are provided?

| ID | Security Check | Category | Severity | Patch Available |
| -- | -- | -- | -- | -- |
| 179316 | Debian Security Update for dpkg (DSA 5147-1) | Debian | High | Yes |
| 372268 | GNU Bash Privilege Escalation Vulnerability for Debian | Local | High | No |
| 105936 | OpenSSH Command Injection Vulnerability (Generic) | Security Policy | Medium | No |
| 650035 | OpenSSH Information Disclosure Vulnerability (Generic) | Security Policy | Medium | No |

anandarca commented 2 years ago

The reason: I am still getting alerts from Microsoft Defender after applying the Debian fixes. This is popping up on both the container registry (images) and also on pods running in the AKS cluster.

tianon commented 2 years ago

I can confirm that the packages in debian:buster-slim are updated as much as they possibly can be from Debian:

```console
$ docker run -it --rm --pull=always debian:buster-slim
buster-slim: Pulling from library/debian
Digest: sha256:fda76aa2ef4867e583dc8a7b86bbdb51118b8794c1b98aa4aeebaca3a1ad9c0f
Status: Image is up to date for debian:buster-slim
root@3fcbb7215cfe:/# apt-get update
Get:1 http://deb.debian.org/debian buster InRelease [122 kB]
Get:2 http://security.debian.org/debian-security buster/updates InRelease [65.4 kB]
Get:3 http://deb.debian.org/debian buster-updates InRelease [51.9 kB]
Get:4 http://deb.debian.org/debian buster/main amd64 Packages [7911 kB]
Get:5 http://security.debian.org/debian-security buster/updates/main amd64 Packages [328 kB]
Get:6 http://deb.debian.org/debian buster-updates/main amd64 Packages [8788 B]
Fetched 8486 kB in 1s (6551 kB/s)
Reading package lists... Done
root@3fcbb7215cfe:/# apt-get dist-upgrade
Reading package lists... Done
Building dependency tree
Reading state information... Done
Calculating upgrade... Done
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
```

anandarca commented 2 years ago

Below is the Dockerfile content that pulls the debian:buster-slim base image and installs/upgrades additional packages, if any.

```dockerfile
FROM debian:buster-slim
ADD . /
RUN chmod 755 /scripts/*.sh \
    && apt-get update \
    && apt-get --no-install-recommends -y install unzip ssh net-tools \
    && apt-get clean \
    && rm -rf /var/lib/apt/lists/*
```

The 3 vulnerabilities below show up in Microsoft Defender. Please let me know whether the above Dockerfile content is fine, and advise.

[screenshot of the Microsoft Defender findings; image not available in this copy]

anandarca commented 2 years ago

Additional info: the above findings link to the CVEs below.

- https://security-tracker.debian.org/tracker/CVE-2019-18276
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15778
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14145

tianon commented 2 years ago

In https://security-tracker.debian.org/tracker/CVE-2019-18276, you can see in the buster line that it's "vulnerable" (as in, unfixed in buster -- nothing we can do in the Docker image to fix that).

If you look at the bottom of the page, you'll find "Negligible security impact" (which is likely why it remains unfixed, and why it will very likely remain unfixed in buster indefinitely).
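The two checks that settle the questions in this thread are (1) whether the installed version of each package is at or above the version the DSA says is fixed, as tianon verified with `apt-get dist-upgrade` above, and (2) whether the distribution has a fix at all, which the security tracker shows per release. The following script is an added example, not code from docker-debian-artifacts or from Debian. It implements the dpkg version-comparison rules (epoch:upstream-revision; `~` sorts before anything, even the empty string; letters before non-letters; digit runs compared numerically) so that versions such as `1.1.1n-0+deb10u10` and `1.1.1n-0+deb10u2` are ordered correctly, and it runs that comparison over a constructed `/var/lib/dpkg/status` fragment. The fixed versions in `FIXED_IN_BUSTER` are my reading of the DSAs linked earlier in the thread and should be verified against the advisory text; `None` marks a CVE the tracker lists as unfixed in buster.

```python
"""Compare installed Debian package versions against DSA fixed versions.

Added example; not code from docker-debian-artifacts or from Debian.
"""
import re
from itertools import zip_longest


def _char_order(c):
    """Debian ordering of one non-digit character ('' = end of string)."""
    if c == "~":
        return -1          # '~' sorts before everything, including end-of-string
    if c == "":
        return 0
    if c.isalpha():
        return ord(c)      # letters sort before non-letters
    return ord(c) + 256    # '+', '.', etc. sort after all letters


def _cmp_fragment(a, b):
    """Compare two upstream or revision strings; return -1, 0 or 1."""
    while a or b:
        na = re.match(r"[^0-9]*", a).group()
        nb = re.match(r"[^0-9]*", b).group()
        for x, y in zip_longest(na, nb, fillvalue=""):
            ox, oy = _char_order(x), _char_order(y)
            if ox != oy:
                return -1 if ox < oy else 1
        a, b = a[len(na):], b[len(nb):]
        da = re.match(r"[0-9]*", a).group()
        db = re.match(r"[0-9]*", b).group()
        ia, ib = int(da or "0"), int(db or "0")
        if ia != ib:
            return -1 if ia < ib else 1
        a, b = a[len(da):], b[len(db):]
    return 0


def parse_version(version):
    """Split 'epoch:upstream-revision' into (epoch, upstream, revision)."""
    epoch = 0
    if ":" in version:
        epoch_str, version = version.split(":", 1)
        epoch = int(epoch_str)
    if "-" in version:
        upstream, revision = version.rsplit("-", 1)
    else:
        upstream, revision = version, ""
    return epoch, upstream, revision


def compare_versions(a, b):
    """Same ordering as `dpkg --compare-versions`: -1 if a < b, 0 if equal, 1 if a > b."""
    ea, ua, ra = parse_version(a)
    eb, ub, rb = parse_version(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _cmp_fragment(ua, ub) or _cmp_fragment(ra, rb)


def installed_versions(status_text):
    """Parse dpkg status stanzas into {package: version} for installed packages."""
    result = {}
    for stanza in status_text.strip().split("\n\n"):
        fields = dict(line.split(": ", 1) for line in stanza.splitlines() if ": " in line)
        if fields.get("Status", "").endswith("installed"):
            result[fields["Package"]] = fields["Version"]
    return result


# Fixed versions for buster as I read them from the DSAs linked in this thread
# (assumption: verify against the advisory text). None = no fix in buster.
FIXED_IN_BUSTER = {
    "CVE-2018-25032": ("zlib1g", "1:1.2.11.dfsg-1+deb10u1"),
    "CVE-2022-1271": ("gzip", "1.9-3+deb10u1"),
    "CVE-2022-1292": ("openssl", "1.1.1n-0+deb10u2"),
    "CVE-2019-18276": ("bash", None),   # tracker: vulnerable / unfixed in buster
}


def check(status_text, fixed=FIXED_IN_BUSTER):
    """Return {cve: (package, installed_version, state)} for each tracked CVE."""
    installed = installed_versions(status_text)
    report = {}
    for cve, (pkg, fixed_version) in fixed.items():
        have = installed.get(pkg)
        if have is None:
            state = "not-installed"          # binary package absent: nothing to patch
        elif fixed_version is None:
            state = "unfixed-in-distribution"  # no DSA; upgrading cannot clear it
        elif compare_versions(have, fixed_version) >= 0:
            state = "fixed"
        else:
            state = "vulnerable"
        report[cve] = (pkg, have, state)
    return report


# Constructed dpkg status fragment for illustration (not a real image's contents).
SAMPLE_STATUS = """\
Package: zlib1g
Status: install ok installed
Version: 1:1.2.11.dfsg-1
Architecture: amd64

Package: gzip
Status: install ok installed
Version: 1.9-3+deb10u1
Architecture: amd64

Package: bash
Status: install ok installed
Version: 5.0-4
Architecture: amd64
"""

if __name__ == "__main__":
    for cve, (pkg, ver, state) in check(SAMPLE_STATUS).items():
        print(f"{cve}: {pkg} {ver or '-'} -> {state}")
```

To run it against a real image, feed it the container's own status file, for example `docker run --rm debian:buster-slim cat /var/lib/dpkg/status`, and update the fixed-version table from the DSA you are checking. A result of `unfixed-in-distribution` is the case tianon describes for CVE-2019-18276: the scanner finding is correct about the version but no rebuild of the image can change it.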