search

debuerreotype / docker-debian-artifacts

Official builds of debuerreotype-generated Debian tarballs for use in Docker
https://docker.debian.net
Apache License 2.0
317 stars 104 forks source link

CVE-2023-47038 of bookworm-slim #211

Closed luoxiaojun1992 closed 11 months ago

luoxiaojun1992 commented 11 months ago

Hi, do you have a plan to fix the vulnerability for bookworm-slim image?

CVE-2023-47038

yosifkit commented 11 months ago

Background:

Tags in the [official-images] library file[s] are only built through an update to that library file or as a result of its base image being updated (ie, an image FROM debian:bookworm would be rebuilt when debian:bookworm is built).

-https://github.com/docker-library/official-images/tree/2f086314307c04e1de77f0a515f20671e60d40bb#library-definition-files

Official Images FAQ:

Though not every CVE is removed from the images, we take CVEs seriously and try to ensure that images contain the most up-to-date packages available within a reasonable time frame

- https://github.com/docker-library/faq/tree/0ad5fd60288109c875a54a37f6581b2deaa836db#why-does-my-security-scanner-show-that-an-image-has-cves

To ensure that we don't push contentless image changes, we rely on periodic base image updates.

We strive to publish updated images at least monthly for Debian. We also rebuild earlier if there is a critical security need. Many Official Images are maintained by the community or their respective upstream projects, like Ubuntu, Alpine, and Oracle Linux, and are subject to their own maintenance schedule.

- from the same FAQ link

luoxiaojun1992 commented 11 months ago

Gotcha. Thanks