Closed easco closed 4 years ago
https://security-tracker.debian.org/tracker/CVE-2020-8492 Buster is unfixed so there's nothing actionable for us to do, upstream also considers it a minor issue
$ docker run -it --rm buildpack-deps:buster-scm bash
root@9d2bd1850a11:/# apt update
Get:1 http://deb.debian.org/debian buster InRelease [121 kB]
Get:2 http://security.debian.org/debian-security buster/updates InRelease [65.4 kB]
Get:3 http://deb.debian.org/debian buster-updates InRelease [51.9 kB]
Get:4 http://deb.debian.org/debian buster/main amd64 Packages [7905 kB]
Get:5 http://security.debian.org/debian-security buster/updates/main amd64 Packages [208 kB]
Get:6 http://deb.debian.org/debian buster-updates/main amd64 Packages [7868 B]
Fetched 8360 kB in 3s (3054 kB/s)
Reading package lists... Done
Building dependency tree
Reading state information... Done
All packages are up to date.
See also https://github.com/docker-library/faq#why-does-my-security-scanner-show-that-an-image-has-so-many-cves And https://github.com/docker-library/postgres/issues/286#issuecomment-302512767 docker-library/openjdk#161, docker-library/openjdk#112, docker-library/postgres#286, docker-library/drupal#84, docker-library/official-images#2740, docker-library/ruby#117, docker-library/ruby#94, docker-library/python#152, docker-library/php#242, docker-library/buildpack-deps#46, docker-library/openjdk#185.
A CVE doesn't imply having an actual vulnerability, and often is even a false positive (given how most distributions handle versioning/security updates in stable releases). If there are actionable items we can resolve, we're happy to do so (and do so actively). We update all Debian based images to include any updates in apt packages at least monthly (we regenerate the base images and then rebuild all dependent images).
I attempted to bring the Elixir 10.3 image into our internal repo. Our mechanism does a scan for vulnerabilities and my request was rejected because of the version of Python 2 that appears to originate from the buildpack-deps:buster-scm image. The CVE that caused the rejection was CVE-2020-8492 with the description:
Python 2.7 through 2.7.17, 3.5 through 3.5.9, 3.6 through 3.6.10, 3.7 through 3.7.6, and 3.8 through 3.8.1 allows an HTTP server to conduct Regular Expression Denial of Service (ReDoS) attacks against a client because of urllib.request.AbstractBasicAuthHandler catastrophic backtracking.. Impacted Image File(s): /usr/lib/python3.7/urllib/request.py
I note the image includes Python 2.7.16