search

docker-library / buildpack-deps

MIT License
445 stars 113 forks source link

The versions of Python 2 in the build pack-deps:buster-scm include a vulnerability (CVE-2020-8492) #109

Closed easco closed 4 years ago

easco commented 4 years ago

I attempted to bring the Elixir 10.3 image into our internal repo. Our mechanism does a scan for vulnerabilities and my request was rejected because of the version of Python 2 that appears to originate from the buildpack-deps:buster-scm image. The CVE that caused the rejection was CVE-2020-8492 with the description:

Python 2.7 through 2.7.17, 3.5 through 3.5.9, 3.6 through 3.6.10, 3.7 through 3.7.6, and 3.8 through 3.8.1 allows an HTTP server to conduct Regular Expression Denial of Service (ReDoS) attacks against a client because of urllib.request.AbstractBasicAuthHandler catastrophic backtracking.. Impacted Image File(s): /usr/lib/python3.7/urllib/request.py

I note the image includes Python 2.7.16

wglambert commented 4 years ago

https://security-tracker.debian.org/tracker/CVE-2020-8492 Buster is unfixed so there's nothing actionable for us to do, upstream also considers it a minor issue

$ docker run -it --rm buildpack-deps:buster-scm bash

root@9d2bd1850a11:/# apt update       
Get:1 http://deb.debian.org/debian buster InRelease [121 kB]
Get:2 http://security.debian.org/debian-security buster/updates InRelease [65.4 kB]
Get:3 http://deb.debian.org/debian buster-updates InRelease [51.9 kB]
Get:4 http://deb.debian.org/debian buster/main amd64 Packages [7905 kB]
Get:5 http://security.debian.org/debian-security buster/updates/main amd64 Packages [208 kB]
Get:6 http://deb.debian.org/debian buster-updates/main amd64 Packages [7868 B]
Fetched 8360 kB in 3s (3054 kB/s)
Reading package lists... Done
Building dependency tree       
Reading state information... Done
All packages are up to date.

See also https://github.com/docker-library/faq#why-does-my-security-scanner-show-that-an-image-has-so-many-cves And https://github.com/docker-library/postgres/issues/286#issuecomment-302512767 docker-library/openjdk#161, docker-library/openjdk#112, docker-library/postgres#286, docker-library/drupal#84, docker-library/official-images#2740, docker-library/ruby#117, docker-library/ruby#94, docker-library/python#152, docker-library/php#242, docker-library/buildpack-deps#46, docker-library/openjdk#185.

A CVE doesn't imply having an actual vulnerability, and often is even a false positive (given how most distributions handle versioning/security updates in stable releases). If there are actionable items we can resolve, we're happy to do so (and do so actively). We update all Debian based images to include any updates in apt packages at least monthly (we regenerate the base images and then rebuild all dependent images).