wglambert
commented
4 years ago https://security-tracker.debian.org/tracker/CVE-2020-8492 Buster is unfixed so there's nothing actionable for us to do, upstream also considers it a minor issue
$ docker run -it --rm buildpack-deps:buster bash
root@3038e1bdae54:/# apt update
Get:1 http://deb.debian.org/debian buster InRelease [121 kB]
Get:2 http://security.debian.org/debian-security buster/updates InRelease [65.4 kB]
Get:3 http://deb.debian.org/debian buster-updates InRelease [51.9 kB]
Get:4 http://security.debian.org/debian-security buster/updates/main amd64 Packages [208 kB]
Get:5 http://deb.debian.org/debian buster/main amd64 Packages [7905 kB]
Get:6 http://deb.debian.org/debian buster-updates/main amd64 Packages [7868 B]
Fetched 8360 kB in 4s (2262 kB/s)
Reading package lists... Done
Building dependency tree
Reading state information... Done
14 packages can be upgraded. Run 'apt list --upgradable' to see them.
root@3038e1bdae54:/# apt list --upgradable
Listing... Done
imagemagick-6-common/stable 8:6.9.10.23+dfsg-2.1+deb10u1 all [upgradable from: 8:6.9.10.23+dfsg-2.1]
imagemagick-6.q16/stable 8:6.9.10.23+dfsg-2.1+deb10u1 amd64 [upgradable from: 8:6.9.10.23+dfsg-2.1]
imagemagick/stable 8:6.9.10.23+dfsg-2.1+deb10u1 amd64 [upgradable from: 8:6.9.10.23+dfsg-2.1]
libmagickcore-6-arch-config/stable 8:6.9.10.23+dfsg-2.1+deb10u1 amd64 [upgradable from: 8:6.9.10.23+dfsg-2.1]
libmagickcore-6-headers/stable 8:6.9.10.23+dfsg-2.1+deb10u1 all [upgradable from: 8:6.9.10.23+dfsg-2.1]
libmagickcore-6.q16-6-extra/stable 8:6.9.10.23+dfsg-2.1+deb10u1 amd64 [upgradable from: 8:6.9.10.23+dfsg-2.1]
libmagickcore-6.q16-6/stable 8:6.9.10.23+dfsg-2.1+deb10u1 amd64 [upgradable from: 8:6.9.10.23+dfsg-2.1]
libmagickcore-6.q16-dev/stable 8:6.9.10.23+dfsg-2.1+deb10u1 amd64 [upgradable from: 8:6.9.10.23+dfsg-2.1]
libmagickcore-dev/stable 8:6.9.10.23+dfsg-2.1+deb10u1 all [upgradable from: 8:6.9.10.23+dfsg-2.1]
libmagickwand-6-headers/stable 8:6.9.10.23+dfsg-2.1+deb10u1 all [upgradable from: 8:6.9.10.23+dfsg-2.1]
libmagickwand-6.q16-6/stable 8:6.9.10.23+dfsg-2.1+deb10u1 amd64 [upgradable from: 8:6.9.10.23+dfsg-2.1]
libmagickwand-6.q16-dev/stable 8:6.9.10.23+dfsg-2.1+deb10u1 amd64 [upgradable from: 8:6.9.10.23+dfsg-2.1]
libmagickwand-dev/stable 8:6.9.10.23+dfsg-2.1+deb10u1 all [upgradable from: 8:6.9.10.23+dfsg-2.1]
linux-libc-dev/stable 4.19.118-2+deb10u1 amd64 [upgradable from: 4.19.118-2]See also https://github.com/docker-library/faq#why-does-my-security-scanner-show-that-an-image-has-so-many-cves And https://github.com/docker-library/postgres/issues/286#issuecomment-302512767 docker-library/openjdk#161, docker-library/openjdk#112, docker-library/postgres#286, docker-library/drupal#84, docker-library/official-images#2740, docker-library/ruby#117, docker-library/ruby#94, docker-library/python#152, docker-library/php#242, docker-library/buildpack-deps#46, docker-library/openjdk#185.
A CVE doesn't imply having an actual vulnerability, and often is even a false positive (given how most distributions handle versioning/security updates in stable releases). If there are actionable items we can resolve, we're happy to do so (and do so actively). We update all Debian based images to include any updates in apt packages at least monthly (we regenerate the base images and then rebuild all dependent images).
I attempted to bring the Elixir 10.3 image into our internal repo. Our mechanism does a scan for vulnerabilities and my request was rejected because of the version of Python 3 that appears to originate from the buildpack-deps:buster image. The CVE that caused the rejection was CVE-2020-8492 with the description:
Python 2.7 through 2.7.17, 3.5 through 3.5.9, 3.6 through 3.6.10, 3.7 through 3.7.6, and 3.8 through 3.8.1 allows an HTTP server to conduct Regular Expression Denial of Service (ReDoS) attacks against a client because of urllib.request.AbstractBasicAuthHandler catastrophic backtracking.. Impacted Image File(s): /usr/lib/python3.7/urllib/request.py
I note the image includes Python 3.7.3