docker-library / buildpack-deps

MIT License

CVE-2020-25692 vulnerability has update available #116

Closed csMACnz closed 3 years ago

csMACnz commented 3 years ago

This is my first time tracing a CVE and reporting an update so bear with me.

A downstream image I am using uses the buildpack-deps:buster-scm base image. Trivy is detecting a fixable CVE-2020-25692

Expected: buildpack-deps:buster-scm has the security updated version of libldap-2.4-2 (2.4.47+dfsg-3+deb10u3)

Actual: Installed version is 2.4.47+dfsg-3+deb10u2

I've checked the image and can confirm it does have the previous version, and can update to the latest:

```
> docker run -it --rm amd64/buildpack-deps:buster-scm bash
root@08117b72fe48:/# apt update
Get:1 http://security.debian.org/debian-security buster/updates InRelease [65.4 kB]
Get:2 http://deb.debian.org/debian buster InRelease [121 kB]
Get:3 http://deb.debian.org/debian buster-updates InRelease [51.9 kB]
Get:4 http://security.debian.org/debian-security buster/updates/main amd64 Packages [248 kB]
Get:5 http://deb.debian.org/debian buster/main amd64 Packages [7906 kB]
Get:6 http://deb.debian.org/debian buster-updates/main amd64 Packages [7856 B]
Fetched 8401 kB in 2s (3631 kB/s)
Reading package lists... Done
Building dependency tree
Reading state information... Done
3 packages can be upgraded. Run 'apt list --upgradable' to see them.
root@08117b72fe48:/# apt list --upgradable
Listing... Done
libldap-2.4-2/stable 2.4.47+dfsg-3+deb10u3 amd64 [upgradable from: 2.4.47+dfsg-3+deb10u2]
libldap-common/stable 2.4.47+dfsg-3+deb10u3 all [upgradable from: 2.4.47+dfsg-3+deb10u2]
tzdata/stable-updates 2020d-0+deb10u1 all [upgradable from: 2020a-0+deb10u1]
```

I verified the image has the CVE issue using Trivy:

```
docker run --rm -v /var/run/docker.sock:/var/run/docker.sock aquasec/trivy --ignore-unfixed amd64/buildpack-deps:buster-scm
```

Thanks for your time, hopefully this is the right place for triggering a rebuild with that updated dependency. If not then any advice who to notify would be appreciated.
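What Trivy is doing when it marks this CVE as fixable is ordering the installed Debian package version against the version the fix landed in. The following is an added example, not code from this issue or from the buildpack-deps project: it re-implements the ordering rules of `dpkg --compare-versions` in Python and applies them to the libldap versions quoted above; the package dictionaries at the bottom are constructed sample data.

```python
# Added example (not from buildpack-deps): dpkg's version-ordering rules in
# Python, to decide whether an installed package already carries a fix.
import re
from itertools import zip_longest
_RUNS = re.compile(r"(\D*)(\d*)")  # alternating non-digit / digit runs

def _order(c):
    """Character weight: '~' < end of string < letters < everything else."""
    if not c:
        return 0
    if c == "~":
        return -1
    return ord(c) if c.isalpha() else ord(c) + 256

def _cmp_fragment(a, b):
    """Compare an upstream version or a Debian revision string."""
    for (sa, na), (sb, nb) in zip_longest(_RUNS.findall(a), _RUNS.findall(b),
                                          fillvalue=("", "")):
        for ca, cb in zip_longest(sa, sb, fillvalue=""):   # non-digit run
            if _order(ca) != _order(cb):
                return _order(ca) - _order(cb)
        if int(na or 0) != int(nb or 0):                   # digit run, numeric
            return int(na or 0) - int(nb or 0)
    return 0

def _split(version):
    """'epoch:upstream-revision' -> (epoch, upstream, revision)."""
    epoch, sep, rest = version.partition(":")
    if not sep:
        epoch, rest = "0", version
    upstream, sep, revision = rest.rpartition("-")
    if not sep:
        upstream, revision = rest, ""
    return int(epoch), upstream, revision

def compare_versions(a, b):
    """Return -1, 0 or 1 for a lt / eq / gt b, as dpkg orders them."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    r = (ea > eb) - (ea < eb) or _cmp_fragment(ua, ub) or _cmp_fragment(ra, rb)
    return (r > 0) - (r < 0)

def unfixed(installed, fixed_in):
    """Packages whose installed version still sorts below the fixed one."""
    return sorted(p for p, v in installed.items()
                  if p in fixed_in and compare_versions(v, fixed_in[p]) < 0)

# Constructed sample using the versions reported in this issue.
INSTALLED = {"libldap-2.4-2": "2.4.47+dfsg-3+deb10u2", "tzdata": "2020a-0+deb10u1"}
FIXED_IN = {"libldap-2.4-2": "2.4.47+dfsg-3+deb10u3"}
```

Running `unfixed(INSTALLED, FIXED_IN)` on the sample returns `["libldap-2.4-2"]`; once the image is rebuilt with deb10u3 the comparison returns 0 and the list is empty.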

wglambert commented 3 years ago

The Chief Architect of the OpenLDAP project disputes that it qualifies as a security issue https://bugs.openldap.org/show_bug.cgi?id=9370#c4

See also https://github.com/docker-library/faq#why-does-my-security-scanner-show-that-an-image-has-cves and https://github.com/docker-library/postgres/issues/286#issuecomment-302512767, docker-library/openjdk#161, docker-library/openjdk#112, docker-library/postgres#286, docker-library/drupal#84, docker-library/official-images#2740, docker-library/ruby#117, docker-library/ruby#94, docker-library/python#152, docker-library/php#242, docker-library/buildpack-deps#46, docker-library/openjdk#185.

A CVE doesn't imply having an actual vulnerability, and often is even a false positive (given how most distributions handle versioning/security updates in stable releases). If there are actionable items we can resolve, we're happy to do so (and do so actively). We update all Debian based images to include any updates in apt packages at least monthly (we regenerate the base images and then rebuild all dependent images).

tianon commented 3 years ago

It will also be rebuilt as soon as https://github.com/docker-library/official-images/pull/9106 merges. :)

csMACnz commented 3 years ago

Thanks, I did have a good read of that FAQ, very helpful!

> If there are actionable items we can resolve, we're happy to do so

A bit of ambiguity here so figured I would ask anyway, since there is something actionable. If a new release is triggering in the next few days anyway, I have no trouble waiting for it to get picked up in that. 👍

csMACnz commented 3 years ago

The rebuild for tianon did indeed pull in this update and the CVE alert is resolved at my end 👍

Thanks for your great communication 💯 🙇

Closing as resolved.