Closed csMACnz closed 3 years ago
The Chief Architect of the OpenLDAP project disputes that it qualifies as a security issue https://bugs.openldap.org/show_bug.cgi?id=9370#c4
See also https://github.com/docker-library/faq#why-does-my-security-scanner-show-that-an-image-has-cves and https://github.com/docker-library/postgres/issues/286#issuecomment-302512767, as well as docker-library/openjdk#161, docker-library/openjdk#112, docker-library/postgres#286, docker-library/drupal#84, docker-library/official-images#2740, docker-library/ruby#117, docker-library/ruby#94, docker-library/python#152, docker-library/php#242, docker-library/buildpack-deps#46, docker-library/openjdk#185.
A CVE doesn't imply having an actual vulnerability, and often is even a false positive (given how most distributions handle versioning/security updates in stable releases). If there are actionable items we can resolve, we're happy to do so (and do so actively). We update all Debian based images to include any updates in apt packages at least monthly (we regenerate the base images and then rebuild all dependent images).
It will also be rebuilt as soon as https://github.com/docker-library/official-images/pull/9106 merges. :)
Thanks, I did have a good read of that FAQ, very helpful!
If there are actionable items we can resolve, we're happy to do so
A bit of ambiguity here, so I figured I would ask anyway, since there is something actionable. If a new release is triggering in the next few days anyway, I have no trouble waiting for it to get picked up in that.
The rebuild for tianon did indeed pull in this update and the CVE alert is resolved at my end.
Thanks for your great communication!
Closing as resolved.
This is my first time tracing a CVE and reporting an update so bear with me.
A downstream image I am using uses the buildpack-deps:buster-scm base image. Trivy is detecting a fixable CVE-2020-25692
Expected: buildpack-deps:buster-scm has the security updated version of libldap-2.4-2 (2.4.47+dfsg-3+deb10u3)
Actual: Installed version is 2.4.47+dfsg-3+deb10u2
I've checked the image and can confirm it does have the previous version, and can update to the latest:
I verified the image has the CVE issue using Trivy:
Thanks for your time, hopefully this is the right place for triggering a rebuild with that updated dependency. If not then any advice who to notify would be appreciated.