docker-library / buildpack-deps

MIT License
445 stars 113 forks

CRITICAL Vulnerabilities CVE-2022-1292 and CVE-2022-29155 found in docker image #132

Closed divyaArthurAI closed 2 years ago

divyaArthurAI commented 2 years ago

The docker image for buildpack-deps:buster-curl is flagging vulnerabilities CVE-2022-1292 and CVE-2022-29155.

The vulnerabilities appear to come from curl, which has already been patched in buster. Can you please rebuild the image to use the latest, patched curl?

tojaroslaw commented 2 years ago

I'd appreciate this as well! I noticed that the base image, debian:buster is clean now and it would be great to have a clean version of buildpack-deps:buster-curl and buildpack-deps:buster-scm

Thanks!

ikekilinc commented 2 years ago

+1 --- I'm also blocked on using this image for my team due to the now fixed vulnerabilities.

This would be tremendously useful for us!

tokarskyibogdan commented 2 years ago

+1

klee0589 commented 2 years ago

+1

yosifkit commented 2 years ago

Background:

Tags in the [official-images] library file[s] are only built through an update to that library file [(i.e. when their build context changes)] or as a result of its base image being updated (i.e., an image FROM debian:buster would be rebuilt when debian:buster is built).

- https://github.com/docker-library/official-images/tree/2f086314307c04e1de77f0a515f20671e60d40bb#library-definition-files

Official Images FAQ:

Though not every CVE is removed from the images, we take CVEs seriously and try to ensure that images contain the most up-to-date packages available within a reasonable time frame

- https://github.com/docker-library/faq/tree/6138d05aabf61563606d86f98d0ccbd99f162b33#why-does-my-security-scanner-show-that-an-image-has-cves

Since our build system makes heavy use of Docker build cache, just rebuilding all of the Dockerfiles won't cause any change. So we rely on periodic base image updates.

We strive to publish updated images at least monthly for Debian and Ubuntu. We also rebuild earlier if there is a critical security need. Many Official Images are maintained by the community or their respective upstream projects, like Alpine and Oracle Linux, and are subject to their own maintenance schedule.

- from the same FAQ link

Our current plan is to rebuild the Debian base images within the next few days in order for all dependent images to get these and other fixes (especially https://security-tracker.debian.org/tracker/CVE-2022-1664).
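Added example (not code from this issue or from the docker-library project): rather than trusting a scanner's verdict on a tag, a practitioner can check whether the image they pulled actually carries the fixed package versions. The script below re-implements dpkg's version ordering (epoch, upstream, revision; `~` sorts before everything, digit runs compare numerically) and compares the packages listed by `dpkg-query` against the fixed versions published on the Debian security tracker. The `dpkg-query` output and the fixed versions embedded here are constructed placeholders, not the real contents of any `buildpack-deps` image; replace them with the output of `docker run --rm buildpack-deps:buster-curl dpkg-query -W -f='${Package} ${Version}\n'` and the versions the tracker lists for the CVE in question.

```python
"""Check whether installed Debian packages are at or above a fixed version.

Added example. Feed it the output of
    docker run --rm buildpack-deps:buster-curl \
        dpkg-query -W -f='${Package} ${Version}\n'
plus the fixed versions from https://security-tracker.debian.org/tracker/<CVE-ID>.
"""

DIGITS = "0123456789"


def _order(c):
    """Sort weight of one character, as in dpkg: '~' sorts before everything
    (even end of string), letters before non-letters, end of string == 0."""
    if c == "" or c in DIGITS:
        return 0
    if c.isalpha():
        return ord(c)
    if c == "~":
        return -1
    return ord(c) + 256


def _verrevcmp(a, b):
    """Compare two version fragments the way dpkg's verrevcmp() does."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        # Non-digit run: compared character by character via _order().
        while (i < len(a) and a[i] not in DIGITS) or (j < len(b) and b[j] not in DIGITS):
            ac = _order(a[i] if i < len(a) else "")
            bc = _order(b[j] if j < len(b) else "")
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        # Digit run: numeric comparison (leading zeros dropped, longer run wins).
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and a[i] in DIGITS and j < len(b) and b[j] in DIGITS:
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i] in DIGITS:
            return 1
        if j < len(b) and b[j] in DIGITS:
            return -1
        if first_diff:
            return first_diff
    return 0


def _split(version):
    """Split 'epoch:upstream-revision' into its parts (missing epoch is 0,
    missing revision is empty, which dpkg treats as equal to '0')."""
    epoch = 0
    if ":" in version:
        e, version = version.split(":", 1)
        epoch = int(e)
    upstream, sep, revision = version.rpartition("-")
    if not sep:
        upstream, revision = version, ""
    return epoch, upstream, revision


def compare_versions(a, b):
    """Return <0, 0 or >0, like `dpkg --compare-versions a lt/eq/gt b`."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    if ea != eb:
        return ea - eb
    return _verrevcmp(ua, ub) or _verrevcmp(ra, rb)


def parse_dpkg_query(output):
    """Turn 'Package Version' lines from dpkg-query into a dict."""
    installed = {}
    for line in output.splitlines():
        parts = line.split()
        if len(parts) == 2:
            installed[parts[0]] = parts[1]
    return installed


def outdated_packages(dpkg_output, fixed_versions):
    """Return {package: (installed, fixed)} for installed packages still below
    the fixed version. Packages that are not installed are not affected."""
    installed = parse_dpkg_query(dpkg_output)
    return {
        pkg: (installed[pkg], fixed)
        for pkg, fixed in fixed_versions.items()
        if pkg in installed and compare_versions(installed[pkg], fixed) < 0
    }


# Constructed sample of dpkg-query output; placeholder versions, not real image data.
SAMPLE_OUTPUT = """\
curl 7.64.0-4+deb10u2
libcurl4 7.64.0-4+deb10u2
libssl1.1 1.1.1n-0+deb10u1
openssl 1.1.1n-0+deb10u1
"""

# Placeholder fixed versions; take the real ones from the security tracker.
SAMPLE_FIXED = {
    "curl": "7.64.0-4+deb10u2",
    "libssl1.1": "1.1.1n-0+deb10u2",
    "openssl": "1.1.1n-0+deb10u2",
    "libldap-2.4-2": "2.4.47+dfsg-3+deb10u7",
}

if __name__ == "__main__":
    for pkg, (have, need) in sorted(outdated_packages(SAMPLE_OUTPUT, SAMPLE_FIXED).items()):
        print(f"{pkg}: installed {have} < fixed {need}")
```

Where dpkg itself is available, `dpkg --compare-versions` gives the same ordering and can replace the pure-Python comparison. Note that a scanner's CVE list and the installed versions can disagree in both directions: a scanner may still flag a version that Debian has patched (the situation this issue is about), so checking versions against the tracker's fixed version is the more reliable test.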

tianon commented 2 years ago

https://github.com/docker-library/official-images/pull/12531 :+1: