Closed mrbusche closed 2 years ago
Debian images are rebuilt on a monthly cadence, so it'll get updated and pushed to Dockerhub soon
Background:
Tags in the [official-images] library file[s] are only built through an update to that library file or as a result of its base image being updated (i.e., an image FROM debian:buster would be rebuilt when debian:buster is built).
Official Images FAQ:
Though not every CVE is removed from the images, we take CVEs seriously and try to ensure that images contain the most up-to-date packages available within a reasonable time frame
Since our build system makes heavy use of Docker build cache, just rebuilding all of the Dockerfiles won't cause any change. So we rely on periodic base image updates.
We strive to publish updated images at least monthly for Debian and Ubuntu. We also rebuild earlier if there is a critical security need. Many Official Images are maintained by the community or their respective upstream projects, like Alpine and Oracle Linux, and are subject to their own maintenance schedule.
- from the same FAQ link
It seems to already be completely up-to-date:
$ docker run -it --rm buildpack-deps:buster-curl
Unable to find image 'buildpack-deps:buster-curl' locally
buster-curl: Pulling from library/buildpack-deps
7e6a53d1988f: Pull complete
4fe4e1c58b4a: Pull complete
cc915d298757: Pull complete
Digest: sha256:a4ce81d1e76a54c634fb40b86a9477788b05a56df351a18f7f60be783b5b22cb
Status: Downloaded newer image for buildpack-deps:buster-curl
root@d4d95405bee4:/# apt update
Get:1 http://deb.debian.org/debian buster InRelease [122 kB]
Get:2 http://deb.debian.org/debian-security buster/updates InRelease [34.8 kB]
Get:3 http://deb.debian.org/debian buster-updates InRelease [56.6 kB]
Get:4 http://deb.debian.org/debian buster/main amd64 Packages [7911 kB]
Get:5 http://deb.debian.org/debian-security buster/updates/main amd64 Packages [338 kB]
Get:6 http://deb.debian.org/debian buster-updates/main amd64 Packages [8788 B]
Fetched 8470 kB in 1s (5779 kB/s)
Reading package lists... Done
Building dependency tree
Reading state information... Done
All packages are up to date.
root@d4d95405bee4:/# dpkg -l | grep curl
ii curl 7.64.0-4+deb10u2 amd64 command line tool for transferring data with URL syntax
ii libcurl4:amd64 7.64.0-4+deb10u2 amd64 easy-to-use client-side URL transfer library (OpenSSL flavour)
And neither of the listed CVEs are applicable to Debian Buster:
[buster] - curl <not-affected> (Vulnerable code introduced later)
NOT-FOR-US: VMware
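The check in the comment above, generalized, as an added example that is not from this thread or the docker-library project: it reads the installed versions from dpkg -l rows, compares them with dpkg's own version ordering (so a backported security update such as 7.64.0-4+deb10u2 is not mistaken for an unpatched 7.64.0 just because 7.64.0 is older than the upstream fix release), and reports each tracker entry as not-affected, fixed or vulnerable. The tracker dictionary is constructed by hand and the CVE-0000-00000 entry is invented to exercise the vulnerable path.

```python
import re
from itertools import zip_longest

# dpkg character weight: '~' sorts before everything (even end of string), letters before other symbols.
def _order(c):
    return -1 if c == "~" else ord(c) if c.isalpha() else ord(c) + 256

def _cmp_fragment(a, b):
    """Port of dpkg's verrevcmp(): compare alternating non-digit and digit runs.
    A missing character weighs 0, so 'a' < 'ab' but 'a~' < 'a'; digit runs compare numerically."""
    ta, tb = re.findall(r"(\D*)(\d*)", a), re.findall(r"(\D*)(\d*)", b)
    for (na, da), (nb, db) in zip_longest(ta, tb, fillvalue=("", "")):
        ka, kb = [_order(c) for c in na] + [0], [_order(c) for c in nb] + [0]
        if ka != kb:
            return -1 if ka < kb else 1
        if int(da or 0) != int(db or 0):
            return -1 if int(da or 0) < int(db or 0) else 1
    return 0

def compare_versions(v1, v2):
    """Negative/zero/positive like `dpkg --compare-versions`: epoch, then upstream, then revision."""
    def split(v):
        epoch, _, rest = v.partition(":") if ":" in v else ("0", "", v)
        upstream, _, revision = rest.rpartition("-") if "-" in rest else (rest, "", "")
        return int(epoch), upstream, revision
    (e1, u1, r1), (e2, u2, r2) = split(v1), split(v2)
    return (e1 - e2) or _cmp_fragment(u1, u2) or _cmp_fragment(r1, r2)

def parse_dpkg_l(output):
    """{binary package: version} from the 'ii' rows of `dpkg -l`, architecture qualifier dropped."""
    rows = (line.split() for line in output.splitlines())
    return {p[1].split(":")[0]: p[2] for p in rows if len(p) >= 3 and p[0] == "ii"}

def finding_status(installed_version, fixed_in):
    """Tracker semantics: None means <not-affected>; otherwise fixed iff installed >= fixed version."""
    if fixed_in is None:
        return "not-affected"
    return "fixed" if compare_versions(installed_version, fixed_in) >= 0 else "vulnerable"

# Constructed sample: the two dpkg rows quoted in the thread plus hand-written tracker entries.
# CVE-2022-32207 is <not-affected> in buster as quoted; CVE-0000-00000 and its fix version are invented.
DPKG_OUTPUT = """\
ii curl 7.64.0-4+deb10u2 amd64 command line tool for transferring data with URL syntax
ii libcurl4:amd64 7.64.0-4+deb10u2 amd64 easy-to-use client-side URL transfer library (OpenSSL flavour)
"""
TRACKER_BUSTER = {"CVE-2022-32207": None, "CVE-0000-00000": "7.64.0-4+deb10u3"}

def audit(dpkg_output=DPKG_OUTPUT, tracker=TRACKER_BUSTER, package="curl"):
    """Status of each tracker entry for one binary package: {cve: status}."""
    installed = parse_dpkg_l(dpkg_output)[package]
    return {cve: finding_status(installed, fix) for cve, fix in tracker.items()}
```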
Ugh, sorry guys, I wrote buster when I meant bullseye. The bullseye image is the vulnerable one. I opened a new issue https://github.com/docker-library/buildpack-deps/issues/134
The docker image for buildpack-deps:buster-curl is flagging vulnerabilities CVE-2022-32207 and CVE-2022-22945.
The vulnerabilities appear to come from curl, which has already been patched in buster. Can you please rebuild the image to use the latest, patched curl?
Similar issue to https://github.com/docker-library/buildpack-deps/issues/132 which was resolved by a rebuild, debian-buster is not showing any CVEs that have fixes available.