docker-library / buildpack-deps

MIT License

CRITICAL Vulnerabilities CVE-2022-32207 and CVE-2022-22945 found in docker image #133

Closed mrbusche closed 2 years ago

mrbusche commented 2 years ago

The docker image for buildpack-deps:buster-curl is flagging vulnerabilities CVE-2022-32207 and CVE-2022-22945.

The vulnerabilities appear to come from curl, which has already been patched in buster. Can you please rebuild the image to use the latest, patched curl?

Similar issue to https://github.com/docker-library/buildpack-deps/issues/132, which was resolved by a rebuild; debian-buster is not showing any CVEs that have fixes available.

wglambert commented 2 years ago

Debian images are rebuilt on a monthly cadence, so it'll get updated and pushed to Docker Hub soon.

Background:

Tags in the [official-images] library file[s] are only built through an update to that library file or as a result of its base image being updated (ie, an image FROM debian:buster would be rebuilt when debian:buster is built).

- https://github.com/docker-library/official-images/tree/2f086314307c04e1de77f0a515f20671e60d40bb#library-definition-files

Official Images FAQ:

Though not every CVE is removed from the images, we take CVEs seriously and try to ensure that images contain the most up-to-date packages available within a reasonable time frame

- https://github.com/docker-library/faq/tree/6138d05aabf61563606d86f98d0ccbd99f162b33#why-does-my-security-scanner-show-that-an-image-has-cves

Since our build system makes heavy use of Docker build cache, just rebuilding all of the Dockerfiles won't cause any change. So we rely on periodic base image updates.

We strive to publish updated images at least monthly for Debian and Ubuntu. We also rebuild earlier if there is a critical security need. Many Official Images are maintained by the community or their respective upstream projects, like Alpine and Oracle Linux, and are subject to their own maintenance schedule.

- from the same FAQ link

yosifkit commented 2 years ago

It seems to already be completely up-to-date:

$ docker run -it --rm buildpack-deps:buster-curl
Unable to find image 'buildpack-deps:buster-curl' locally
buster-curl: Pulling from library/buildpack-deps
7e6a53d1988f: Pull complete 
4fe4e1c58b4a: Pull complete 
cc915d298757: Pull complete 
Digest: sha256:a4ce81d1e76a54c634fb40b86a9477788b05a56df351a18f7f60be783b5b22cb
Status: Downloaded newer image for buildpack-deps:buster-curl
root@d4d95405bee4:/# apt update
Get:1 http://deb.debian.org/debian buster InRelease [122 kB]
Get:2 http://deb.debian.org/debian-security buster/updates InRelease [34.8 kB]
Get:3 http://deb.debian.org/debian buster-updates InRelease [56.6 kB]
Get:4 http://deb.debian.org/debian buster/main amd64 Packages [7911 kB]
Get:5 http://deb.debian.org/debian-security buster/updates/main amd64 Packages [338 kB]
Get:6 http://deb.debian.org/debian buster-updates/main amd64 Packages [8788 B]
Fetched 8470 kB in 1s (5779 kB/s)                        
Reading package lists... Done
Building dependency tree       
Reading state information... Done
All packages are up to date.
root@d4d95405bee4:/# dpkg -l | grep curl
ii  curl                      7.64.0-4+deb10u2            amd64        command line tool for transferring data with URL syntax
ii  libcurl4:amd64            7.64.0-4+deb10u2            amd64        easy-to-use client-side URL transfer library (OpenSSL flavour)

And neither of the listed CVEs is applicable to Debian Buster:
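As an added example (not the maintainers' code), here is a Python check for the situation above: it parses the `dpkg -l` output from the container and compares each installed version with a table of "fixed in" versions using the dpkg version-ordering rules, so a scanner finding can be confirmed or dismissed against what is actually installed. The fixed-version table is constructed for illustration and is not real security-tracker data.

```python
import re

# Constructed sample: the two `dpkg -l | grep curl` rows from the thread above.
DPKG_OUTPUT = """\
ii  curl                      7.64.0-4+deb10u2            amd64        command line tool for transferring data with URL syntax
ii  libcurl4:amd64            7.64.0-4+deb10u2            amd64        easy-to-use client-side URL transfer library (OpenSSL flavour)
"""

# Hypothetical "fixed in" versions (placeholders, not from the Debian tracker):
# curl is already at its fix version, libcurl4 is given a newer fix to show a hit.
FIXED_VERSIONS = {"curl": "7.64.0-4+deb10u2", "libcurl4": "7.64.0-4+deb10u3"}

def parse_dpkg(text):
    """Map package name (without the :arch suffix) to installed version for 'ii' rows."""
    installed = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 3 and fields[0] == "ii":
            installed[fields[1].split(":")[0]] = fields[2]
    return installed

def _order(c):
    # dpkg ordering for non-digit characters: '~' < end-of-run < letters < others
    if c == "~":
        return -1
    if c == "":
        return 0
    return ord(c) if c.isalpha() else ord(c) + 256

def _cmp_fragment(a, b):
    """Compare an upstream_version or debian_revision the way dpkg's verrevcmp does."""
    while a or b:
        na, nb = re.match(r"[^0-9]*", a).group(0), re.match(r"[^0-9]*", b).group(0)
        a, b = a[len(na):], b[len(nb):]
        for i in range(max(len(na), len(nb))):  # non-digit runs: char by char
            oa = _order(na[i] if i < len(na) else "")
            ob = _order(nb[i] if i < len(nb) else "")
            if oa != ob:
                return -1 if oa < ob else 1
        da, db = re.match(r"[0-9]*", a).group(0), re.match(r"[0-9]*", b).group(0)
        a, b = a[len(da):], b[len(db):]
        if int(da or 0) != int(db or 0):  # digit runs: numerically
            return -1 if int(da or 0) < int(db or 0) else 1
    return 0

def _split(v):
    epoch, sep, rest = v.partition(":")
    if not sep:
        epoch, rest = "0", v
    upstream, sep, revision = rest.rpartition("-")
    return (int(epoch), upstream, revision) if sep else (int(epoch), rest, "")

def compare_versions(v1, v2):
    """Return -1, 0 or 1 like `dpkg --compare-versions` (epoch:upstream-revision)."""
    e1, u1, r1 = _split(v1)
    e2, u2, r2 = _split(v2)
    if e1 != e2:
        return -1 if e1 < e2 else 1
    return _cmp_fragment(u1, u2) or _cmp_fragment(r1, r2)

def unpatched(installed, fixed_versions):
    """Packages whose installed version is older than the version that carries the fix."""
    return {pkg: (installed[pkg], fixed) for pkg, fixed in fixed_versions.items()
            if pkg in installed and compare_versions(installed[pkg], fixed) < 0}
```

Running `unpatched(parse_dpkg(DPKG_OUTPUT), FIXED_VERSIONS)` reports only libcurl4, because curl already matches its (constructed) fix version.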

mrbusche commented 2 years ago

Ugh, sorry guys, I wrote buster when I meant bullseye. The bullseye image is the vulnerable one. I opened a new issue https://github.com/docker-library/buildpack-deps/issues/134