docker-library / buildpack-deps

MIT License
445 stars 113 forks

CRITICAL Vulnerabilities CVE-2022-32207 and CVE-2021-22945 found in docker image #134

Closed mrbusche closed 2 years ago

mrbusche commented 2 years ago

The docker image for buildpack-deps:bullseye-curl is flagging vulnerabilities CVE-2022-32207 and CVE-2021-22945.

The vulnerabilities appear to come from curl, which has already been patched in bullseye. Can you please rebuild the image to use the latest, patched curl?

Similar issue to https://github.com/docker-library/buildpack-deps/issues/132, which was resolved by a rebuild; debian-bullseye is not showing any CVEs that have fixes available.

Duplicate of https://github.com/docker-library/buildpack-deps/issues/133 where I incorrectly mentioned buster instead of bullseye

buildpack-deps:bullseye-curl

+----------------+----------+------+----------+--------------------+-----------------------------+-------------+------------+------------+----------------------------------------------------+-------------------+
|      CVE       | SEVERITY | CVSS | PACKAGE  |      VERSION       |           STATUS            |  PUBLISHED  | DISCOVERED | GRACE DAYS |                    DESCRIPTION                     | TRIGGERED FAILURE |
+----------------+----------+------+----------+--------------------+-----------------------------+-------------+------------+------------+----------------------------------------------------+-------------------+
| CVE-2022-32207 | critical | 9.80 | curl     | 7.74.0-1.3+deb11u1 | fixed in 7.74.0-1.3+deb11u2 | 32 days     | < 1 hour   | 28         | When curl < 7.84.0 saves cookies, alt-svc and hsts | No                |
|                |          |      |          |                    | 32 days ago                 |             |            |            | data to local files, it makes the operation atomic |                   |
|                |          |      |          |                    |                             |             |            |            | by finalizing the operation with a rename from     |                   |
|                |          |      |          |                    |                             |             |            |            | a...                                               |                   |
+----------------+----------+------+----------+--------------------+-----------------------------+-------------+------------+------------+----------------------------------------------------+-------------------+
| CVE-2021-22945 | critical | 9.10 | curl     | 7.74.0-1.3+deb11u1 | fixed in 7.74.0-1.3+deb11u2 | > 10 months | < 1 hour   | -259       | When sending data to an MQTT server, libcurl <=    | Yes               |
|                |          |      |          |                    | > 10 months ago             |             |            |            | 7.73.0 and 7.78.0 could in some circumstances      |                   |
|                |          |      |          |                    |                             |             |            |            | erroneously keep a pointer to an already freed     |                   |
|                |          |      |          |                    |                             |             |            |            | memory ar...                                       |                   |
+----------------+----------+------+----------+--------------------+-----------------------------+-------------+------------+------------+----------------------------------------------------+-------------------+
yosifkit commented 2 years ago

Debian security tracking links:

Both are fixed by version 7.74.0-1.3+deb11u2 in Debian Bullseye. As noted in https://github.com/docker-library/buildpack-deps/issues/133#issuecomment-1208396503, they are rebuilt approximately every month. I am uncertain if either of these vulnerabilities is widely applicable enough to warrant an early full rebuild of all Debian based images (especially since they were rebuilt last week because of the regular Debian update in https://github.com/docker-library/official-images/pull/12889).

mrbusche commented 2 years ago

Makes sense, the last image was built on 8/1. I'll make sure we have an exception in place until 9/1 and we can revisit then if the image has not been rebuilt (with probably a few grace days since you're not on a fixed build schedule).

mrbusche commented 2 years ago

New build this morning resolved our issue. Thanks for all your hard work on all the docker-library images.