docker-library / buildpack-deps

MIT License

Critical Vulnerability CVE-2022-37434 found in bullseye-curl #135

Closed mrbusche closed 2 years ago

mrbusche commented 2 years ago

The Docker image buildpack-deps:bullseye-curl is flagging a critical CVE, CVE-2022-37434.

A rebuild should resolve the issue. The last build was on 8/23 and I know you try to publish ~monthly. I wanted to get something out here for others experiencing the same.

buildpack-deps:bullseye-curl

+----------------+----------+------+---------+-------------------------+----------------------------------+------------+
|      CVE       | SEVERITY | CVSS | PACKAGE |         VERSION         |              STATUS              | PUBLISHED  |
+----------------+----------+------+---------+-------------------------+----------------------------------+------------+
| CVE-2022-37434 | critical | 9.80 | zlib    | 1:1.2.11.dfsg-2+deb11u1 | fixed in 1:1.2.11.dfsg-2+deb11u2 | 24 days    |
|                |          |      |         |                         | 24 days ago                      |            |
+----------------+----------+------+---------+-------------------------+----------------------------------+------------+

tianon commented 2 years ago

Yeah, the last build was about a week ago, and this says it was fixed 24 days ago? Something isn't right there.

Looking at https://tracker.debian.org/pkg/zlib, it's clear this was only fixed in Bullseye three days after our update (on the 26th :sweat_smile:), but it's also interesting that the NIST page says it's being reevaluated?

mrbusche commented 2 years ago

> Yeah, the last build was about a week ago, and this says it was fixed 24 days ago? Something isn't right there.
>
> Looking at https://tracker.debian.org/pkg/zlib, it's clear this was only fixed in Bullseye three days after our update (on the 26th 😅), but it's also interesting that the NIST page says it's being reevaluated?

Sorry, the tool we use is confused; it is using the CVE publish date as the fix date for the package. The actual code fix was only published 3 days ago, which was after the last release.

mrbusche commented 2 years ago

Two additional CVEs popped up here, CVE-2022-1586 and CVE-2022-1587. The NIST database says they're being evaluated, but they're both marked as critical as of today.

+----------------+----------+------+------------+-------------------------+----------------------------------+------------+
|      CVE       | SEVERITY | CVSS |  PACKAGE   |         VERSION         |              STATUS              | PUBLISHED  |
+----------------+----------+------+------------+-------------------------+----------------------------------+------------+
| CVE-2022-37434 | critical | 9.80 | zlib       | 1:1.2.11.dfsg-2+deb11u1 | fixed in 1:1.2.11.dfsg-2+deb11u2 | 36 days    |
+----------------+----------+------+------------+-------------------------+----------------------------------+------------+
| CVE-2022-1587  | critical | 9.10 | pcre2      | 10.36-2                 | fixed in 10.36-2+deb11u1         | > 3 months |
+----------------+----------+------+------------+-------------------------+----------------------------------+------------+
| CVE-2022-1586  | critical | 9.10 | pcre2      | 10.36-2                 | fixed in 10.36-2+deb11u1         | > 3 months |
+----------------+----------+------+------------+-------------------------+----------------------------------+------------+

tianon commented 2 years ago

Will be fixed via https://github.com/docker-library/official-images/pull/13132