Closed mrbusche closed 2 years ago
Yeah, the last build was about a week ago, and this says it was fixed 24 days ago? Something isn't right there.
Looking at https://tracker.debian.org/pkg/zlib, it's clear this was only fixed in Bullseye three days after our update (on the 26th :sweat_smile:), but it's also interesting that the NIST page says it's being reevaluated?
Sorry, the tool we use is confused: it is using the CVE publish date as the fix date for the package. The actual code fix was only published 3 days ago, which was after the last release.
Two additional CVEs popped up here: CVE-2022-1586 and CVE-2022-1587. The NIST database says they're being evaluated, but they're both marked as critical as of today.
```
+----------------+----------+------+------------+-------------------------+----------------------------------+------------+
| CVE            | SEVERITY | CVSS | PACKAGE    | VERSION                 | STATUS                           | PUBLISHED  |
+----------------+----------+------+------------+-------------------------+----------------------------------+------------+
| CVE-2022-37434 | critical | 9.80 | zlib       | 1:1.2.11.dfsg-2+deb11u1 | fixed in 1:1.2.11.dfsg-2+deb11u2 | 36 days    |
|                |          |      |            |                         |                                  |            |
+----------------+----------+------+------------+-------------------------+----------------------------------+------------+
| CVE-2022-1587  | critical | 9.10 | pcre2      | 10.36-2                 | fixed in 10.36-2+deb11u1         | > 3 months |
|                |          |      |            |                         |                                  |            |
+----------------+----------+------+------------+-------------------------+----------------------------------+------------+
| CVE-2022-1586  | critical | 9.10 | pcre2      | 10.36-2                 | fixed in 10.36-2+deb11u1         | > 3 months |
|                |          |      |            |                         |                                  |            |
+----------------+----------+------+------------+-------------------------+----------------------------------+------------+
```
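The maintainer's point above (the scanner treats the CVE publish date as the fix date) and the scan table together suggest the check a practitioner wants before relying on a rebuild: compare the scanner's "fixed in" version against the version the distro archive actually carries, using Debian's own version ordering rather than dates. The following is an added example, not code from this thread or from the docker-library project. The scan rows are copied from the table above; the archive snapshots passed in are constructed; and `compare_versions` is a reimplementation of the dpkg comparison rules (epoch, upstream, revision; alternating non-digit/digit segments; `~` sorting before everything). In a real pipeline the "available" map would come from the archive's package index or the Debian security tracker instead of a literal.

```python
"""Cross-check a scanner's "fixed in" column against what the distro archive
actually ships before assuming that a rebuild will clear a CVE.

Added example; not part of the original issue thread. Scan rows are copied
from the thread's table, archive snapshots are constructed for illustration.
"""
import re

# Data rows of the scanner output pasted in the thread (headers omitted).
SCAN_TABLE = """\
| CVE-2022-37434 | critical | 9.80 | zlib  | 1:1.2.11.dfsg-2+deb11u1 | fixed in 1:1.2.11.dfsg-2+deb11u2 | 36 days    |
| CVE-2022-1587  | critical | 9.10 | pcre2 | 10.36-2                 | fixed in 10.36-2+deb11u1         | > 3 months |
| CVE-2022-1586  | critical | 9.10 | pcre2 | 10.36-2                 | fixed in 10.36-2+deb11u1         | > 3 months |
"""

# Constructed snapshot of the archive: what a rebuild would install right now.
AVAILABLE_NOW = {"zlib": "1:1.2.11.dfsg-2+deb11u2", "pcre2": "10.36-2+deb11u1"}


def _order(c):
    """dpkg's character weight for the non-digit segments."""
    if c == "~":
        return -1          # '~' sorts before everything, even end of string
    if c.isalpha():
        return ord(c)      # letters sort before non-letters
    return ord(c) + 256    # any other character


def _cmp_nondigit(a, b):
    for i in range(max(len(a), len(b))):
        ca = _order(a[i]) if i < len(a) else 0   # end of string weighs 0
        cb = _order(b[i]) if i < len(b) else 0
        if ca != cb:
            return -1 if ca < cb else 1
    return 0


def _cmp_fragment(a, b):
    """Compare upstream or revision strings: alternate non-digit and digit runs."""
    while a or b:
        na = re.match(r"[^0-9]*", a).group(0)
        nb = re.match(r"[^0-9]*", b).group(0)
        r = _cmp_nondigit(na, nb)
        if r:
            return r
        a, b = a[len(na):], b[len(nb):]
        da = re.match(r"[0-9]*", a).group(0)
        db = re.match(r"[0-9]*", b).group(0)
        ia, ib = (int(da) if da else 0), (int(db) if db else 0)
        if ia != ib:
            return -1 if ia < ib else 1
        a, b = a[len(da):], b[len(db):]
    return 0


def split_version(v):
    """Split '[epoch:]upstream[-revision]' into (epoch, upstream, revision)."""
    epoch = 0
    if ":" in v:
        e, v = v.split(":", 1)
        epoch = int(e)
    upstream, sep, revision = v.rpartition("-")
    if not sep:                      # no '-' at all: whole string is upstream
        upstream, revision = revision, ""
    return epoch, upstream, revision


def compare_versions(a, b):
    """Return -1, 0 or 1 like dpkg --compare-versions would order a against b."""
    ea, ua, ra = split_version(a)
    eb, ub, rb = split_version(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _cmp_fragment(ua, ub) or _cmp_fragment(ra, rb)


ROW_RE = re.compile(
    r"^\|\s*(CVE-\d{4}-\d+)\s*\|[^|]*\|[^|]*\|\s*(\S+)\s*\|\s*(\S+)\s*\|([^|]*)\|"
)


def parse_scan_table(text):
    """Pull (cve, package, installed, fixed) out of the scanner's ASCII rows."""
    findings = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        cve, pkg, installed, status = m.groups()
        fixed = re.search(r"fixed in (\S+)", status)
        findings.append({"cve": cve, "package": pkg, "installed": installed,
                         "fixed": fixed.group(1) if fixed else None})
    return findings


def rebuild_resolves(findings, available):
    """True per CVE only if the archive already offers >= the 'fixed in' version.

    A 'fixed in' entry or a publish date alone says nothing about whether the
    fixed package has reached the archive the image builds from."""
    result = {}
    for f in findings:
        offered = available.get(f["package"])
        result[f["cve"]] = (f["fixed"] is not None and offered is not None
                            and compare_versions(offered, f["fixed"]) >= 0)
    return result


if __name__ == "__main__":
    for cve, ok in rebuild_resolves(parse_scan_table(SCAN_TABLE), AVAILABLE_NOW).items():
        print(f"{cve}: {'rebuild picks up fix' if ok else 'fix NOT yet in archive'}")
```

Run it against a snapshot taken before the security upload (zlib still at `1:1.2.11.dfsg-2+deb11u1`) and CVE-2022-37434 reports the fix as not yet available, which is exactly the situation described in the thread: the scanner's "fixed" claim was true of the CVE record, not of the archive the image was built from.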
Will be fixed via https://github.com/docker-library/official-images/pull/13132
The docker image for buildpack-deps:bullseye-curl is flagging a critical CVE, CVE-2022-37434.
A rebuild should resolve the issue. The last build was on 8/23 and I know you try to publish ~monthly. Wanted to get something out here for others experiencing the same.
buildpack-deps:bullseye-curl