docker-library / buildpack-deps

MIT License

CRITICAL Vulnerabilities CVE-2022-41903 found in docker image #139

Closed rohit267 closed 9 months ago

rohit267 commented 1 year ago

More details here: https://security.snyk.io/vuln/SNYK-DEBIAN10-GIT-3232719

tianon commented 1 year ago

Looking at https://security-tracker.debian.org/tracker/CVE-2022-41903, this was fixed in git version 1:2.30.2-1+deb11u1, which is exactly what this image contains :sweat_smile:

```console
$ docker run --rm --pull=always buildpack-deps:bullseye dpkg -l git
bullseye: Pulling from library/buildpack-deps
Digest: sha256:40b14eb195795a586ac132c9b506253bc3e4ee7f48a63b685e5bf37e80b774cf
Status: Image is up to date for buildpack-deps:bullseye
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name           Version            Architecture Description
+++-==============-==================-============-===================================================
ii  git            1:2.30.2-1+deb11u1 amd64        fast, scalable, distributed revision control system
```

tianon commented 9 months ago

https://github.com/docker-library/faq#why-does-my-security-scanner-show-that-an-image-has-cves might also be interesting/useful :+1: