docker-library / buildpack-deps


CVE-2024-0553 - gnutls28 Security Vulnerability found building with Jammy-Curl #158

Closed. bwayway closed this 3 months ago

bwayway commented 3 months ago

Hello,

We are currently getting a high severity security warning (CVE-2024-0553 - gnutls28) from AWS Inspector when building a Docker image with the jammy-curl Dockerfile. We noticed the file hasn't been rebuilt in over a year. Would this cause any issues with the version of Ubuntu and its dependencies being out of date? If so, what would be the recommended course of action?

Thanks, Brendan

whalelines commented 3 months ago

buildpack-deps:jammy-curl was last updated 13 days ago, https://hub.docker.com/_/buildpack-deps/tags?page=&page_size=&ordering=&name=jammy-curl . Rebuilds are triggered for reasons other than the Dockerfile being updated. Perhaps you have an old version locally?

bwayway commented 3 months ago

Ok. Maybe I could be misunderstanding. We are currently seeing version 3.7.1-5 has the vulnerability. Based on the packages in the Docker Hub link provided, the package gnutls28 is at 3.7.3-4. According to the Debian security tracker the issue should be resolved in version 3.7.9-2.

tianon commented 3 months ago

Another way to come to the same conclusion:

```console
$ docker run -it --rm --pull=always buildpack-deps:jammy-curl
jammy-curl: Pulling from library/buildpack-deps
Digest: sha256:7779a591a40bfc86721dcbc2469adc533308056e5c6e7d674b89a04af56878f6
Status: Image is up to date for buildpack-deps:jammy-curl
root@bde6ec4edbec:/# apt update -qq
All packages are up to date.
root@bde6ec4edbec:/# apt list --upgradeable
Listing... Done
```

(In other words, all packages inside buildpack-deps:jammy-curl are as up-to-date as they can possibly be and a rebuild won't change anything here :heart:)

For Ubuntu packages, you'll want the Ubuntu security tracker instead, which is linked from the header in Debian's: https://ubuntu.com/security/CVE-2024-0553 (fixed in 3.7.3-4ubuntu1.4, in jammy)

https://github.com/docker-library/faq#why-does-my-security-scanner-show-that-an-image-has-cves might also be helpful.
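The mismatch in this thread comes down to which "fixed in" version a scanner compares the installed package against: Debian's tracker says 3.7.9-2, while Ubuntu backported the fix into jammy as 3.7.3-4ubuntu1.4. The following is an added example, not code from this thread or from the buildpack-deps project: it reimplements dpkg's version-comparison algorithm in Python so the check can run offline (on a real host you would call `dpkg --compare-versions INSTALLED ge FIXED` instead), then applies it to the versions quoted above. The helper names and the `3.7.3-4ubuntu1.3` "one revision too old" sample are assumptions made for illustration.

```python
"""Compare Debian/Ubuntu package versions the way dpkg does, to evaluate a CVE 'fixed in' version.

Added example (not from the thread or from buildpack-deps). Assumption: the dpkg algorithm is
reimplemented here only so the example runs offline; `dpkg --compare-versions` is the real tool.
"""


def _order(c: str) -> int:
    """dpkg character weight: digits 0, letters their code, '~' below everything
    (even the end of the string), any other character above all letters."""
    if c == "" or c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    if c == "~":
        return -1
    return ord(c) + 256


def _verrevcmp(a: str, b: str) -> int:
    """Compare one upstream-version or debian-revision string (dpkg's verrevcmp)."""
    ia = ib = 0
    while ia < len(a) or ib < len(b):
        # Non-digit runs are compared character by character using _order().
        while (ia < len(a) and not a[ia].isdigit()) or (ib < len(b) and not b[ib].isdigit()):
            ac = _order(a[ia] if ia < len(a) else "")
            bc = _order(b[ib] if ib < len(b) else "")
            if ac != bc:
                return ac - bc
            ia += 1
            ib += 1
        # Digit runs are compared numerically: strip leading zeros, the longer run wins,
        # otherwise the first differing digit decides (so 1.10 > 1.9).
        while ia < len(a) and a[ia] == "0":
            ia += 1
        while ib < len(b) and b[ib] == "0":
            ib += 1
        first_diff = 0
        while ia < len(a) and ib < len(b) and a[ia].isdigit() and b[ib].isdigit():
            if not first_diff:
                first_diff = ord(a[ia]) - ord(b[ib])
            ia += 1
            ib += 1
        if ia < len(a) and a[ia].isdigit():
            return 1
        if ib < len(b) and b[ib].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def parse_version(version: str):
    """Split '[epoch:]upstream[-revision]' as dpkg does (first ':' and last '-')."""
    epoch = 0
    if ":" in version:
        epoch_str, version = version.split(":", 1)
        epoch = int(epoch_str)
    if "-" in version:
        upstream, revision = version.rsplit("-", 1)
    else:
        upstream, revision = version, ""
    return epoch, upstream, revision


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1, matching `dpkg --compare-versions a lt|eq|gt b`."""
    ea, ua, ra = parse_version(a)
    eb, ub, rb = parse_version(b)
    if ea != eb:
        return -1 if ea < eb else 1
    for x, y in ((ua, ub), (ra, rb)):
        c = _verrevcmp(x, y)
        if c:
            return -1 if c < 0 else 1
    return 0


def is_fixed(installed: str, fixed_in: str) -> bool:
    """A package carries the fix when its version is >= the tracker's 'fixed in' version."""
    return compare_versions(installed, fixed_in) >= 0


if __name__ == "__main__":
    # Versions from the thread: Ubuntu's jammy fix (3.7.3-4ubuntu1.4), Debian's fix (3.7.9-2),
    # the scanner's reported 3.7.1-5, plus an assumed one-revision-older jammy build.
    UBUNTU_JAMMY_FIXED = "3.7.3-4ubuntu1.4"
    DEBIAN_FIXED = "3.7.9-2"
    for installed in ("3.7.1-5", "3.7.3-4ubuntu1.3", "3.7.3-4ubuntu1.4"):
        ubuntu = "fixed" if is_fixed(installed, UBUNTU_JAMMY_FIXED) else "vulnerable"
        debian = "fixed" if is_fixed(installed, DEBIAN_FIXED) else "vulnerable"
        print(f"{installed:18s} Ubuntu tracker: {ubuntu:10s} Debian tracker: {debian}")
    # The last row is the point of the thread: the patched jammy package is 'fixed' against the
    # Ubuntu tracker but 'vulnerable' against Debian's 3.7.9-2, a false positive on jammy.
```

The `~` handling matters in practice: Ubuntu and Debian backports use versions like `3.7.3-4ubuntu1.4~bpo`-style suffixes, and `~` sorts below the bare version, so a naive string or `sort -V` comparison can misjudge them where dpkg does not.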