docker-library / buildpack-deps

DSA-3232-1 curl -- security update #24

Closed kuba closed 8 years ago

kuba commented 9 years ago

https://lists.debian.org/debian-security-announce/2015/msg00120.html

Most recent Debian images are vulnerable. This should probably be built together with #23.

kuba commented 9 years ago

It seems that images were rebuilt just recently:

buildpack-deps      jessie-scm          05bacbdfa6eb        8 hours ago         291.8 MB
buildpack-deps      scm                 05bacbdfa6eb        8 hours ago         291.8 MB
buildpack-deps      curl                e66a33f451f4        8 hours ago         169.5 MB
buildpack-deps      jessie-curl         e66a33f451f4        8 hours ago         169.5 MB
debian              8.0                 41b730702607        15 hours ago        125.1 MB
debian              jessie              41b730702607        15 hours ago        125.1 MB
debian              latest              41b730702607        15 hours ago        125.1 MB
debian              8                   41b730702607        15 hours ago        125.1 MB
buildpack-deps      latest              b4f26f1941bc        8 days ago          677.5 MB
buildpack-deps      jessie              b4f26f1941bc        8 days ago          677.5 MB
<none>              <none>              938e3817ad84        4 weeks ago         289.5 MB
scratch             latest              511136ea3c5a        22 months ago       0 B

and they are no longer vulnerable, either to the above or to the more recent DSA-3240-1 curl security update (https://lists.debian.org/debian-security-announce/2015/msg00128.html)

Is there a build log anywhere that lists all versions installed by apt-get? Is there a history of those images anywhere (i.e. previous image ID tags)?

yosifkit commented 9 years ago

Sorry, no history of old image IDs. But that seems like it could be useful to have.

tianon commented 8 years ago

This particular issue is definitely long-since solved. :+1:

Regarding history of images (IDs, etc), we do have https://github.com/docker-library/repo-info/blob/6c0b758a05c294a6682b83895b6da78712acf24e/repos/buildpack-deps/tag-details.md now, and walking backwards through the Git history of that file should provide some amount of useful historical data about both image IDs and even more usefully content digests (which can be used to pull those older image contents). :+1: