greglanthier commented 6 years ago

TL;DR

It would appear that the buildpack-deps:stretch-curl base image contains a version of curl (7.52.1-5+deb9u7) that has a few vulnerabilities (CVE-2018-16839). More discussion on this vulnerability is available here.

This base image is used by a number of other images (including openjdk:8-jdk) that we rely on at work.

A patched version of curl (7.52.1-5+deb9u8) appears to be available. Would it be possible to rebuild the buildpack-deps:stretch-curl image so this update could be picked up?

Steps to reproduce

$ docker run --rm -it buildpack-deps:stretch-curl sh -c "dpkg -s curl | grep '^Version'"
Version: 7.52.1-5+deb9u7
$

More involved steps to reproduce

Use `skopeo` to figure out the most recent sha256 hash for the image:

$ skopeo -override-os linux inspect docker://buildpack-deps:stretch-curl | jq '.Digest'
"sha256:dd5963b4735c6702455e790b301ce267d744336444088e4a827bae6fd11b5d01"
$

Using that hash figure out what version of curl is installed.

$ docker run --rm -it buildpack-deps:stretch-curl@sha256:dd5963b4735c6702455e790b301ce267d744336444088e4a827bae6fd11b5d01 sh -c "dpkg -s curl | grep '^Version'"
Version: 7.52.1-5+deb9u7
$

Do an `apt-get update && apt-get install -y curl` to prove a new version is available

$ docker run --rm -it buildpack-deps:stretch-curl@sha256:dd5963b4735c6702455e790b301ce267d744336444088e4a827bae6fd11b5d01 sh -c "apt-get update && apt-get install -y --no-install-recommends curl && dpkg -s curl | grep '^Version'"
[...]
Setting up curl (7.52.1-5+deb9u8) ...
Version: 7.52.1-5+deb9u8
$

tianon commented 6 years ago

There's a new release of Debian coming this weekend that will result in a rebuild of this image. :+1:

greglanthier commented 6 years ago

It looks like the upstream image changes did the trick.

$ skopeo -override-os linux inspect docker://buildpack-deps:stretch-curl | jq '.Digest'
"sha256:6d12f115a349d7675be5b31f5307779bb856f6cf46cc1f580f9b480dadc42a0b"
$ docker run --rm -it buildpack-deps:stretch-curl@sha256:6d12f115a349d7675be5b31f5307779bb856f6cf46cc1f580f9b480dadc42a0b sh -c "dpkg -s curl | grep '^Version'"
Version: 7.52.1-5+deb9u8
$

Thanks @tianon. I'll close this issue.

docker-library / buildpack-deps

Upgrade to curl 7.52.1-5+deb9u8 or later to address curl vulnerabilities CVE-2018-16839 #85

TL;DR

Steps to reproduce

More involved steps to reproduce

Use `skopeo` to figure out the most recent sha256 hash for the image:

Using that hash figure out what version of curl is installed.

Do an `apt-get update && apt-get install -y curl` to prove a new version is available

docker-library / buildpack-deps

Upgrade to curl 7.52.1-5+deb9u8 or later to address curl vulnerabilities CVE-2018-16839 #85

TL;DR

Steps to reproduce

More involved steps to reproduce

Use skopeo to figure out the most recent sha256 hash for the image:

Using that hash figure out what version of curl is installed.

Do an apt-get update && apt-get install -y curl to prove a new version is available

Use `skopeo` to figure out the most recent sha256 hash for the image:

Do an `apt-get update && apt-get install -y curl` to prove a new version is available