Closed missingdays closed 4 years ago
See https://github.com/docker-library/postgres/issues/286#issuecomment-302512767, docker-library/openjdk#161, docker-library/openjdk#112, docker-library/postgres#286, docker-library/drupal#84, docker-library/official-images#2740, docker-library/ruby#117, docker-library/ruby#94, docker-library/python#152, docker-library/php#242, docker-library/buildpack-deps#46, docker-library/openjdk#185, and https://github.com/docker-library/faq#why-does-my-security-scanner-show-that-an-image-has-so-many-cves
A CVE doesn't imply having an actual vulnerability, and often is even a false positive (given how most distributions handle versioning/security updates in stable releases). If there are actionable items we can resolve, we're happy to do so (and do so actively). We update all Debian based images to include any updates in apt packages at least monthly (we regenerate the base images and then rebuild all dependent images).
- https://security-tracker.debian.org/tracker/CVE-2017-18018: unfixed
  > Neutralised by kernel hardening
- https://security-tracker.debian.org/tracker/CVE-2017-12814: fixed, Windows-specific issue
- https://security-tracker.debian.org/tracker/CVE-2017-12837: fixed 5.24.1-3+deb9u5
- https://security-tracker.debian.org/tracker/CVE-2017-12883: fixed, Windows-specific issue
- https://security-tracker.debian.org/tracker/CVE-2018-6797: vulnerable in jessie, which we don't have a variant of (Regular security support updates have been discontinued as of June 17th, 2018.)
- https://security-tracker.debian.org/tracker/CVE-2018-6798: fixed 5.24.1-3+deb9u5
- https://security-tracker.debian.org/tracker/CVE-2018-6913: fixed 5.24.1-3+deb9u5
- https://security-tracker.debian.org/tracker/CVE-2018-12015: fixed 5.24.1-3+deb9u5
- https://security-tracker.debian.org/tracker/CVE-2018-18311: vulnerable in jessie, which we don't have a variant of
- https://security-tracker.debian.org/tracker/CVE-2018-18312: fixed 5.24.1-3+deb9u5
- https://security-tracker.debian.org/tracker/CVE-2018-18313: fixed 5.24.1-3+deb9u5
- https://security-tracker.debian.org/tracker/CVE-2013-7338: fixed 2.7.13-2+deb9u3
- https://security-tracker.debian.org/tracker/CVE-2015-5652: NOT-FOR-US: Python on Windows
- https://security-tracker.debian.org/tracker/CVE-2016-1494 (python-rsa): fixed 3.4.2-1
- https://security-tracker.debian.org/tracker/CVE-2017-17522
  > a software maintainer indicates that exploitation is impossible because the code relies on subprocess
- https://security-tracker.debian.org/tracker/CVE-2017-18207
  > the vendor disputes this issue
  > Nonsense report for Python
- https://security-tracker.debian.org/tracker/CVE-2018-1000030: vulnerable, there's nothing actionable for us to do
  > The PSRT has stated that this is not a security vulnerability due to the fact that the attacker must be able to run code
  > No practical security impact, why DWF assigned a CVE ID is hard to tell
- https://security-tracker.debian.org/tracker/CVE-2019-9636: vulnerable, there's nothing actionable for us to do
  > Improper Handling of Unicode Encoding
  > A specially crafted URL could be incorrectly parsed to locate cookies or authentication data and send that information to a different host
- https://security-tracker.debian.org/tracker/CVE-2019-9740: vulnerable, there's nothing actionable for us to do
  > (Minor issue) CRLF injection is possible if the attacker controls a url parameter
- https://security-tracker.debian.org/tracker/CVE-2019-9947: vulnerable, there's nothing actionable for us to do
  > (Minor issue) CRLF injection is possible if the attacker controls a url parameter
- https://security-tracker.debian.org/tracker/CVE-2019-9948: vulnerable, there's nothing actionable for us to do
  > (Minor issue) urllib in Python 2.x through 2.7.16 supports the local_file: scheme, which makes it easier for remote attackers to bypass protection mechanisms that blacklist file
- https://security-tracker.debian.org/tracker/CVE-2017-17512: fixed, 0.0.9+deb9u1
- https://security-tracker.debian.org/tracker/CVE-2018-20482: vulnerable, there's nothing actionable for us to do
  > (Minor issue) when --sparse is used, mishandles file shrinkage during read access, which allows local users to cause a denial of service
- https://security-tracker.debian.org/tracker/CVE-2019-9923: vulnerable, there's nothing actionable for us to do
  > Crash in CLI tool, no security impact
  > pax_decode_header in sparse.c in GNU Tar before 1.32 had a NULL pointer dereference when parsing certain archives that have malformed extended headers.
I don't see anything actionable for us
Thank you for your thorough answer!
I see that in the case of perl@5.24.1-3+deb9u5 and sensible-utils@0.0.9+deb9u1 fixes were backported, but the tool parses these versions as 5.24.1 and 0.0.9 and considers them vulnerable.

In the case of tar, is there a way you could upgrade it to version 1.30+dfsg-6 to fix CVE-2018-20482? I understand that this version is not in the stretch release, but there are ways to install specific packages from newer versions.
No, we aren't going to backport versions of packages just to satisfy a CVE scanner tool -- the tool should be updated to be aware of Debian's version numbering and incorporate the (freely available) Debian security database to determine whether a given CVE is actually actionable.
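What a scanner that "is aware of Debian's version numbering" has to do, as an added example that is not code from the docker-library project or from anyone in this thread: port dpkg's version ordering (deb-version(5): epoch, then upstream, then Debian revision, with `~` sorting before everything and letters before other characters) and compare each installed version against the fixed version or status the Debian security tracker records for that CVE. The tracker excerpt and the scanner findings below are constructed from the versions quoted in this thread; the package keys (e.g. `python` for the `python@2.7.13-2` hit) follow the scanner's naming rather than Debian source-package names, and the status strings are this example's own shorthand.

```python
"""Debian-aware CVE triage (illustrative; not docker-library code)."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


def _isdigit(c: str) -> bool:
    return "0" <= c <= "9"


def _order(c: str) -> int:
    # dpkg's weight for a non-digit position: '~' sorts before everything
    # (even end of string), letters sort before all other characters.
    if c == "" or _isdigit(c):
        return 0
    if ("a" <= c <= "z") or ("A" <= c <= "Z"):
        return ord(c)
    if c == "~":
        return -1
    return ord(c) + 256


def _verrevcmp(a: str, b: str) -> int:
    """Port of dpkg's verrevcmp(): alternate non-digit runs and numeric runs."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        while (i < len(a) and not _isdigit(a[i])) or (j < len(b) and not _isdigit(b[j])):
            ac = _order(a[i] if i < len(a) else "")
            bc = _order(b[j] if j < len(b) else "")
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        while i < len(a) and a[i] == "0":   # leading zeros are insignificant
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and _isdigit(a[i]) and j < len(b) and _isdigit(b[j]):
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and _isdigit(a[i]):   # longer numeric run wins
            return 1
        if j < len(b) and _isdigit(b[j]):
            return -1
        if first_diff:
            return first_diff
    return 0


def parse_version(v: str) -> Tuple[int, str, str]:
    """Split [epoch:]upstream[-debian_revision]; the last '-' starts the revision."""
    epoch = 0
    if ":" in v:
        e, v = v.split(":", 1)
        epoch = int(e)
    if "-" in v:
        upstream, revision = v.rsplit("-", 1)
    else:
        upstream, revision = v, ""
    return epoch, upstream, revision


def compare_versions(a: str, b: str) -> int:
    """<0, 0, >0 like `dpkg --compare-versions a lt/eq/gt b`."""
    ea, ua, ra = parse_version(a)
    eb, ub, rb = parse_version(b)
    if ea != eb:
        return ea - eb
    r = _verrevcmp(ua, ub)
    return r if r != 0 else _verrevcmp(ra, rb)


@dataclass
class Finding:
    package: str
    installed: str
    cve: str


# Constructed tracker excerpt (values are a fixed version or a status keyword).
TRACKER: Dict[Tuple[str, str], str] = {
    ("perl", "CVE-2018-6913"): "5.24.1-3+deb9u5",
    ("perl", "CVE-2017-12814"): "not-affected",          # Windows-specific issue
    ("sensible-utils", "CVE-2017-17512"): "0.0.9+deb9u1",
    ("tar", "CVE-2018-20482"): "unfixed",                # minor, no stretch fix
    ("python", "CVE-2013-7338"): "2.7.13-2+deb9u3",
}
NOT_ACTIONABLE = {"not-affected", "unfixed", "undetermined", "end-of-life"}

# Constructed scanner output, mirroring the package@version hits in this thread.
FINDINGS: List[Finding] = [
    Finding("perl", "5.24.1-3+deb9u5", "CVE-2018-6913"),
    Finding("perl", "5.24.1-3+deb9u5", "CVE-2017-12814"),
    Finding("sensible-utils", "0.0.9+deb9u1", "CVE-2017-17512"),
    Finding("tar", "1.29b-1.1", "CVE-2018-20482"),
    Finding("python", "2.7.13-2", "CVE-2013-7338"),
]


def triage(findings: List[Finding], tracker: Dict[Tuple[str, str], str]) -> List[Tuple[Finding, str]]:
    """Actionable only when the tracker names a fix the installed version is older than."""
    out = []
    for f in findings:
        entry = tracker.get((f.package, f.cve))
        if entry is None:
            verdict = "unknown: not in tracker, review manually"
        elif entry in NOT_ACTIONABLE:
            verdict = f"not actionable ({entry})"
        elif compare_versions(f.installed, entry) >= 0:
            verdict = f"fixed: {f.installed} >= {entry}"
        else:
            verdict = f"actionable: {f.installed} < {entry}"
        out.append((f, verdict))
    return out


if __name__ == "__main__":
    for f, verdict in triage(FINDINGS, TRACKER):
        print(f"{f.package}@{f.installed} {f.cve}: {verdict}")
```

The upstream-only parse the scanner performs (`5.24.1-3+deb9u5` seen as `5.24.1`) throws away exactly the `+deb9u5` part that carries the backported fix, which is why the first two findings come out as false positives there but as `fixed`/`not actionable` here; the tar hit is genuinely unfixed in stretch, and the comparison `1.29b-1.1 < 1.30+dfsg-6` only tells you a newer suite has a fix, not that the tracker considers it actionable for this one.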
We found several vulnerabilities in Cassandra images 3.0 and 3.11. They are mostly coming from the Debian base image.

Is there a way you could either upgrade them to newer versions or remove these packages when building the Docker image?

The full list of found vulnerabilities:

- In package coreutils@8.26-3:
- In package perl@5.24.1-3+deb9u5:
- In package python@2.7.13-2:
- In package sensible-utils@0.0.9+deb9u1:
- In package tar@1.29b-1.1: