docker-library / docker

Docker Official Image packaging for Docker
Apache License 2.0

Security fix for `docker:20.10-dind` #415

Closed leomao10 closed 1 year ago

leomao10 commented 1 year ago

Hi there,

We are currently using docker:20.10.23-dind in our product at the moment.

We were notified by Snyk Container that this image contains a vulnerability with the following dependency paths:

Vulnerable Dependency Paths:

```
e2fsprogs/e2fsprogs-libs@1.46.5-r0
e2fsprogs/e2fsprogs@1.46.5-r0 -> e2fsprogs/e2fsprogs-libs@1.46.5-r0
e2fsprogs/e2fsprogs-extra@1.46.5-r0 -> e2fsprogs/e2fsprogs-libs@1.46.5-r0
e2fsprogs/libcom_err@1.46.5-r0
e2fsprogs/e2fsprogs-libs@1.46.5-r0 -> e2fsprogs/libcom_err@1.46.5-r0
e2fsprogs/e2fsprogs@1.46.5-r0 -> e2fsprogs/libcom_err@1.46.5-r0
e2fsprogs/e2fsprogs-extra@1.46.5-r0 -> e2fsprogs/libcom_err@1.46.5-r0
krb5-conf/krb5-conf@1.0-r2 -> krb5/krb5-libs@1.19.3-r0 -> e2fsprogs/libcom_err@1.46.5-r0
e2fsprogs/e2fsprogs@1.46.5-r0
e2fsprogs/e2fsprogs-extra@1.46.5-r0 -> e2fsprogs/e2fsprogs@1.46.5-r0
e2fsprogs/e2fsprogs-extra@1.46.5-r0
```

We also noticed that docker:23.0.0-dind still contains the vulns, but docker:23.0.1-dind already has them fixed. Having said that, I believe upgrading from 20.10.23 to 23.0.0 is a major version upgrade and, going by the release notes, it contains breaking changes. The effort for us to upgrade to 23.0.0 would be quite big, and we want some of the known issues resolved before we migrate to 23.0.

So I was wondering if it is possible for the Docker team to backport the fix for these vulns to docker:20.10, so that those of us who can't upgrade to the latest Docker version yet still get the security patches?

Thanks in advance, and looking forward to your reply.

Leo Liang

tianon commented 1 year ago

I think either your image is outdated or your vulnerability scanner is misfiring:

```
$ docker run -it --rm --pull=always docker:20.10-dind sh
20.10-dind: Pulling from library/docker
Digest: sha256:545bbd72f29603a648b034cbd089c501d67ba20974938151f68be48536e93694
Status: Image is up to date for docker:20.10-dind
/ # apk update
fetch https://dl-cdn.alpinelinux.org/alpine/v3.17/main/x86_64/APKINDEX.tar.gz
fetch https://dl-cdn.alpinelinux.org/alpine/v3.17/community/x86_64/APKINDEX.tar.gz
v3.17.2-237-gdc3ac407b9a [https://dl-cdn.alpinelinux.org/alpine/v3.17/main]
v3.17.2-234-g16d676e6f32 [https://dl-cdn.alpinelinux.org/alpine/v3.17/community]
OK: 17817 distinct packages available
/ # apk list --upgradeable
/ # 
```

leomao10 commented 1 year ago

Ah, sorry, that is our fault; we weren't aware that the image gets updated after the release. Tested it and the vuln is fixed. Thanks for your help. I will close the ticket now.
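As an added example (not code from this thread or from the docker-library project), here is a small Python check in the spirit of tianon's verification above: it takes the dependency paths a scanner reports and the package versions actually installed in a freshly pulled image, and flags findings that are stale because the image already carries a newer package than the one scanned. The `apk info -v` sample and the 1.46.6-r0 versions in it are constructed for illustration, not taken from the page.

```python
import re

# Constructed sample in the shape of the Snyk dependency paths quoted in the first comment.
SNYK_PATHS = """\
e2fsprogs/e2fsprogs-libs@1.46.5-r0
e2fsprogs/e2fsprogs@1.46.5-r0 -> e2fsprogs/e2fsprogs-libs@1.46.5-r0
krb5-conf/krb5-conf@1.0-r2 -> krb5/krb5-libs@1.19.3-r0 -> e2fsprogs/libcom_err@1.46.5-r0
e2fsprogs/e2fsprogs-extra@1.46.5-r0
"""

# Constructed sample of `apk info -v` output from a freshly pulled image (hypothetical versions).
APK_INFO_V = """\
e2fsprogs-libs-1.46.6-r0
libcom_err-1.46.6-r0
krb5-libs-1.19.3-r0
musl-1.2.3-r4
"""

def flagged_leaves(report):
    """The last element of each dependency path is the vulnerable package: {name: version}."""
    leaves = {}
    for line in filter(str.strip, report.splitlines()):
        name, ver = line.split("->")[-1].strip().split("@")
        leaves[name.split("/")[-1]] = ver  # drop the "origin/" prefix, keep the apk package name
    return leaves

def installed_versions(apk_info):
    """Parse `apk info -v` lines of the form name-version-rN into {name: version}."""
    pairs = (re.fullmatch(r"(.+?)-(\d[^-]*-r\d+)", l.strip()) for l in apk_info.splitlines())
    return {m.group(1): m.group(2) for m in pairs if m}

def apk_version_key(ver):
    """Sort key for Alpine versions such as 1.46.5-r0: numeric dotted part, then the -r release."""
    base, _, rel = ver.partition("-r")
    return tuple(int(p) for p in re.findall(r"\d+", base)), int(rel or 0)

def stale_findings(report, apk_info):
    """Flagged packages that the image already carries at a newer version than the scanner saw."""
    inst = installed_versions(apk_info)
    return {pkg: (ver, inst[pkg]) for pkg, ver in flagged_leaves(report).items()
            if pkg in inst and apk_version_key(inst[pkg]) > apk_version_key(ver)}

if __name__ == "__main__":
    print(stale_findings(SNYK_PATHS, APK_INFO_V))
```

Anything returned by `stale_findings` points to a scan of an older image digest rather than a real exposure, which is exactly the mismatch this thread resolved.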