docker-library / httpd

Docker Official Image packaging for Apache HTTP Server
https://httpd.apache.org
Apache License 2.0

Qualys report CVE-2021-3449 CVE-2021-3450 #181

Closed toaigit closed 3 years ago

toaigit commented 3 years ago

According to the Qualys report, the OpenSSL version is 1.1.1d. The fix is to use OpenSSL version 1.1.1k. Can it be built with the latest OpenSSL? Thanks,

wglambert commented 3 years ago

Alpine is on 1.1-1.1.1k-r0

$ docker pull httpd:alpine
alpine: Pulling from library/httpd
540db60ca938: Pull complete 
18462ee9bd70: Pull complete 
e22b7e4a5bff: Pull complete 
b1d3cde24954: Pull complete 
094ee0a58bec: Pull complete 
Digest: sha256:91a58d4287b23dd8a251654c19b0179f225409d2bb482753f2db99ae2dcfcd2f
Status: Downloaded newer image for httpd:alpine
docker.io/library/httpd:alpine

$ docker run -it --rm httpd:alpine sh
/usr/local/apache2 # apk list | grep libssl
WARNING: Ignoring https://dl-cdn.alpinelinux.org/alpine/v3.13/main: No such file or directory
WARNING: Ignoring https://dl-cdn.alpinelinux.org/alpine/v3.13/community: No such file or directory
libssl1.1-1.1.1k-r0 x86_64 {openssl} (OpenSSL) [installed]

/usr/local/apache2 # apk update && apk list --upgradeable
fetch https://dl-cdn.alpinelinux.org/alpine/v3.13/main/x86_64/APKINDEX.tar.gz
fetch https://dl-cdn.alpinelinux.org/alpine/v3.13/community/x86_64/APKINDEX.tar.gz
v3.13.5-132-gf9eb09aed9 [https://dl-cdn.alpinelinux.org/alpine/v3.13/main]
v3.13.5-128-geafb002469 [https://dl-cdn.alpinelinux.org/alpine/v3.13/community]
OK: 13890 distinct packages available
libcurl-7.77.0-r0 x86_64 {curl} (MIT) [upgradable from: libcurl-7.76.1-r0]

1.1.1d-0+deb10u6 is the fixed version for Debian https://security-tracker.debian.org/tracker/CVE-2021-3449

$ docker pull httpd
Using default tag: latest
latest: Pulling from library/httpd
69692152171a: Pull complete 
7284b4e0cc7b: Pull complete 
3678b2d55ccd: Pull complete 
aeb67982a725: Pull complete 
06954f8169fd: Pull complete 
Digest: sha256:48bae0ac5d0d75168f1c1282c0eb21b43302cb1b5c5dc9fa3b4a758ccfb36fe9
Status: Downloaded newer image for httpd:latest
docker.io/library/httpd:latest

$ docker run -it --rm httpd bash
root@176864a80fd3:/usr/local/apache2# apt list | grep ssl

WARNING: apt does not have a stable CLI interface. Use with caution in scripts.

libssl1.1/now 1.1.1d-0+deb10u6 amd64 [installed,local]

root@176864a80fd3:/usr/local/apache2# apt update && apt list --upgradeable
Get:1 http://deb.debian.org/debian buster InRelease [121 kB]
Get:2 http://security.debian.org/debian-security buster/updates InRelease [65.4 kB]
Get:3 http://deb.debian.org/debian buster-updates InRelease [51.9 kB]
Get:4 http://deb.debian.org/debian buster/main amd64 Packages [7907 kB]
Get:5 http://deb.debian.org/debian buster-updates/main amd64 Packages [10.9 kB]
Get:6 http://security.debian.org/debian-security buster/updates/main amd64 Packages [290 kB]
Fetched 8447 kB in 2s (3433 kB/s)                        
Reading package lists... Done
Building dependency tree       
Reading state information... Done
1 package can be upgraded. Run 'apt list --upgradable' to see it.
Listing... Done
liblz4-1/stable 1.8.3-1+deb10u1 amd64 [upgradable from: 1.8.3-1]
N: There is 1 additional version. Please use the '-a' switch to see it

phy25 commented 3 years ago

See also https://github.com/docker-library/faq#why-does-my-security-scanner-show-that-an-image-has-cves
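Added example (editor's code, not from this thread or from the docker-library/httpd project) showing the point the FAQ makes and the thread demonstrates by hand: a scanner that keys on the upstream OpenSSL version string sees "1.1.1d" < "1.1.1k" and flags Debian's `libssl1.1 1.1.1d-0+deb10u6`, while a comparison against the distribution's own fixed version (`1.1.1d-0+deb10u6`, as quoted from the Debian tracker above) reports the package as patched. The version ordering is a port of dpkg's `verrevcmp()` rules; the sample lines are the `apt list` / `apk list` output from the thread, and the Alpine fixed version `1.1.1k-r0` is an assumption (the thread only shows that version installed, not a tracker entry). Applying dpkg ordering to Alpine `X-rN` versions is an approximation that holds for this shape of version string.

```python
"""Distro-aware vs. upstream-only CVE version checks for httpd image packages."""
import re

# Package list lines copied from the thread (constructed sample input).
APT_LINE = "libssl1.1/now 1.1.1d-0+deb10u6 amd64 [installed,local]"
APK_LINE = "libssl1.1-1.1.1k-r0 x86_64 {openssl} (OpenSSL) [installed]"

UPSTREAM_FIXED = "1.1.1k"          # what a version-string scanner compares against
DEBIAN_FIXED = "1.1.1d-0+deb10u6"  # buster fixed version, as quoted from the Debian tracker
ALPINE_FIXED = "1.1.1k-r0"         # assumption: first apk build of upstream 1.1.1k

_APT_RE = re.compile(r"^(?P<name>[^/\s]+)/\S+\s+(?P<version>\S+)\s")
# apk packs name and version together; the version starts at the first '-' followed by a digit.
_APK_RE = re.compile(r"^(?P<name>.+?)-(?P<version>\d\S*)\s")


def parse_apt_list(line):
    """'pkg/suite version arch [...]' -> (pkg, version)."""
    m = _APT_RE.match(line)
    if not m:
        raise ValueError("not an apt list line: %r" % line)
    return m.group("name"), m.group("version")


def parse_apk_list(line):
    """'pkg-version arch {origin} (license) [...]' -> (pkg, version)."""
    m = _APK_RE.match(line)
    if not m:
        raise ValueError("not an apk list line: %r" % line)
    return m.group("name"), m.group("version")


def _order(c):
    """dpkg character weight: '~' sorts before end-of-string, letters before other symbols."""
    if c == "" or c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    if c == "~":
        return -1
    return ord(c) + 256


def _cmp_fragment(a, b):
    """Port of dpkg verrevcmp(): alternate non-digit runs (by _order) and digit runs (numerically)."""
    ia = ib = 0
    while ia < len(a) or ib < len(b):
        first_diff = 0
        while (ia < len(a) and not a[ia].isdigit()) or (ib < len(b) and not b[ib].isdigit()):
            ac = _order(a[ia] if ia < len(a) else "")
            bc = _order(b[ib] if ib < len(b) else "")
            if ac != bc:
                return -1 if ac < bc else 1
            ia += 1
            ib += 1
        while ia < len(a) and a[ia] == "0":   # leading zeros are insignificant
            ia += 1
        while ib < len(b) and b[ib] == "0":
            ib += 1
        while ia < len(a) and ib < len(b) and a[ia].isdigit() and b[ib].isdigit():
            if first_diff == 0:
                first_diff = ord(a[ia]) - ord(b[ib])
            ia += 1
            ib += 1
        if ia < len(a) and a[ia].isdigit():   # longer digit run wins
            return 1
        if ib < len(b) and b[ib].isdigit():
            return -1
        if first_diff:
            return -1 if first_diff < 0 else 1
    return 0


def parse_version(v):
    """'[epoch:]upstream[-revision]' -> (epoch, upstream, revision)."""
    epoch = 0
    if ":" in v:
        e, v = v.split(":", 1)
        epoch = int(e)
    if "-" in v:
        upstream, revision = v.rsplit("-", 1)
    else:
        upstream, revision = v, ""
    return epoch, upstream, revision


def compare_versions(a, b):
    """-1, 0 or 1, like `dpkg --compare-versions`."""
    ea, ua, ra = parse_version(a)
    eb, ub, rb = parse_version(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _cmp_fragment(ua, ub) or _cmp_fragment(ra, rb)


def assess(installed, upstream_fixed, distro_fixed):
    """naive: upstream part only (what the scanner does); distro_aware: full version vs distro fix."""
    return {
        "naive": compare_versions(parse_version(installed)[1], upstream_fixed) < 0,
        "distro_aware": compare_versions(installed, distro_fixed) < 0,
    }


if __name__ == "__main__":
    for label, (name, ver), fixed in (
        ("debian buster", parse_apt_list(APT_LINE), DEBIAN_FIXED),
        ("alpine 3.13", parse_apk_list(APK_LINE), ALPINE_FIXED),
    ):
        print(label, name, ver, assess(ver, UPSTREAM_FIXED, fixed))
```

Run as-is it reports the Debian package as vulnerable under the naive check and fixed under the distro-aware one, and the Alpine package as fixed under both; feeding it `1.1.1d-0+deb10u5` instead shows a genuinely unpatched buster package flagged by both checks, which is the distinction a scanner has to make before the report is worth acting on.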