docker-library / httpd

Docker Official Image packaging for Apache HTTP Server
https://httpd.apache.org
Apache License 2.0

Various Vulnerabilities in expat@2.4.1-r0 #212

Closed faridnsh closed 2 years ago

faridnsh commented 2 years ago

Hi, Snyk and possibly other scanners report the following in the latest:

✗ Critical severity vulnerability found in expat/expat
  Description: Integer Overflow or Wraparound
  Info: https://snyk.io/vuln/SNYK-ALPINE315-EXPAT-2393733
  Introduced through: expat/expat@2.4.1-r0, apr-util/apr-util@1.6.1-r11
  From: expat/expat@2.4.1-r0
  From: apr-util/apr-util@1.6.1-r11 > expat/expat@2.4.1-r0
  Fixed in: 2.4.4-r0

Lucky for us Alpine has already fixed this: https://git.alpinelinux.org/aports/commit/?id=be41ce63e47acb86474b88f069c75335f69f009a

and I can already see building it again will install the fixed expat@2.4.4-r0 in GitHub Actions: https://github.com/docker-library/httpd/runs/5080563783?check_suite_focus=true

Can the maintainers please push a new build?
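A way to confirm whether a rebuilt image actually picked up the fix, as an added example that is not part of this issue or of the docker-library/httpd project: it parses a Snyk-style finding like the one above and the output of `apk list --installed` from a container, and reports flagged packages still below their "Fixed in" version. Both inputs are constructed samples; the Alpine version comparison is simplified (suffixes such as `_p1` are not ordered the way apk does).

```python
import re

# Constructed sample: the Snyk finding quoted in the issue (abridged).
SNYK_REPORT = """\
✗ Critical severity vulnerability found in expat/expat
  Description: Integer Overflow or Wraparound
  Introduced through: expat/expat@2.4.1-r0, apr-util/apr-util@1.6.1-r11
  From: apr-util/apr-util@1.6.1-r11 > expat/expat@2.4.1-r0
  Fixed in: 2.4.4-r0
"""
# Constructed samples of `apk list --installed` inside an httpd:alpine
# container, before and after the Alpine base image was rebuilt.
APK_BEFORE = """\
apr-util-1.6.1-r11 x86_64 {apr-util} (Apache-2.0) [installed]
expat-2.4.1-r0 x86_64 {expat} (MIT) [installed]
"""
APK_AFTER = APK_BEFORE.replace("expat-2.4.1-r0", "expat-2.4.4-r0")

def alpine_version_key(ver):
    # 'X.Y.Z-rN' -> ((X, Y, Z), N); compares numerically, so 1.6.1-r11 > 1.6.1-r9.
    # Simplified: _p / _alpha suffixes are not ordered the way apk itself does.
    base, _, rel = ver.partition("-r")
    return tuple(int(n) for n in re.findall(r"\d+", base)), int(rel or 0)

def parse_findings(report):
    # Map each flagged package ('found in org/pkg') to its 'Fixed in' version.
    findings, current = {}, None
    for line in report.splitlines():
        if m := re.search(r"vulnerability found in \S+/(\S+)", line):
            current = m.group(1)
        elif (m := re.match(r"\s*Fixed in:\s*(\S+)", line)) and current:
            findings[current] = m.group(1)
    return findings

def parse_apk_list(listing):
    # Map package name -> installed 'version-rN' from `apk list --installed` lines.
    return {m.group(1): m.group(2) for m in
            (re.match(r"(\S+)-(\d[^\s-]*-r\d+)\s", l) for l in listing.splitlines()) if m}

def still_vulnerable(report, listing):
    # (pkg, installed, fixed) for every flagged package still below its fix version.
    installed = parse_apk_list(listing)
    return [(pkg, installed[pkg], fixed)
            for pkg, fixed in parse_findings(report).items()
            if pkg in installed
            and alpine_version_key(installed[pkg]) < alpine_version_key(fixed)]

if __name__ == "__main__":
    print(still_vulnerable(SNYK_REPORT, APK_BEFORE))  # [('expat', '2.4.1-r0', '2.4.4-r0')]
    print(still_vulnerable(SNYK_REPORT, APK_AFTER))   # []
```

To run it against a real image, feed `docker run --rm httpd:alpine apk list --installed` into `still_vulnerable` in place of the constructed listing.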

yosifkit commented 2 years ago

Same comment as https://github.com/docker-library/python/issues/699#issuecomment-1040583314. Once the base image updates, these images will be rebuilt as well.

MaxPeal commented 2 years ago

The base image got updated: https://github.com/docker-library/python/issues/699#issuecomment-1055964957

tianon commented 2 years ago

https://github.com/docker-library/official-images/pull/12055 :+1: