Closed infa-dmani closed 1 year ago
Background:
Tags in the [official-images] library file[s] are only built through an update to that library file or as a result of its base image being updated (ie, an image FROM debian:buster would be rebuilt when debian:buster is built).
Official Images FAQ:
Though not every CVE is removed from the images, we take CVEs seriously and try to ensure that images contain the most up-to-date packages available within a reasonable time frame
Since our build system makes heavy use of Docker build cache, just rebuilding all of the Dockerfiles won't cause any change. So we rely on periodic base image updates.
We strive to publish updated images at least monthly for Debian. We also rebuild earlier if there is a critical security need. Many Official Images are maintained by the community or their respective upstream projects, like Ubuntu, Alpine, and Oracle Linux, and are subject to their own maintenance schedule.
- from the same FAQ link
https://security-tracker.debian.org/tracker/CVE-2007-5686
on Debian LOG_UNKFAIL_ENAB in login.defs is set to no so unknown usernames are not recorded on login failures
https://security-tracker.debian.org/tracker/CVE-2007-6755
Unused/broken in OpenSSL, see http://marc.info/?l=openssl-announce&m=138747119822324&w=2
https://security-tracker.debian.org/tracker/CVE-2010-0928
somewhat impractical right now, but the openssl developers are working on a fix just in case
https://security-tracker.debian.org/tracker/CVE-2010-4756
That's standard POSIX behaviour implemented by (e)glibc. Applications using glob need to impose limits for themselves
https://security-tracker.debian.org/tracker/CVE-2011-3389
No mitigation for gnutls, it is recommended to use TLS 1.1 or 1.2 which is supported since 2.0.0
https://security-tracker.debian.org/tracker/CVE-2022-0563
util-linux in Debian does build with readline support but chfn and chsh are provided by src:shadow and util-linux is configured with --disable-chfn-chsh
https://security-tracker.debian.org/tracker/CVE-2020-13529
Generic DHCP protocol issue, negligible security impact
https://security-tracker.debian.org/tracker/CVE-2019-1010025
Not treated as a security issue by upstream
https://security-tracker.debian.org/tracker/CVE-2019-1010024
Not treated as a security issue by upstream
https://security-tracker.debian.org/tracker/CVE-2017-18018
Neutralised by kernel hardening
https://security-tracker.debian.org/tracker/CVE-2013-4235
shadow: TOCTOU (time-of-check time-of-use) race condition when copying and removing directory trees (userdel)
https://security-tracker.debian.org/tracker/CVE-2016-2781
chroot in GNU coreutils ... which pushes characters to the terminal's input buffer
coreutils <ignored> (Minor issue)
chroot is not used in memcached and extremely unlikely to do so with an attached tty
https://security-tracker.debian.org/tracker/CVE-2017-16231
unimportant
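The per-CVE notes above are what the Debian security tracker records for each finding, and the same lookup can be scripted so a scanner's list is sorted into "fixed, wait for the next base-image rebuild", "Debian marks unimportant, no rebuild will clear it", and "open, track it". The following is an added example for this thread, not code from the official-images or memcached maintainers. It assumes the layout of the tracker's JSON feed at https://security-tracker.debian.org/tracker/data/json (package -> CVE -> releases -> suite -> status / urgency / fixed_version, with an optional nodsa note); the excerpt embedded in the script is constructed in that shape so it runs offline, and "examplepkg" / CVE-0000-00001 / CVE-0000-00002 are placeholders, not real packages or CVEs.

```python
"""Triage a scanner's CVE list against the Debian security tracker's JSON feed.

Added example for the thread above, not maintainer code. The live feed is
https://security-tracker.debian.org/tracker/data/json; the excerpt below is
constructed in that shape so the script runs offline. The field names used
(releases, status, urgency, fixed_version, nodsa) are an assumption about the
live feed: re-check them against a fresh download before trusting the output.
"""
import json
import re
from typing import Dict, List, Tuple

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")

# Constructed excerpt in the feed's shape. Where an entry restates a note quoted
# in the thread (e.g. CVE-2022-0563 unimportant) it matches that note; the rest,
# including "examplepkg" and the CVE-0000-* identifiers, is placeholder data
# used only to exercise the "fixed" and "untracked" branches.
SAMPLE_FEED = json.dumps({
    "shadow": {
        "CVE-2007-5686": {"releases": {"bullseye": {
            "status": "open", "urgency": "unimportant"}}},
        "CVE-2013-4235": {"releases": {"bullseye": {
            "status": "open", "urgency": "low"}}},
    },
    "coreutils": {
        "CVE-2016-2781": {"releases": {"bullseye": {
            "status": "open", "urgency": "unimportant", "nodsa": "Minor issue"}}},
    },
    "util-linux": {
        "CVE-2022-0563": {"releases": {"bullseye": {
            "status": "open", "urgency": "unimportant"}}},
    },
    "examplepkg": {
        "CVE-0000-00001": {"releases": {"bullseye": {
            "status": "resolved", "urgency": "high",
            "fixed_version": "1.2-3+deb11u1"}}},
    },
})


def extract_cves(text: str) -> List[str]:
    """Pull CVE ids out of free text (scanner report, issue body), deduplicated, in order."""
    seen, out = set(), []
    for cve in CVE_RE.findall(text):
        if cve not in seen:
            seen.add(cve)
            out.append(cve)
    return out


def index_by_cve(raw_feed: str) -> Dict[str, Tuple[str, dict]]:
    """Invert package->CVE into CVE->(package, record) so scanner ids can be looked up directly.

    A CVE tracked against several source packages keeps the last one seen here;
    extend the value to a list if you need per-package verdicts.
    """
    idx: Dict[str, Tuple[str, dict]] = {}
    for pkg, cves in json.loads(raw_feed).items():
        for cve, rec in cves.items():
            idx[cve] = (pkg, rec)
    return idx


def classify(cve: str, idx: Dict[str, Tuple[str, dict]], suite: str) -> str:
    """Return untracked | not-in-suite | fixed:<pkg> <version> | unimportant | open:<urgency>."""
    if cve not in idx:
        return "untracked"  # Debian does not track this id at all: check the scanner's source
    pkg, rec = idx[cve]
    rel = rec.get("releases", {}).get(suite)
    if rel is None:
        return "not-in-suite"  # tracked, but not for the suite the image is built from
    if rel.get("status") == "resolved":
        # Fixed in the suite: the image picks it up on the next base-image rebuild,
        # so the useful check is "is the installed version >= fixed_version".
        return f"fixed:{pkg} {rel.get('fixed_version', '?')}"
    if rel.get("urgency") == "unimportant":
        # No DSA will be issued (often with a nodsa note); rebuilding never clears this.
        return "unimportant"
    return f"open:{rel.get('urgency') or 'unassigned'}"


def triage(text: str, raw_feed: str = SAMPLE_FEED, suite: str = "bullseye") -> Dict[str, str]:
    """Map every CVE id found in `text` to its verdict for `suite`."""
    idx = index_by_cve(raw_feed)
    return {cve: classify(cve, idx, suite) for cve in extract_cves(text)}


if __name__ == "__main__":
    # Constructed report text in the shape of the issue's CVE list.
    report = ("Scanner flagged CVE-2007-5686 CVE-2013-4235 CVE-2016-2781 "
              "CVE-2022-0563 CVE-0000-00001 CVE-0000-00002")
    for cve, verdict in triage(report).items():
        print(f"{cve}: {verdict}")
```

Swap SAMPLE_FEED for the downloaded feed and the image's actual suite (debian:bullseye, bookworm, ...) and the "unimportant" bucket is the set of findings a rebuild cannot remove, which is the list to hand to whoever owns the scanner policy rather than to the image maintainers.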
Hi, the below CVEs are reported in the latest 1.6.17 image. These need to be taken care of as part of governance, as memcache is being used across our k8s containers:
CVE-2007-5686
CVE-2007-6755
CVE-2010-0928
CVE-2010-4756
CVE-2011-3389
CVE-2022-0563
CVE-2020-13529
CVE-2019-1010025
CVE-2019-1010024
CVE-2017-18018
CVE-2013-4235
CVE-2016-2781
CVE-2017-16231