docker-library / memcached

Docker Official Image packaging for memcached
http://memcached.org/
BSD 3-Clause "New" or "Revised" License
131 stars 99 forks

Latest 1.6.20 image has CVEs reported #87

Closed infa-rahusingh closed 1 year ago

infa-rahusingh commented 1 year ago

Hi, the CVEs below are reported in the latest 1.6.20 image. These are reported as non-fixable. Can you please let us know if there is any fix available for these? If not, we will mark these as not fixable or false positive until we have a fix for these.

- CVE-2017-11164
- CVE-2017-7245
- CVE-2017-7246
- CVE-2018-20796
- CVE-2018-5709
- CVE-2018-6829
- CVE-2019-1010022
- CVE-2019-1010023
- CVE-2019-19882
- CVE-2019-20838
- CVE-2019-8457
- CVE-2019-9192
- CVE-2020-16156
- CVE-2021-33560

yosifkit commented 1 year ago

There is no fix available for most of these from the Debian packages, as seen on the security tracker, and many are not even treated as a security vulnerability (as seen in their notes):

Some will be fixed by just pulling the image, since it is now based on Debian Bookworm (https://github.com/docker-library/memcached/pull/88). But any still found by security tools will likely* not be fixed.

As a comparison, on even just the first one, it also appears unfixed in Ubuntu: https://ubuntu.com/security/CVE-2017-11164.

Official Images FAQ:

Though not every CVE is removed from the images, we take CVEs seriously and try to ensure that images contain the most up-to-date packages available within a reasonable time frame

- https://github.com/docker-library/faq/tree/0ad5fd60288109c875a54a37f6581b2deaa836db#why-does-my-security-scanner-show-that-an-image-has-cves

To ensure that we don't push contentless image changes, we rely on periodic base image updates.

We strive to publish updated images at least monthly for Debian. We also rebuild earlier if there is a critical security need. Many Official Images are maintained by the community or their respective upstream projects, like Ubuntu, Alpine, and Oracle Linux, and are subject to their own maintenance schedule.

- from the same FAQ link

* There is the remote possibility that someone creates updated packages, convinces the relevant Debian teams and package maintainers to accept them, and finally publishes the fixes into Debian Bookworm.
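The maintainer's answer is essentially a triage procedure: for each scanner finding, look the CVE up in the Debian security tracker for the image's suite, and sort it into "fixed in a newer package (pull the image)", "open but Debian does not treat it as a security issue", "open, no DSA planned" or "open, no fix". The script below is an added example written for this thread; it is not part of docker-library/memcached or of the Debian tracker. It follows the layout of the tracker's JSON feed (https://security-tracker.debian.org/tracker/data/json: source package, then CVE, then per-suite `status`, `urgency`, `fixed_version` and optional `nodsa`), but every package name, CVE id and status in the embedded sample is constructed for the demo and deliberately does not match any CVE listed above; replace `SAMPLE_TRACKER` with the downloaded feed to triage a real scan.

```python
"""Triage container-scanner CVE findings against Debian security tracker data.

Added example for the discussion above, not project code. The record layout
mirrors the tracker's JSON feed; the sample data itself is invented.
"""
import json
from collections import Counter

# Constructed sample in the tracker's layout. Ids and statuses are made up for
# the demo and are NOT real tracker records.
SAMPLE_TRACKER = json.dumps({
    "libfoo": {
        "CVE-1999-0001": {
            "description": "demo: fixed in bookworm",
            "releases": {
                "bookworm": {"status": "resolved", "fixed_version": "1.2.3-1", "urgency": "medium"},
                "bullseye": {"status": "open", "urgency": "medium"},
            },
        },
        "CVE-1999-0002": {
            "description": "demo: Debian does not consider this a security issue",
            "releases": {"bookworm": {"status": "open", "urgency": "unimportant"}},
        },
    },
    "libbar": {
        "CVE-1999-0003": {
            "description": "demo: open, minor, no DSA planned",
            "releases": {"bookworm": {"status": "open", "urgency": "low", "nodsa": "Minor issue"}},
        },
        "CVE-1999-0004": {
            "description": "demo: open with no fix",
            "releases": {"bookworm": {"status": "open", "urgency": "medium"}},
        },
        "CVE-1999-0005": {
            "description": "demo: only tracked for an older suite",
            "releases": {"bullseye": {"status": "open", "urgency": "low"}},
        },
    },
})

# Constructed scanner output: the CVE ids a scanner reported for the image.
# The last id is absent from the tracker on purpose.
SCANNER_FINDINGS = ["CVE-1999-0001", "CVE-1999-0002", "CVE-1999-0003",
                    "CVE-1999-0004", "CVE-1999-0005", "CVE-1999-0009"]


def classify_release(rel):
    """Map one per-suite tracker record to a (verdict, recommended action) pair."""
    if rel is None:
        return ("not-tracked-for-suite",
                "no record for this suite; check whether the scanner matched another release")
    if rel.get("status") == "resolved":
        return ("fixed", "pull/rebuild the image to pick up %s" % rel.get("fixed_version", "?"))
    if rel.get("urgency") == "unimportant":
        return ("not-a-security-issue",
                "Debian rates it unimportant; record as accepted or false positive")
    if "nodsa" in rel:
        return ("open-no-dsa", "no DSA planned (%s); no distro fix expected" % rel["nodsa"])
    return ("open", "no fix available from the distro; accept the risk or mitigate elsewhere")


def triage(findings, tracker_json, suite="bookworm"):
    """Return one row per (CVE, source package) with verdict and action."""
    tracker = json.loads(tracker_json)
    # Index CVE -> [(package, suite record)]; one CVE can affect several source packages.
    index = {}
    for pkg, cves in tracker.items():
        for cve, rec in cves.items():
            index.setdefault(cve, []).append((pkg, rec.get("releases", {}).get(suite)))
    report = []
    for cve in findings:
        hits = index.get(cve)
        if not hits:
            report.append({"cve": cve, "package": None, "verdict": "unknown",
                           "action": "not in the tracker; verify the id against the vendor advisory"})
            continue
        for pkg, rel in hits:
            verdict, action = classify_release(rel)
            report.append({"cve": cve, "package": pkg, "verdict": verdict, "action": action})
    return report


def summarize(report):
    """Count rows per verdict, e.g. {'fixed': 1, 'open': 1, ...}."""
    return dict(Counter(row["verdict"] for row in report))


if __name__ == "__main__":
    rows = triage(SCANNER_FINDINGS, SAMPLE_TRACKER)
    for row in rows:
        print("%-14s %-8s %-22s %s" % (row["cve"], row["package"], row["verdict"], row["action"]))
    print(summarize(rows))
```

Only the `fixed` rows call for action on the image itself (pulling or rebuilding); the other verdicts are what a scanner will keep reporting, and the `action` text is what to record when marking them as accepted or not fixable.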