Closed infa-kvelladurai closed 1 year ago
Hi Team, please review this issue.
Hi Team,
Do you have any update on this vuln to fix in the next release?
Most of these are false positives (not vulnerable to the CVE or the CVE is not valid) and so will not have any updates for these CVEs. Others, like 2011-4116, are low security and have never even had a fix in the upstream project. If the scanner reports that fixes aren't available, then that means there is nothing we can do about them; we can't update Debian-provided packages without a fix existing in Debian.
DISPUTED
Debian builds are compiled using --with-libpam and explicitly passing --disable-account-tools-setuid
DISPUTED
DISPUTED
This is not a vulnerability in libgcrypt, but in an application using it in an insecure manner
non-issue, codepath is only run on trusted input, potential integer overflow is non-issue
Not treated as a vulnerability: https://sourceware.org/glibc/wiki/Security%20Exceptions
http://thread.gmane.org/gmane.comp.security.oss.general/6174/focus=6177
https://github.com/Perl-Toolchain-Gang/File-Temp/issues/14
Official Images FAQ:
Though not every CVE is removed from the images, we take CVEs seriously and try to ensure that images contain the most up-to-date packages available within a reasonable time frame
To ensure that we don't push contentless image changes, we rely on periodic base image updates.
We strive to publish updated images at least monthly for Debian. We also rebuild earlier if there is a critical security need. Many Official Images are maintained by the community or their respective upstream projects, like Ubuntu, Alpine, and Oracle Linux, and are subject to their own maintenance schedule.
- from the same FAQ link
Hi, the CVEs below are reported in the latest 1.6.21 image. They are reported as non-fixable. Can you please let us know if there is any fix available for them? If not, we will mark them as not fixable or false positives until we have a fix for them.
CVE-2019-9192 CVE-2019-19882 CVE-2019-1010023 CVE-2019-1010022 CVE-2018-6829 CVE-2018-5709 CVE-2018-20796 CVE-2011-4116