vulnerabilities in openjdk 8jdk

[gilbert-sam-tm]

Associated with python version 2.7.16 CVE-2019-9636 CVE-2019-9948

[wglambert]

Try re-pulling the image, the latest python version is at 2.7.16-2+deb10u1 which has the fixes for those vulnerabilities https://security-tracker.debian.org/tracker/CVE-2019-9636 https://security-tracker.debian.org/tracker/CVE-2019-9948

 docker run -it --rm openjdk:8-jdk
Unable to find image 'openjdk:8-jdk' locally
8-jdk: Pulling from library/openjdk
d960726af2be: Pull complete 
e8d62473a22d: Pull complete 
8962bc0fad55: Pull complete 
65d943ee54c1: Pull complete 
da20b77f10ac: Pull complete 
fb6a778e6477: Pull complete 
ae7884f0e61b: Pull complete 
Digest: sha256:1911133c41c4858a1c1c9607d086e58d9cfea40fb20b0b8a987cca1c0155846e
Status: Downloaded newer image for openjdk:8-jdk

root@8bdbc7b42721:/# apt list  | grep python

WARNING: apt does not have a stable CLI interface. Use with caution in scripts.

libpython-stdlib/now 2.7.16-1 amd64 [installed,local]
libpython2-stdlib/now 2.7.16-1 amd64 [installed,local]
libpython2.7-minimal/now 2.7.16-2+deb10u1 amd64 [installed,local]
libpython2.7-stdlib/now 2.7.16-2+deb10u1 amd64 [installed,local]
python-minimal/now 2.7.16-1 amd64 [installed,local]
python2-minimal/now 2.7.16-1 amd64 [installed,local]
python2.7-minimal/now 2.7.16-2+deb10u1 amd64 [installed,local]
python2.7/now 2.7.16-2+deb10u1 amd64 [installed,local]
python2/now 2.7.16-1 amd64 [installed,local]
python/now 2.7.16-1 amd64 [installed,local]

root@8bdbc7b42721:/# apt update
Get:1 http://deb.debian.org/debian buster InRelease [121 kB]
Get:2 http://security.debian.org/debian-security buster/updates InRelease [65.4 kB]
Get:3 http://deb.debian.org/debian buster-updates InRelease [51.9 kB]
Get:4 http://security.debian.org/debian-security buster/updates/main amd64 Packages [291 kB]
Get:5 http://deb.debian.org/debian buster/main amd64 Packages [7907 kB]
Get:6 http://deb.debian.org/debian buster-updates/main amd64 Packages [10.9 kB]
Fetched 8447 kB in 2s (3867 kB/s)                           
Reading package lists... Done
Building dependency tree       
Reading state information... Done
1 package can be upgraded. Run 'apt list --upgradable' to see it.
root@8bdbc7b42721:/# apt list --upgradeable
Listing... Done
liblz4-1/stable 1.8.3-1+deb10u1 amd64 [upgradable from: 1.8.3-1]
N: There is 1 additional version. Please use the '-a' switch to see it

See also https://github.com/docker-library/faq#why-does-my-security-scanner-show-that-an-image-has-cves And https://github.com/docker-library/openjdk/issues/449#issuecomment-763027011, https://github.com/docker-library/postgres/issues/286#issuecomment-302512767 docker-library/openjdk#161, docker-library/openjdk#112, docker-library/postgres#286, docker-library/drupal#84, docker-library/official-images#2740, docker-library/ruby#117, docker-library/ruby#94, docker-library/python#152, docker-library/php#242, docker-library/buildpack-deps#46, docker-library/openjdk#185.

A CVE doesn't imply having an actual vulnerability, and often is even a false positive (given how most distributions handle versioning/security updates in stable releases). If there are actionable items we can resolve, we're happy to do so (and do so actively). We update all Debian based images to include any updates in apt packages at least monthly (we regenerate the base images and then rebuild all dependent images).

[gilbert-sam-tm]

Thanks! I pulled the latest image and saw the updated versions after running command "apt list | grep python". However when i run the following command "python -V" , it shows: Python 2.7.16

Isn't it supposed to output the latest python version 2.7.16-2+deb10u1 instead?

[tianon]

python -V prints out the version that Python knows, not the Debian package version (which is what 2.7.16-2+deb10u1 is).