Closed aderigs closed 2 years ago
https://linux.oracle.com/errata/ELSA-2021-9344.html lists the related CVE's for glibc
https://security-tracker.debian.org/tracker/CVE-2016-10228 Fixed in 2.31-13 for Bullseye
https://security-tracker.debian.org/tracker/CVE-2019-9169 Fixed in both Debian variants
https://security-tracker.debian.org/tracker/CVE-2020-27618 Fixed in 2.31-13 for Bullseye
https://security-tracker.debian.org/tracker/CVE-2021-3326 Fixed in 2.31-13 for Bullseye
https://security-tracker.debian.org/tracker/CVE-2019-25013 Fixed in 2.31-13 for Bullseye
$ docker run -it --rm openjdk:17-bullseye bash
root@cd79b8d98f93:/# ldd --version
ldd (Debian GLIBC 2.31-13) 2.31
$ docker run -it --rm openjdk:16-bullseye bash
root@3230c643895e:/# ldd --version
ldd (Debian GLIBC 2.31-13) 2.31
There's quite a few variants to pick from so you'll want to check with the respective OS that each is using to see what you'd prefer
See also https://github.com/docker-library/faq#why-does-my-security-scanner-show-that-an-image-has-cves and https://github.com/docker-library/openjdk/issues/449#issuecomment-763027011, https://github.com/docker-library/postgres/issues/286#issuecomment-302512767, docker-library/openjdk#161, docker-library/openjdk#112, docker-library/postgres#286, docker-library/drupal#84, docker-library/official-images#2740, docker-library/ruby#117, docker-library/ruby#94, docker-library/python#152, docker-library/php#242, docker-library/buildpack-deps#46, docker-library/openjdk#185.
A CVE doesn't imply having an actual vulnerability, and often is even a false positive (given how most distributions handle versioning/security updates in stable releases). If there are actionable items we can resolve, we're happy to do so (and do so actively). We update all Debian based images to include any updates in apt packages at least monthly (we regenerate the base images and then rebuild all dependent images).
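The comments above make two points: Debian ships glibc as upstream 2.31 with security fixes backported into the package revision (2.31-13), and a scanner that only looks at the upstream "2.31" cannot tell a patched package from an unpatched one. The script below, an added example that is not part of the issue thread or of the docker-library project, implements dpkg's version ordering in Python and checks the `ldd --version` output shown above against the fixed versions quoted from the Debian security tracker. The `FIXED_IN_BULLSEYE` table contains only the four CVEs for which the thread gives a version (2.31-13); the sample `ldd` lines are copied from the thread, and the comparison algorithm follows the published dpkg rules (epoch, upstream, revision; `~` sorts before anything, letters before non-letters).

```python
import re

# Fixed versions quoted in the thread from security-tracker.debian.org (bullseye).
# CVE-2019-9169 is omitted: the thread gives no version for it.
FIXED_IN_BULLSEYE = {
    "CVE-2016-10228": "2.31-13",
    "CVE-2020-27618": "2.31-13",
    "CVE-2021-3326": "2.31-13",
    "CVE-2019-25013": "2.31-13",
}


def _order(s, i):
    """dpkg's character weight: end-of-string/digit 0, '~' -1, letters by
    code point, everything else after letters."""
    if i >= len(s):
        return 0
    c = s[i]
    if c == "~":
        return -1
    if c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _compare_fragment(a, b):
    """Compare one upstream-or-revision fragment the way dpkg's verrevcmp does:
    alternate runs of non-digits (by weight) and digits (numerically)."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac, bc = _order(a, i), _order(b, j)
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and a[i].isdigit() and j < len(b) and b[j].isdigit():
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i].isdigit():
            return 1   # a has more digits in this run: it is numerically larger
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def _split(version):
    """Split 'epoch:upstream-revision' into its three parts."""
    epoch = 0
    if ":" in version:
        e, version = version.split(":", 1)
        epoch = int(e)
    upstream, _, revision = version.rpartition("-") if "-" in version else (version, "", "")
    return epoch, upstream, revision


def compare_versions(a, b):
    """Return -1, 0 or 1 like 'dpkg --compare-versions a lt/eq/gt b'."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    if ea != eb:
        return (ea > eb) - (ea < eb)
    r = _compare_fragment(ua, ub) or _compare_fragment(ra, rb)
    return (r > 0) - (r < 0)


def debian_glibc_version(ldd_first_line):
    """Extract the full Debian package version from the first 'ldd --version' line."""
    m = re.search(r"\(Debian GLIBC ([^)]+)\)", ldd_first_line)
    if not m:
        raise ValueError("not a Debian glibc: %r" % ldd_first_line)
    return m.group(1)


def upstream_version(debian_version):
    """The part a version-only scanner sees (2.31 for both 2.31-12 and 2.31-13)."""
    return _split(debian_version)[1]


def triage(ldd_first_line, fixed_in=FIXED_IN_BULLSEYE):
    """Map each CVE to True when the installed package is at or past its fixed version."""
    installed = debian_glibc_version(ldd_first_line)
    return {cve: compare_versions(installed, fixed) >= 0 for cve, fixed in fixed_in.items()}


if __name__ == "__main__":
    # Lines copied from the thread's openjdk:17-bullseye / openjdk:16-bullseye output.
    for line in ("ldd (Debian GLIBC 2.31-13) 2.31", "ldd (Debian GLIBC 2.31-13) 2.31"):
        print(line, "->", triage(line))
```

`triage` answers the question in the thread for a given image: run `ldd --version` inside the container and feed the first line in. Everything the fix status depends on lives in the `-13` revision, which `upstream_version` discards, so a scanner matching on "2.31" alone will keep reporting these CVEs after they are fixed.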
For some time now the aws ecr image-scan finds a vulnerability for openjdk:16 and openjdk:17. If you would put openjdk:latest into your private aws ecr you could reproduce this by calling:
Do you know something about this? Is it a false positive?