docker-library / openjdk

Docker Official Image packaging for EA builds of OpenJDK from Oracle
http://openjdk.java.net
MIT License

High severity security vulnerabilities with OpenJDK JRE slim 11 #482

Closed Romeh closed 2 years ago

Romeh commented 2 years ago

Hey All,

Any plans to release a patch for the high severity vulnerabilities reported here:

https://snyk.io/test/docker/openjdk%3A11-jre-slim

Thanks a lot for your usual support!

yosifkit commented 2 years ago

Three of them will likely never be fixed (within a Stable release of Debian) as they were deemed a "minor issue" by the Debian Security Team. As for the one with a fix available, that will be automatic when the Debian images are republished and we rebuild all dependent images:

Background:

Tags in the [official-images] library file[s] are only built through an update to that library file or as a result of its base image being updated (ie, an image FROM debian:buster would be rebuilt when debian:buster is built).

- https://github.com/docker-library/official-images/tree/2f086314307c04e1de77f0a515f20671e60d40bb#library-definition-files

Official Images FAQ:

Though not every CVE is removed from the images, we take CVEs seriously and try to ensure that images contain the most up-to-date packages available within a reasonable time frame

- https://github.com/docker-library/faq/tree/6138d05aabf61563606d86f98d0ccbd99f162b33#why-does-my-security-scanner-show-that-an-image-has-cves

Since our build system makes heavy use of Docker build cache, just rebuilding all of the Dockerfiles won't cause any change. So we rely on periodic base image updates.

We strive to publish updated images at least monthly for Debian and Ubuntu. We also rebuild earlier if there is a critical security need. Many Official Images are maintained by the community or their respective upstream projects, like Alpine and Oracle Linux, and are subject to their own maintenance schedule.

- from the same FAQ link
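One practical way to tell whether a dependent tag has already picked up a base-image republish is to check that the base image's layers are still a prefix of the dependent image's layers. The script below is an added illustration, not code from this thread or from docker-library; the `inspect_image`/`built_on` helpers and the sample layer digests are constructed for the example, and the live check assumes the docker CLI is installed and both tags have been pulled.

```python
import json
import subprocess
from typing import List

# Constructed sample `docker image inspect` records (RootFS section only).
# The digests are placeholders, not real layer IDs.
SAMPLE_BASE = {"RootFS": {"Type": "layers", "Layers": ["sha256:aaaa"]}}
# Built on the current base: the base layer is a prefix of its layers.
SAMPLE_CURRENT = {"RootFS": {"Type": "layers",
                             "Layers": ["sha256:aaaa", "sha256:bbbb", "sha256:cccc"]}}
# Built on an older base: the first layer no longer matches the base.
SAMPLE_STALE = {"RootFS": {"Type": "layers",
                           "Layers": ["sha256:0000", "sha256:bbbb", "sha256:cccc"]}}


def layers(inspect: dict) -> List[str]:
    """Return the diff IDs listed under RootFS.Layers of an inspect record."""
    return list(inspect["RootFS"]["Layers"])


def built_on(base: dict, derived: dict) -> bool:
    """True if every layer of `base` is a prefix of `derived`'s layers, i.e. the
    derived image was built FROM this exact base content. Squashed or otherwise
    flattened images do not keep their base layers and are reported as False."""
    b, d = layers(base), layers(derived)
    return len(b) > 0 and len(d) >= len(b) and d[: len(b)] == b


def inspect_image(ref: str) -> dict:
    """Load the metadata of a locally present image via the docker CLI.
    Pull `ref` first so the comparison is against the currently published tag."""
    out = subprocess.check_output(["docker", "image", "inspect", ref])
    return json.loads(out)[0]


def is_current(base_ref: str, derived_ref: str) -> bool:
    """False means the base tag has been republished since the derived tag was
    last built (the rebuild described above has not reached it yet)."""
    return built_on(inspect_image(base_ref), inspect_image(derived_ref))


if __name__ == "__main__":
    # Example use after `docker pull debian:buster-slim openjdk:11-jre-slim`.
    print(is_current("debian:buster-slim", "openjdk:11-jre-slim"))
```

If the result is False, a rescan of the dependent tag after the next rebuild is what closes the gap; rebuilding the Dockerfile locally against a cached base will not.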