Closed: abinet closed this 2 years ago
+1 I can confirm that these are fixed in buildpack-deps. The current images need to be rebuilt.
The fix is not in buildpack-deps, otherwise it would already be in the openjdk image. All official-images trigger rebuilds of dependent images.
```console
$ docker pull buildpack-deps:bullseye-scm
bullseye-scm: Pulling from library/buildpack-deps
0c6b8ff8c37e: Already exists
412caad352a3: Already exists
e6d3e61f7a50: Already exists
461bb1d8c517: Already exists
Digest: sha256:8e8613840d8cc7ad4e0bc47ade2080d86a04c7cd6903fe4522975720ad393bad
Status: Downloaded newer image for buildpack-deps:bullseye-scm
docker.io/library/buildpack-deps:bullseye-scm
$ docker run -it --rm buildpack-deps:bullseye-scm
root@fe9164b7970a:/# apt update
Get:1 http://deb.debian.org/debian bullseye InRelease [116 kB]
Get:2 http://security.debian.org/debian-security bullseye-security InRelease [44.1 kB]
Get:3 http://deb.debian.org/debian bullseye-updates InRelease [39.4 kB]
Get:4 http://security.debian.org/debian-security bullseye-security/main amd64 Packages [120 kB]
Get:5 http://deb.debian.org/debian bullseye/main amd64 Packages [8183 kB]
Get:6 http://deb.debian.org/debian bullseye-updates/main amd64 Packages [2596 B]
Fetched 8505 kB in 1s (7287 kB/s)
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
1 package can be upgraded. Run 'apt list --upgradable' to see it.
root@fe9164b7970a:/# apt list --upgradable
Listing... Done
libexpat1/stable-security 2.2.10-2+deb11u2 amd64 [upgradable from: 2.2.10-2]
N: There is 1 additional version. Please use the '-a' switch to see it
```
As for the CVEs, my comment is still the same as https://github.com/docker-library/python/issues/699#issuecomment-1040583314. As luck would have it, we will likely be doing the regular Debian rebuild in the next few days. Once it is merged to https://github.com/docker-library/official-images, this would trigger rebuilds of all images FROM it, recursively. The rebuilds usually take a few days to complete all of them.
I see where I confused myself...
The CVEs in question are for libexpat1, as you stated above. I ran a scan against buildpack-deps:bullseye-curl, the FROM line in OpenJDK. When that scan came back clean, I assumed it was fixed in buildpack-deps:bullseye-curl.
It turns out that libexpat1 is not installed in buildpack-deps:bullseye-curl. libexpat1 gets installed as a dependency of fontconfig.
I think a rebuild of the bullseye OpenJDK would fix these CVEs.
https://snyk.io/test/docker/openjdk%3A11-jre-bullseye
https://security.snyk.io/vuln/SNYK-DEBIAN11-EXPAT-2331802