Apache HTTP Server 2.4.58 security fixes for: CVE-2023-45802, CVE-2023-43622, and CVE-2023-31122

[adeleke-aat]

Apache HTTP Server 2.4.58 was released on 19/10/23 which includes security fixes for CVE-2023-45802, CVE-2023-43622, and CVE-2023-31122

[yosifkit]

The php images just use Apache HTTP server from Debian packages and there are no fixes available, so there is nothing we can do to update the image. (The Debian Security Team is very good at applying fixes for important security updates; I am unsure why there is no message as to why they are not fixed.)

• https://security-tracker.debian.org/tracker/CVE-2023-45802
• https://security-tracker.debian.org/tracker/CVE-2023-43622
• https://security-tracker.debian.org/tracker/CVE-2023-31122

[adeleke-aat]

Okay, thanks for the response.

[tianon]

See also https://github.com/docker-library/faq#why-does-my-security-scanner-show-that-an-image-has-cves

[webaholik]

@yosifkit - This may need to be reopened at this point these 3 CVEs shouldn't continue to sit around. The Docker image for httpd:latest also uses Debian, and they have Apache 2.4.58 included.

Please review:

• https://hub.docker.com/layers/library/httpd/latest/images/sha256-ecf19d91df773a43b1df424b77dfe42e992129de74919ce40f764f57e1f1fe85?context=explore
• https://github.com/docker-library/httpd/blob/89aed068235d9a480f245e03edf038621ab8ed8f/2.4/Dockerfile

[tianon]

We get our builds of Apache2 from Debian, and the Debian Security Team have declined to fix these (" (Minor issue)" as noted above), and Docker Hub's vulnerability scanning takes this into account: https://hub.docker.com/layers/library/php/apache/images/sha256-ebaa9b96a98463fe81241d70b37e24b3ed885706349aaa55aa43c475704f5c22?context=explore (this is the current php:apache on amd64 -- note these three are not listed there either)