docker-library / php

Docker Official Image packaging for PHP
https://php.net
MIT License

[php:8.3-apache] HIGH Vulnerability on apache <=2.4.57 #1484

Closed cwrx777 closed 5 months ago

cwrx777 commented 5 months ago

Hi,

The following vulnerabilities are found on Apache 2.4.57 which is used in php:8.2-apache and php:8.3-apache.

CVE-2023-31122, CVE-2023-43622, CVE-2023-45802

Please update to apache 2.4.58.

yosifkit commented 5 months ago

None of these are fixed in the Debian package, so there is nothing we can do to update them. The Debian Security Team has marked them as "no-dsa Minor issue", so they are unlikely to backport fixes right now. The "no-dsa" is roughly equivalent to Ubuntu/RedHat/etc marking something as "won't fix", but since Debian is a community driven project, any DD could still propose a backported fix for the package (or later bundled in a fix for a more major security issue).

tianon commented 5 months ago

See also https://github.com/docker-library/faq#why-does-my-security-scanner-show-that-an-image-has-cves

webaholik commented 5 months ago

@yosifkit / @tianon - This may need to be reopened at this point; these 3 CVEs shouldn't continue to sit around. The Docker image for httpd:latest also uses Debian, and they have Apache 2.4.58 included.

Please review:

tianon commented 5 months ago

https://github.com/docker-library/php/issues/1453#issuecomment-1927702379

We get our builds of Apache2 from Debian, and the Debian Security Team have declined to fix these ("Minor issue" as noted above), and Docker Hub's vulnerability scanning takes this into account: https://hub.docker.com/layers/library/php/apache/images/sha256-ebaa9b96a98463fe81241d70b37e24b3ed885706349aaa55aa43c475704f5c22?context=explore (this is the current php:apache on amd64 -- note these three are not listed there either)