Vulnerable components (CVEs) in docker images

According to Docker Store, the latest 9.6.3 has 4 vulnerable components:

In Bash: CVE-2017-5932 The path autocompletion feature in Bash 4.4 allows local users to gain privileges via a crafted filename starting with a " (double quote) character and a command substitution metacharacter.

CVE-2016-9401 popd in bash might allow local users to bypass the restricted shell and cause a use-after-free via a crafted address.

In pcre: CVE-2015-3217 PCRE 7.8 and 8.32 through 8.37, and PCRE2 10.10 mishandle group empty matches, which might allow remote attackers to cause a denial of service (stack-based buffer overflow) via a crafted regular expression, as demonstrated by /^(?:(?(1)\.|([^\\W_])?)+)+$/.

CVE-2017-6004 The compile_bracket_matchingpath function in pcre_jit_compile.c in PCRE through 8.x before revision 1680 (e.g., the PHP 7.1.1 bundled version) allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via a crafted regular expression.

In expat: CVE-2016-6702 A remote code execution vulnerability in libjpeg in Android 4.x before 4.4.4, 5.0.x before 5.0.2, and 5.1.x before 5.1.1 could enable an attacker using a specially crafted file to execute arbitrary code in the context of an unprivileged process. This issue is rated as High due to the possibility of remote code execution in an application that uses libjpeg. Android ID: A-30259087.

In libxml2: CVE-2016-4448 CVE-2016-9318 CVE-2017-8872 CVE-2015-6838 CVE-2015-6837 CVE-2017-5969

Full details of scan (Requires logging in with your Docker Hub account): https://store.docker.com/images/postgres/plans/cfa7881b-dad1-4d72-8dca-58b5d15bfc71/scans/library/postgres/9.6.3

We get these reports quite often, and they usually involve a large amount of digging which ends up in very little which is actionable. See the list below for an example of where I dove into a lot of these reports and found most of them to be either false positives or out of our hands (because Debian upstream hasn't patched the vulnerabilities, usually because they looked into it and deemed it to be a minor issue).

If there are actionable items we can resolve, we're happy to do so (and do so actively). We update all Debian based images to include any updates in apt packages at least monthly (we regenerate the base images and then rebuild all dependent images).

CVE-2017-5932, fixed in the version that is installed, https://security-tracker.debian.org/tracker/CVE-2017-5932
CVE-2016-9401, "[jessie] - bash (Minor issue)", https://security-tracker.debian.org/tracker/CVE-2016-9401. In other words the Debian Security Team has decided not to port the upstream fixes to the version available in Debian Jessie (RedHat has also not published a fix for bash in RHEL 7).
CVE-2015-3217, "[jessie] - pcre3 (Minor issue)",, https://security-tracker.debian.org/tracker/CVE-2015-3217 (many of the RedHat packages with this CVE are "will not fix" for RHEL 7)
CVE-2017-6004, fixed in the version that is installed, https://security-tracker.debian.org/tracker/CVE-2017-6004
CVE-2016-6702, not applicable to Debian since it is an Android specific patch, https://security-tracker.debian.org/tracker/CVE-2016-6702
CVE-2016-4448, "Minor impact; too intrusive to backport", https://security-tracker.debian.org/tracker/CVE-2016-4448
CVE-2016-9318, "[jessie] - libxml2 (Minor issue)", https://security-tracker.debian.org/tracker/CVE-2016-9318
CVE-2017-8872, [jessie] - libxml2 (Minor issue)", https://security-tracker.debian.org/tracker/CVE-2017-8872
CVE-2015-6838, PHP bug not libxml2, https://security-tracker.debian.org/tracker/CVE-2015-6838
CVE-2015-6837, PHP bug not libxml2, https://security-tracker.debian.org/tracker/CVE-2015-6837
CVE-2017-5969, "[jessie] - libxml2 (Minor issue, only a denial-of-service when using recover mode)" https://security-tracker.debian.org/tracker/CVE-2017-5969

docker-library / postgres

Vulnerable components (CVEs) in docker images #286