search

docker-library / python

Docker Official Image packaging for Python
https://www.python.org/
MIT License
2.5k stars 1.04k forks source link

There are two new CVEs in open-ssh used by at least shared-tag `3.9`. #896

Open mmynsted opened 6 months ago

mmynsted commented 6 months ago

https://github.com/docker-library/python/blob/2d31ccc9f8487908ded7944a54b8e923eff9ad1f/3.9/bookworm/Dockerfile

CVE-2023-28531

CVE-2023-51385

These two cve's have been found in the python:3.9 container. Both are critical. Remediation requires openssh 9.6 or better. The manifest shows 8.4 being in use.

wimaac commented 6 months ago

Seeing the same issue. Looks like it's the underlying debian version being used?

mmynsted commented 6 months ago

@wimaac, I expect that is true. Both appear to have resolutions. https://security-tracker.debian.org/tracker/source-package/openssh

Perhaps the fix for the Python image is to update to use a resource in fixed status?

LaurentGoderre commented 6 months ago

This is going to be fixed when buildpack-deps ios updated.

mmynsted commented 6 months ago

Is that on a schedule, or when does that happen?

yosifkit commented 6 months ago

Background:

Tags in the [official-images] library file[s] are only built through an update to that library file or as a result of its base image being updated (ie, an image FROM debian:bookworm would be rebuilt when debian:bookworm is built).

-https://github.com/docker-library/official-images/tree/2f086314307c04e1de77f0a515f20671e60d40bb#library-definition-files

Official Images FAQ:

Though not every CVE is removed from the images, we take CVEs seriously and try to ensure that images contain the most up-to-date packages available within a reasonable time frame

- https://github.com/docker-library/faq/tree/0ad5fd60288109c875a54a37f6581b2deaa836db#why-does-my-security-scanner-show-that-an-image-has-cves

To ensure that we don't push contentless image changes, we rely on periodic base image updates.

We strive to publish updated images at least monthly for Debian. We also rebuild earlier if there is a critical security need. Many Official Images are maintained by the community or their respective upstream projects, like Ubuntu, Alpine, and Oracle Linux, and are subject to their own maintenance schedule.

- from the same FAQ link

So, there will likely be a debian rebuild in the coming week or two which would then cause a rebuild of all Official Images from it (like buildpack-deps and python).

wimaac commented 6 months ago

Thanks for the updates!