CVE-2024-37370 and CVE-2024-37371 on 3.11-slim-bullseye and 3.12-slim-bullseye

[jose-cdevx]

Found with trivy by running:

trivy image -f json -o results-trivy.json --scanners vuln --ignore-unfixed --severity MEDIUM,HIGH,CRITICAL --exit-code 1 --timeout 3600s python:3.11-slim-bullseye

trivy convert --format table results-trivy.json

[yosifkit]

See https://github.com/debuerreotype/docker-debian-artifacts/issues/223#issuecomment-2218679099 with the note that the comment was made a week ago, so the next Debian rebuild would be likely sometime next week or possibly the week after at the latest (which would then cause a rebuild of the Debian based python images and they would use updated packages from Debian).

Background:

Tags in the [official-images] library file[s] are only built through an update to that library file or as a result of its base image being updated (i.e., an image FROM debian:bullseye would be rebuilt when debian:bullseye is built).

-https://github.com/docker-library/official-images/tree/2f086314307c04e1de77f0a515f20671e60d40bb#library-definition-files

Official Images FAQ:

Though not every CVE is removed from the images, we take CVEs seriously and try to ensure that images contain the most up-to-date packages available within a reasonable time frame

- https://github.com/docker-library/faq/tree/0ad5fd60288109c875a54a37f6581b2deaa836db#why-does-my-security-scanner-show-that-an-image-has-cves

To ensure that we don't push contentless image changes, we rely on periodic base image updates.

We strive to publish updated images at least monthly for Debian. We also rebuild earlier if there is a critical security need. Many Official Images are maintained by the community or their respective upstream projects, like Ubuntu, Alpine, and Oracle Linux, and are subject to their own maintenance schedule.

- from the same FAQ link

[tianon]

https://github.com/docker-library/official-images/pull/17227 :+1: