docker-library / rabbitmq

Docker Official Image packaging for RabbitMQ
http://www.rabbitmq.com/
MIT License

rabbitmq - alpine - CVE-2024-45490, CVE-2024-45491, CVE-2024-45492 #722

Closed sherifkayad closed 2 months ago

sherifkayad commented 2 months ago

Currently the RabbitMQ Alpine image (in the most recent 3.13.7 version) is reporting the following 3 critical vulnerabilities:

Seems like all 3 are caused by libexpat, and in version 2.6.3-r0 they seem to be fixed. Not sure if I should report this issue here or rather in the alpine project.

lukebakken commented 2 months ago

Erlang does not use libexpat, and thus, neither does RabbitMQ. In addition, there's not really anything this project can do but wait for a newer Alpine release to use.

tianon commented 2 months ago

You might also find the information in https://github.com/docker-library/faq#why-does-my-security-scanner-show-that-an-image-has-cves helpful.
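The practical question behind this thread is whether the libexpat package in the image is at or above the fixed Alpine build, and whether anything in the image actually depends on it. The script below is an added example, not code from the docker-library/rabbitmq project or from anyone in the thread. It compares Alpine package versions of the `X.Y.Z-rN` form against the `2.6.3-r0` fix version quoted in the issue, parses a constructed `apk list --installed` line, and (only when `RUN_IMAGE_CHECK=1` is set and Docker is available) runs the real check inside the image; the `rabbitmq:3.13.7-alpine` tag is an assumption based on the version named in the report.

```shell
#!/bin/sh
# Added example (not from the docker-library/rabbitmq project): check whether the
# installed libexpat package version is at or above the Alpine build the issue
# says carries the fix, and show what in the image depends on it.
set -eu

FIXED_EXPAT="2.6.3-r0"   # fixed libexpat build quoted in the issue

# Compare two Alpine package versions of the form X.Y.Z-rN.
# Prints -1, 0 or 1 (left < right, equal, left > right). Handles only the
# numeric dotted form plus the -rN release suffix, which is enough here.
apk_vercmp() {
    a_base=${1%-r*}; a_rel=${1#*-r}
    b_base=${2%-r*}; b_rel=${2#*-r}
    [ "$a_rel" != "$1" ] || a_rel=0   # no -r suffix present
    [ "$b_rel" != "$2" ] || b_rel=0
    a=$a_base; b=$b_base
    # Walk the dotted components left to right; a missing component counts as 0.
    while [ -n "$a" ] || [ -n "$b" ]; do
        ac=${a%%.*}; bc=${b%%.*}
        : "${ac:=0}"; : "${bc:=0}"
        if [ "$ac" -lt "$bc" ]; then echo -1; return 0; fi
        if [ "$ac" -gt "$bc" ]; then echo 1; return 0; fi
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    if [ "$a_rel" -lt "$b_rel" ]; then echo -1
    elif [ "$a_rel" -gt "$b_rel" ]; then echo 1
    else echo 0
    fi
}

# Succeeds when the given libexpat version is at or above the fixed build.
expat_is_fixed() {
    [ "$(apk_vercmp "$1" "$FIXED_EXPAT")" -ge 0 ]
}

# Reads `apk list --installed libexpat` output on stdin and prints the
# installed version (e.g. "2.6.2-r0"); fails if libexpat is not listed.
expat_version_from_apk_list() {
    while IFS= read -r line; do
        case $line in
            libexpat-*)
                pkg=${line%% *}          # "libexpat-2.6.2-r0"
                echo "${pkg#libexpat-}"  # "2.6.2-r0"
                return 0 ;;
        esac
    done
    return 1
}

# Constructed sample of an `apk list --installed libexpat` line (not captured
# from a real image) showing a pre-fix version.
SAMPLE_APK_LIST='libexpat-2.6.2-r0 x86_64 {expat} (MIT) [installed]'

ver=$(printf '%s\n' "$SAMPLE_APK_LIST" | expat_version_from_apk_list)
if expat_is_fixed "$ver"; then
    echo "libexpat $ver: at or above $FIXED_EXPAT, the three CVEs do not apply"
else
    echo "libexpat $ver: below $FIXED_EXPAT, scanner findings are expected"
fi

# Live check against a real image. Off by default; set RUN_IMAGE_CHECK=1 with
# Docker available. IMAGE is an assumed tag derived from the version in the issue.
# `apk info -r` lists the packages that require libexpat, which is how to verify
# the statement that nothing Erlang-related links it.
if [ "${RUN_IMAGE_CHECK:-0}" = 1 ]; then
    IMAGE=${IMAGE:-rabbitmq:3.13.7-alpine}
    docker run --rm "$IMAGE" sh -c 'apk list --installed libexpat; apk info -r libexpat'
fi
```

Run it as-is to see the version logic on the constructed sample; run with `RUN_IMAGE_CHECK=1` to query an actual image, and compare the installed version and the reverse-dependency list with the scanner's report before deciding whether a finding is reachable.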