docker-library / ruby

Docker Official Image packaging for Ruby
http://www.ruby-lang.org/
BSD 2-Clause "Simplified" License

Alpine 3.16 base image vulnerable to CVE-2023-24056 #402

Closed shodhangk closed 11 months ago

shodhangk commented 1 year ago

The current 3.16 base image is vulnerable to CVE-2023-24056.

The alpine base image has provided the fix but is still not updated in the ruby images.

Can anyone update the ruby:3.0.5-alpine3.16 image?

Issue: (screenshot)
severinkaelin commented 1 year ago

@shodhangk Aren't you referring to the wrong CVE in the title of this issue? According to the screenshot it is CVE-2023-24056.

shodhangk commented 1 year ago


Yeah, I copied the wrong CVE. I have updated the title.

severinkaelin commented 1 year ago


👍 Thanks

I agree, it would be great to see updated images being released. We're currently updating the pkgconf package ourselves in our own Docker images based on the official ruby ones.

tianon commented 1 year ago

This particular defect doesn't seem particularly critical or even relevant for most users of the ruby image? 😅

See https://github.com/docker-library/faq#why-does-my-security-scanner-show-that-an-image-has-cves for some general information about how CVEs are normally handled within the Official Images program (the short version being that they're typically expected to be managed by updates to the base image, although Alpine updates on a bit of a sporadic schedule).

severinkaelin commented 1 year ago


@tianon Thanks for the link and the details on how CVEs are handled. Makes sense! Sure, even though it's a 9.8 critical CVE, it's very likely not that critical for most users in the ruby context. For us it is mainly blocking strict security CI steps in certain projects. However, updating the package ourselves in images based on the official ones works perfectly fine.
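The workaround severinkaelin describes (upgrading pkgconf in a derived image rather than waiting for the base image), as an added example Dockerfile that is not part of this thread or of the docker-library/ruby project. It uses the ruby:3.0.5-alpine3.16 tag from the original report, and the build-time check assumes the `name-version < available` line format that `apk version -l '<'` prints for packages still behind the repository.

```dockerfile
# Added example (not from docker-library/ruby): derive from the official image
# and pull the patched pkgconf from the Alpine 3.16 repositories yourself.
FROM ruby:3.0.5-alpine3.16

# Refresh the package index, upgrade only the affected package, then fail the
# build if pkgconf is still behind the repository version. Doing everything in
# one RUN keeps the index available for the check and lets us drop it afterwards
# so it does not end up in the image layer.
RUN set -eux; \
    apk update; \
    apk upgrade pkgconf; \
    if apk version -l '<' | grep -q '^pkgconf'; then \
        echo 'pkgconf is still upgradable; aborting build' >&2; \
        exit 1; \
    fi; \
    rm -rf /var/cache/apk/*

# Record which pkgconf version the image actually carries, so the scanner
# finding can be cross-checked against the build log.
RUN apk info -v pkgconf
```

Once the official image is rebuilt on a fixed Alpine base, the `apk upgrade pkgconf` step becomes a no-op and the check still passes, so the Dockerfile does not need to be changed again.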