Open kmeekva opened 1 year ago
@kmeekva, thanks for raising this.
Would it be possible to get a pointer to a public image to verify those issues against? I’m happy to take a look.
Alternatively, a Dockerfile to create an image with this problem would be equally helpful.
Thanks again.
I've tried with the following Dockerfile, trying to set up a test case:

```dockerfile
FROM redhat/ubi8
RUN yum -y install python3-urllib3; yum clean all
```
The resulting image now contains urllib3 in various locations:

```json
{
  "type": "pypi",
  "name": "urllib3",
  "version": "1.24.2",
  "purl": "pkg:pypi/urllib3@1.24.2",
  "author": "Andrey Petrov",
  "licenses": [
    "MIT"
  ],
  "locations": [
    {
      "path": "/usr/lib/python3.6/site-packages/urllib3-1.24.2-py3.6.egg-info/PKG-INFO",
      "ordinal": 23,
      "digest": "sha256:1224788fbfdbcd73e4119977a18662b9317e717e809949e7d88d06aa43dd1004",
      "diff_id": "sha256:7cd83e46b22234ac775ed33e7b0c18d697f2e124681fd0592e859d2ee17fbcd4"
    },
    {
      "path": "/usr/lib/python3.6/site-packages/urllib3-1.24.2-py3.6.egg-info/top_level.txt",
      "ordinal": 23,
      "digest": "sha256:1224788fbfdbcd73e4119977a18662b9317e717e809949e7d88d06aa43dd1004",
      "diff_id": "sha256:7cd83e46b22234ac775ed33e7b0c18d697f2e124681fd0592e859d2ee17fbcd4"
    }
  ]
},
```

and

```json
{
  "type": "rpm",
  "namespace": "redhatlinux",
  "name": "python-urllib3",
  "version": "1.24.2-5.el8",
  "purl": "pkg:rpm/redhatlinux/python-urllib3@1.24.2-5.el8?os_name=redhatlinux\u0026os_version=8",
  "licenses": [
    "MIT"
  ],
  "size": 620045,
  "locations": [
    {
      "path": "/var/lib/rpm/Packages",
      "ordinal": 23,
      "digest": "sha256:1224788fbfdbcd73e4119977a18662b9317e717e809949e7d88d06aa43dd1004",
      "diff_id": "sha256:7cd83e46b22234ac775ed33e7b0c18d697f2e124681fd0592e859d2ee17fbcd4"
    }
  ]
},
```
The CVEs reported are against `pkg:pypi/urllib3@1.24.2`, which is indeed installed in the image. I think this CVE report is correct?
Please feel free to re-open in case this is still an issue.
Red Hat claims that their "fix" for this CVE is included with the -5 version of this package.
See the updated packages tab on this page: https://access.redhat.com/errata/RHSA-2021:1631
Because RH 8 is a long-term support release, they often backport fixes while keeping the older version-numbered release installed -- they add a -## to the package name that contains the fixes.
In this case their version -5 is supposed to include the fix for this CVE, but the system is still running the 1.24.2 version -- but with their fixes backported.
So the older package:
`python3-urllib3-1.24.2-4.el8.noarch`
would be vulnerable -- but the current "patched" version is:
`python3-urllib3-1.24.2-5.el8.noarch`
It looks like their "fixed" RPM does include the files that are triggering your hit.

```
yum provides /usr/lib/python3.6/site-packages/urllib3-1.24.2-py3.6.egg-info/PKG-INFO
python3-urllib3-1.24.2-5.el8.noarch : Python3 HTTP library with thread-safe connection
Matched from:
Filename : /usr/lib/python3.6/site-packages/urllib3-1.24.2-py3.6.egg-info/PKG-INFO
python3-urllib3-1.24.2-5.el8.noarch : Python3 HTTP library with thread-safe connection pooling and file post
Repo : ubi-8-baseos-rpms
Matched from:
Filename : /usr/lib/python3.6/site-packages/urllib3-1.24.2-py3.6.egg-info/PKG-INFO
```
@cdupuis Not sure how to re-open this?
We are running Red Hat 8.
The package `python3-urllib3-1.24.2-5.el8.noarch` is installed.
Scout is showing 3 vulnerabilities for this package:

```
============= 0C 1H 2M 0L urllib3 1.24.2 pkg:pypi/urllib3@1.24.2
=================
```

For the first one -- https://scout.docker.com/v/CVE-2021-33503 -- the Red Hat website says it is Not Affected.
For the 2nd one, https://access.redhat.com/security/cve/CVE-2020-26137, Red Hat says it is addressed in the version we have installed: https://access.redhat.com/errata/RHSA-2021:1631 (if you click on updated packages it shows `python-urllib3-1.24.2-5.el8.src.rpm` as being updated).
For the 3rd one, https://scout.docker.com/vulnerabilities/id/CVE-2019-11236, it says < 1.24.2-2.el8 is vulnerable -- we have `python3-urllib3-1.24.2-5.el8.noarch`, which is greater -- and is the patched version.
Not sure why these are showing as vulnerabilities when we have the patched version from Red Hat.
Could be something to do with the "version" shown in the Scout finding only having the point release and not the `-N` Red Hat modified version that contains the backport of the fixes.
e.g. Scout thinks we have `pkg:pypi/urllib3@1.24.2` but we have `1.24.2-5`.
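The two points raised in this thread (distribution packages keep the upstream version and carry backported fixes in the release tag, and a scanner matching on `pkg:pypi/urllib3@1.24.2` alone cannot see that release tag) can be checked mechanically. The script below is an added example, not Docker Scout or Red Hat code: it implements rpm's label ordering (`rpmvercmp`), maps a pypi SBOM entry to the RPM that owns its files (a constructed map standing in for the `yum provides` / `rpm -qf` answer shown above), and compares the installed release with the fixed release the thread quotes for each CVE. The SBOM entry, the ownership map and the `FIXED_IN` table are all constructed from the values in this thread; the vendor advisory (RHSA-2021:1631 here) remains the source of truth for what the release actually fixes.

```python
"""Reconcile a pypi finding in a Docker-Scout-style SBOM with the RPM that
owns the files, then compare that RPM's release with the vendor's fixed release.

Added example, not Docker Scout or Red Hat code. The SBOM entry, the
file-ownership map (standing in for `rpm -qf` / `yum provides` output) and the
fixed-in releases (as stated in the thread) are constructed inline.
"""
import re

# rpm label segments: runs of digits, runs of letters, or the ~ / ^ separators
_SEG = re.compile(r"\d+|[A-Za-z]+|~|\^")


def rpmvercmp(a: str, b: str) -> int:
    """Order two rpm version or release labels like librpm's rpmvercmp:
    1 if a is newer, -1 if older, 0 if equal."""
    if a == b:
        return 0
    ta, tb = _SEG.findall(a), _SEG.findall(b)
    i = j = 0
    while i < len(ta) or j < len(tb):
        x = ta[i] if i < len(ta) else None
        y = tb[j] if j < len(tb) else None
        if x == "~" or y == "~":        # '~' sorts before everything, even end of string
            if x != "~":
                return 1
            if y != "~":
                return -1
            i, j = i + 1, j + 1
            continue
        if x == "^" or y == "^":        # '^' sorts after end of string, before anything else
            if x is None:
                return -1
            if y is None:
                return 1
            if x != "^":
                return 1
            if y != "^":
                return -1
            i, j = i + 1, j + 1
            continue
        if x is None or y is None:      # one label ran out: the longer one is newer
            break
        if x.isdigit() != y.isdigit():  # numeric segments are newer than alphabetic ones
            return 1 if x.isdigit() else -1
        if x.isdigit():
            if int(x) != int(y):
                return 1 if int(x) > int(y) else -1
        elif x != y:
            return 1 if x > y else -1
        i, j = i + 1, j + 1
    if i >= len(ta) and j >= len(tb):
        return 0
    return -1 if i >= len(ta) else 1


def parse_evr(evr: str) -> tuple:
    """'[epoch:]version-release' -> (epoch, version, release)."""
    epoch = 0
    if ":" in evr:
        e, evr = evr.split(":", 1)
        epoch = int(e)
    version, _, release = evr.partition("-")
    return epoch, version, release


def evr_compare(a: str, b: str) -> int:
    """Compare two EVR strings: epoch first, then version, then release."""
    ea, va, ra = parse_evr(a)
    eb, vb, rb = parse_evr(b)
    if ea != eb:
        return 1 if ea > eb else -1
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)


def nevra_to_evr(nevra: str) -> str:
    """'python3-urllib3-1.24.2-5.el8.noarch' -> '1.24.2-5.el8'
    (rpm names may contain '-', version and release may not)."""
    base, _, _arch = nevra.rpartition(".")
    _name, version, release = base.rsplit("-", 2)
    return f"{version}-{release}"


def assess(pypi_pkg: dict, owned_by: dict, fixed_in: dict) -> dict:
    """Find the RPM owning the pypi entry's files and report, per CVE, whether
    the installed release is older than the fixed release (True = vulnerable).
    Files no RPM owns (e.g. pip-installed) are left to the upstream-version verdict."""
    owners = {owned_by[loc["path"]] for loc in pypi_pkg["locations"] if loc["path"] in owned_by}
    if not owners:
        return {"rpm": None, "evr": None, "cves": {}}
    if len(owners) > 1:
        raise ValueError(f"files of {pypi_pkg['purl']} belong to several RPMs: {sorted(owners)}")
    rpm = owners.pop()
    evr = nevra_to_evr(rpm)
    return {"rpm": rpm, "evr": evr,
            "cves": {cve: evr_compare(evr, fixed) < 0 for cve, fixed in fixed_in.items()}}


# Constructed: the pypi entry Scout produced for the test image (paths as in the thread)
PYPI_URLLIB3 = {
    "type": "pypi", "name": "urllib3", "version": "1.24.2", "purl": "pkg:pypi/urllib3@1.24.2",
    "locations": [
        {"path": "/usr/lib/python3.6/site-packages/urllib3-1.24.2-py3.6.egg-info/PKG-INFO"},
        {"path": "/usr/lib/python3.6/site-packages/urllib3-1.24.2-py3.6.egg-info/top_level.txt"},
    ],
}
# Constructed: file -> owning RPM, what `yum provides <path>` answered in the thread
OWNED_BY = {loc["path"]: "python3-urllib3-1.24.2-5.el8.noarch" for loc in PYPI_URLLIB3["locations"]}
# Fixed-in releases as the thread states them; the RHSA is the source of truth
FIXED_IN = {"CVE-2019-11236": "1.24.2-2.el8", "CVE-2020-26137": "1.24.2-5.el8"}

if __name__ == "__main__":
    print(assess(PYPI_URLLIB3, OWNED_BY, FIXED_IN))
```

Running it reports `python3-urllib3-1.24.2-5.el8.noarch` with both CVEs at `False`; swapping the ownership map to the `-4.el8` build flips CVE-2020-26137 to `True`, which is the distinction the pypi purl alone cannot express.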