eclipse / openvsx

An open-source registry for VS Code extensions
https://open-vsx.org/
Eclipse Public License 2.0

[Vulnerability] debian libfreetype6 2.9.1 in docker image openvsx-server (CVE-2020-15999) #466

Open amtadev opened 2 years ago

amtadev commented 2 years ago

I downloaded and scanned openvsx-server docker image version 72706d1, and found that it has/uses/references debian libfreetype6 2.9.1-3+deb10u1 (CVE-2020-15999).

Could you confirm if this is actually used within the image? And if yes, are there any plans to update it to >= 2.10.4?

amvanbaren commented 2 years ago

@amtadev How are CefSharp and libfreetype6 2.9.1-3+deb10u1 related?

amtadev commented 2 years ago

freetype is a font rendering engine library which is used by CefSharp and Chromium. Google Chrome version 86.0.4240.111 or newer has this vulnerability patched, but that of course depends on the user/client. https://nvd.nist.gov/vuln/detail/CVE-2020-15999
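One way to verify a scanner finding like this one against the image itself, as an added example that is not part of the openvsx project or this thread: it ports dpkg's version ordering to Python so the version reported by `dpkg-query` inside the image can be compared both with the upstream fix (2.10.4, as asked in the issue) and with a Debian backport version, since Debian patches CVEs without bumping the upstream number. The `dpkg-query` output is constructed and `BUSTER_FIXED` is an assumed value to be confirmed in the Debian security tracker.

```python
import re

# Constructed sample of `dpkg-query -W -f='${Package} ${Version}\n'` run inside the image
SAMPLE_DPKG_OUTPUT = """\
libfontconfig1 2.13.1-2
libfreetype6 2.9.1-3+deb10u1
zlib1g 1:1.2.11.dfsg-1
"""
UPSTREAM_FIXED = "2.10.4"         # from the issue: ">= 2.10.4"
BUSTER_FIXED = "2.9.1-3+deb10u2"  # assumed backport version; confirm in the Debian security tracker

def _order(c):
    # dpkg ordering of non-digit characters: '~' < end/digit < letters < everything else
    if c == "~":
        return -1
    if c == "" or c.isdigit():
        return 0
    return ord(c) if c.isalpha() else ord(c) + 256

def _cmp_fragment(a, b):
    # Port of dpkg's verrevcmp(): alternate non-digit runs and numeric runs
    while a or b:
        while (a and not a[0].isdigit()) or (b and not b[0].isdigit()):
            ac, bc = _order(a[:1]), _order(b[:1])
            if ac != bc:
                return ac - bc
            a, b = a[1:], b[1:]
        am, bm = re.match(r"\d*", a).group(), re.match(r"\d*", b).group()
        a, b = a[len(am):], b[len(bm):]
        if int(am or 0) != int(bm or 0):
            return int(am or 0) - int(bm or 0)
    return 0

def _split(v):
    # [epoch:]upstream_version[-debian_revision]
    epoch, sep, rest = v.partition(":")
    epoch, rest = (epoch, rest) if sep else ("0", v)
    upstream, sep, rev = rest.rpartition("-")
    return int(epoch), (upstream if sep else rest), (rev if sep else "")

def compare_versions(v1, v2):
    """Negative, zero or positive, like `dpkg --compare-versions`."""
    e1, u1, r1 = _split(v1)
    e2, u2, r2 = _split(v2)
    return (e1 - e2) or _cmp_fragment(u1, u2) or _cmp_fragment(r1, r2)

def is_vulnerable(dpkg_output, package, fixed_version):
    """True if `package` appears in the dpkg-query output below fixed_version."""
    versions = dict(line.split(" ", 1) for line in dpkg_output.splitlines() if " " in line)
    return package in versions and compare_versions(versions[package], fixed_version) < 0
```

Run the `dpkg-query` command inside the container (for example via `docker run --rm <image> dpkg-query -W -f='${Package} ${Version}\n'`) and feed its output to `is_vulnerable`; a package that is absent from the output is reported as not vulnerable, which also answers the "is it actually used" question for the Debian package.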