eddelbuettel / r2u

CRAN as Ubuntu Binaries
https://eddelbuettel.github.io/r2u

Security vulnerability found in python3.10 #27

Closed psolymos closed 1 year ago

psolymos commented 1 year ago

Hi Dirk,

A recent build on ECR that used snyk to scan for vulnerabilities flagged a high severity vulnerability related to Python 3.10 libraries that is fixed in version 3.10.6-1.

Link to full description of the vulnerability: https://security.snyk.io/vuln/SNYK-UBUNTU2204-PYTHON310-3098759

Impacted docker images: eddelbuettel/r2u:22.04 and eddelbuettel/r2u:jammy

Proposed fix: Upgrade Ubuntu:22.04 python3.10 to version 3.10.6-1~22.04.1 or higher. apt upgrade in the Dockerfile should take care of this, and a new push to the registry.

Thanks! These images are still the best.

eddelbuettel commented 1 year ago

You are always welcome to build containers yourself from our public Dockerfiles. We do this as volunteers, and r2u is built on r-bspm which is built on r-ubuntu so .. turtles all the way down. I have rebuilt all three from the inside out and pushed. Twice, once for jammy and once for 22.04.

What about focal aka 20.04?

And yes, it's getting used. We are hitting several tens of thousands of packages now. All good.

psolymos commented 1 year ago

I have some derived images that I can update on my end. I just wanted to flag this because I saw the r2u images were 3 months old. Thank you for your work on r2u and the updated images!

The status for focal (20.04) is not clear to me; the Canonical website mentions "Does not exist" (https://ubuntu.com/security/CVE-2022-42919).

eddelbuettel commented 1 year ago

I suspected -- but was in a rush. I now see that under focal we have

root@29b6c42e6c82:/# python3 --version
Python 3.8.10
root@29b6c42e6c82:/# 

so it doesn't apply. Thanks again for the heads-up. This should be taken care of.