fluent / fluent-bit-docker-image

Docker image for Fluent Bit
https://hub.docker.com/r/fluent/fluent-bit/
Apache License 2.0

Security patching of fluent bit latest docker image #29

Open remidinishanth-ntnx opened 4 years ago

remidinishanth-ntnx commented 4 years ago

Looks like the latest version of Fluent Bit also has a lot of security vulnerabilities. Is there any action towards patching these?

fluent/fluent-bit:latest (debian 9.11)
======================================
Total: 30 (UNKNOWN: 0, LOW: 2, MEDIUM: 23, HIGH: 5, CRITICAL: 0)

+------------+------------------+----------+-------------------+---------------+--------------------------------+
|  LIBRARY   | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION |             TITLE              |
+------------+------------------+----------+-------------------+---------------+--------------------------------+
| libc6      | CVE-2018-1000001 | HIGH     | 2.24-11+deb9u4    |               | glibc: realpath() buffer       |
|            |                  |          |                   |               | underflow when getcwd()        |
|            |                  |          |                   |               | returns relative path allows   |
|            |                  |          |                   |               | privilege escalation...        |
+            +------------------+          +                   +---------------+--------------------------------+
|            | CVE-2018-6485    |          |                   |               | glibc: Integer overflow in     |
|            |                  |          |                   |               | posix_memalign in memalign     |
|            |                  |          |                   |               | functions                      |
+            +------------------+          +                   +---------------+--------------------------------+
|            | CVE-2018-6551    |          |                   |               | glibc: integer overflow in     |
|            |                  |          |                   |               | malloc functions               |
+            +------------------+          +                   +---------------+--------------------------------+
|            | CVE-2019-1010022 |          |                   |               | glibc: stack guard protection  |
|            |                  |          |                   |               | bypass                         |
+            +------------------+          +                   +---------------+--------------------------------+
|            | CVE-2019-9169    |          |                   |               | glibc: regular-expression      |
|            |                  |          |                   |               | match via proceed_next_node    |
|            |                  |          |                   |               | in posix/regexec.c leads to    |
|            |                  |          |                   |               | heap-based buffer over-read... |
+            +------------------+----------+                   +---------------+--------------------------------+
|            | CVE-2009-5155    | MEDIUM   |                   |               | glibc: parse_reg_exp in        |
|            |                  |          |                   |               | posix/regcomp.c misparses      |
|            |                  |          |                   |               | alternatives leading to denial |
|            |                  |          |                   |               | of service or...               |
+            +------------------+          +                   +---------------+--------------------------------+
|            | CVE-2010-4051    |          |                   |               | CVE-2010-4052 glibc:           |
|            |                  |          |                   |               | De-recursivise regular         |
|            |                  |          |                   |               | expression engine              |
+            +------------------+          +                   +---------------+--------------------------------+
|            | CVE-2010-4052    |          |                   |               | CVE-2010-4051 CVE-2010-4052    |
|            |                  |          |                   |               | glibc: De-recursivise regular  |
|            |                  |          |                   |               | expression engine              |
+            +------------------+          +                   +---------------+--------------------------------+
|            | CVE-2010-4756    |          |                   |               | glibc: glob implementation can |
|            |                  |          |                   |               | cause excessive CPU and memory |
|            |                  |          |                   |               | consumption due to...          |
+            +------------------+          +                   +---------------+--------------------------------+
|            | CVE-2015-8985    |          |                   |               | glibc: potential denial of     |
|            |                  |          |                   |               | service in pop_fail_stack()    |
+            +------------------+          +                   +---------------+--------------------------------+
|            | CVE-2016-10228   |          |                   |               | glibc: iconv program can       |
|            |                  |          |                   |               | hang when invoked with the -c  |
|            |                  |          |                   |               | option                         |
+            +------------------+          +                   +---------------+--------------------------------+
|            | CVE-2016-10739   |          |                   |               | glibc: getaddrinfo should      |
|            |                  |          |                   |               | reject IP addresses with       |
|            |                  |          |                   |               | trailing characters            |
+            +------------------+          +                   +---------------+--------------------------------+
|            | CVE-2017-12132   |          |                   |               | glibc: Fragmentation attacks   |
|            |                  |          |                   |               | possible when EDNS0 is enabled |
+            +------------------+          +                   +---------------+--------------------------------+
|            | CVE-2018-20796   |          |                   |               | glibc: uncontrolled            |
|            |                  |          |                   |               | recursion in function          |
|            |                  |          |                   |               | check_dst_limits_calc_pos_1 in |
|            |                  |          |                   |               | posix/regexec.c                |
+            +------------------+          +                   +---------------+--------------------------------+
|            | CVE-2019-1010023 |          |                   |               | glibc: running ldd on          |
|            |                  |          |                   |               | malicious ELF leads to code    |
|            |                  |          |                   |               | execution because of...        |
+            +------------------+          +                   +---------------+--------------------------------+
|            | CVE-2019-1010024 |          |                   |               | glibc: ASLR bypass using cache |
|            |                  |          |                   |               | of thread stack and heap       |
+            +------------------+          +                   +---------------+--------------------------------+
|            | CVE-2019-1010025 |          |                   |               | glibc: information disclosure  |
|            |                  |          |                   |               | of heap addresses of           |
|            |                  |          |                   |               | pthread_created thread         |
+            +------------------+          +                   +---------------+--------------------------------+
|            | CVE-2019-6488    |          |                   |               | glibc: Incorrect attempt to    |
|            |                  |          |                   |               | use a 64-bit register for      |
|            |                  |          |                   |               | size_t in assembly...          |
+            +------------------+          +                   +---------------+--------------------------------+
|            | CVE-2019-9192    |          |                   |               | glibc: uncontrolled            |
|            |                  |          |                   |               | recursion in function          |
|            |                  |          |                   |               | check_dst_limits_calc_pos_1 in |
|            |                  |          |                   |               | posix/regexec.c                |
+            +------------------+----------+                   +---------------+--------------------------------+
|            | CVE-2019-19126   | LOW      |                   |               | glibc:                         |
|            |                  |          |                   |               | LD_PREFER_MAP_32BIT_EXEC not   |
|            |                  |          |                   |               | ignored in setuid binaries     |
+            +------------------+          +                   +---------------+--------------------------------+
|            | CVE-2019-7309    |          |                   |               | glibc: memcmp function         |
|            |                  |          |                   |               | incorrectly returns zero       |
+------------+------------------+----------+-------------------+---------------+--------------------------------+
| libgcc1    | CVE-2018-12886   | MEDIUM   | 6.3.0-18+deb9u1   |               | gcc: spilling of stack         |
|            |                  |          |                   |               | protection address in          |
|            |                  |          |                   |               | cfgexpand.c and function.c     |
|            |                  |          |                   |               | leads to...                    |
+------------+                  +          +                   +---------------+                                +
| libgomp1   |                  |          |                   |               |                                |
|            |                  |          |                   |               |                                |
|            |                  |          |                   |               |                                |
|            |                  |          |                   |               |                                |
+------------+------------------+          +-------------------+---------------+--------------------------------+
| libssl1.1  | CVE-2007-6755    |          | 1.1.0l-1~deb9u1   |               | Dual_EC_DRBG: weak pseudo      |
|            |                  |          |                   |               | random number generator        |
+            +------------------+          +                   +---------------+--------------------------------+
|            | CVE-2010-0928    |          |                   |               | openssl: RSA authentication    |
|            |                  |          |                   |               | weakness                       |
+            +------------------+          +                   +---------------+--------------------------------+
|            | CVE-2019-1551    |          |                   |               | openssl: Integer overflow in   |
|            |                  |          |                   |               | RSAZ modular exponentiation on |
|            |                  |          |                   |               | x86_64                         |
+------------+------------------+          +-------------------+---------------+--------------------------------+
| libstdc++6 | CVE-2018-12886   |          | 6.3.0-18+deb9u1   |               | gcc: spilling of stack         |
|            |                  |          |                   |               | protection address in          |
|            |                  |          |                   |               | cfgexpand.c and function.c     |
|            |                  |          |                   |               | leads to...                    |
+------------+------------------+          +-------------------+---------------+--------------------------------+
| openssl    | CVE-2007-6755    |          | 1.1.0l-1~deb9u1   |               | Dual_EC_DRBG: weak pseudo      |
|            |                  |          |                   |               | random number generator        |
+            +------------------+          +                   +---------------+--------------------------------+
|            | CVE-2010-0928    |          |                   |               | openssl: RSA authentication    |
|            |                  |          |                   |               | weakness                       |
+            +------------------+          +                   +---------------+--------------------------------+
|            | CVE-2019-1551    |          |                   |               | openssl: Integer overflow in   |
|            |                  |          |                   |               | RSAZ modular exponentiation on |
|            |                  |          |                   |               | x86_64                         |
+------------+------------------+----------+-------------------+---------------+--------------------------------+
edsiper commented 4 years ago

As of the v1.4 release next week, we are upgrading to the Debian Buster image.