Closed ahosni-axon closed 1 year ago
Thanks for contributing. As soon as the upstream base image contains the corresponding changes, we will also make them available here. Hence please scan python:3.11.4-alpine3.18 and send the report to https://github.com/docker-library/python
@ahosni-axon v1.25.1 is released and trivy shows no CVEs inside the image anymore. Can you rescan?
Hello,
A recent security scan showed the following security vulnerabilities in the latest release, kiwigrid/k8s-sidecar v1.25.0.
CVE-2023-37920 Package: certifi 2023.5.7 Certifi is a curated collection of Root Certificates for validating the trustworthiness of SSL certificates while verifying the identity of TLS hosts. Certifi prior to version 2023.07.22 recognizes "e-Tugra" root certificates. e-Tugra's root certificates were subject to an investigation prompted by reporting of security issues in their systems. Certifi 2023.07.22 removes root certificates from "e-Tugra" from the root store.
PRISMA-2022-0168 Package: pip 23.1.2 An issue was discovered in pip (all versions) because it installs the version with the highest version number, even if the user had intended to obtain a private package from a private index. This only affects use of the --extra-index-url option, and exploitation requires that the package does not already exist in the public index (and thus the attacker can put the package there with an arbitrary version number). NOTE: it has been reported that this is intended functionality and the user is responsible for using --extra-index-url securely. This vulnerability was first assigned CVE-2018-20225, but it is still under dispute. However, this vulnerability still poses a threat when using --extra-index-url.
I wanted to pass this along to the kiwigrid team and ask if there were any plans to update the affected packages in an upcoming release.
Thank you, Amr Hosni
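Both findings in the report above lend themselves to a mechanical check on the image's requirements file before it is built. The script below is an added example and is not code from the k8s-sidecar project or the issue author: it scans a constructed requirements file for the pip behaviour PRISMA-2022-0168 describes (any `--extra-index-url` line, packages without an `==` pin, packages without a `--hash` so `--require-hashes` cannot protect them) and for a certifi pin older than 2023.07.22, the version the CVE-2023-37920 advisory names as fixed. The sample requirements, the finding categories and the one-line hash layout are assumptions made for the example.

```python
"""Audit a pip requirements file for the two risks raised in the issue.

Hypothetical example, not part of kiwigrid/k8s-sidecar:
  - dependency confusion through --extra-index-url (PRISMA-2022-0168 / CVE-2018-20225)
  - a certifi release that still ships the e-Tugra roots (CVE-2023-37920)
"""
import re

# First certifi release without the e-Tugra roots, per the advisory text.
CERTIFI_FIXED = (2023, 7, 22)

# Constructed sample input that shows every finding the audit can raise.
SAMPLE_REQUIREMENTS = """\
--extra-index-url https://pypi.internal.example/simple
requests==2.31.0 --hash=sha256:0000000000000000000000000000000000000000000000000000000000000000
certifi==2023.5.7
my-private-lib
"""

# Matches "name", "name==1.2.3" or "name>=1.0"; only "==" counts as a pin.
_REQ_RE = re.compile(r"([A-Za-z0-9_.\-]+)\s*(==\s*([^\s;]+))?")


def parse_version(text):
    """Turn '2023.07.22' into (2023, 7, 22) so tuples compare numerically."""
    return tuple(int(p) for p in re.findall(r"\d+", text))


def audit_requirements(text):
    """Return a list of (line_number, category, message) findings."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("--extra-index-url"):
            # pip picks the highest version across *all* configured indexes,
            # so a public package with a larger version wins over the private one.
            findings.append((lineno, "extra-index-url",
                             "pip resolves across indexes; point --index-url at a "
                             "single private proxy instead"))
            continue
        if line.startswith("-"):
            continue  # other pip options are not requirements
        match = _REQ_RE.match(line)
        name = match.group(1).lower()
        version = match.group(3)
        if version is None:
            findings.append((lineno, "unpinned", f"{name} has no ==version pin"))
        if "--hash=" not in line:
            findings.append((lineno, "no-hash",
                             f"{name} has no --hash; --require-hashes cannot verify it"))
        if name == "certifi" and version and parse_version(version) < CERTIFI_FIXED:
            findings.append((lineno, "CVE-2023-37920",
                             f"certifi {version} predates 2023.07.22"))
    return findings


if __name__ == "__main__":
    for lineno, category, message in audit_requirements(SAMPLE_REQUIREMENTS):
        print(f"line {lineno}: [{category}] {message}")
```

The `--extra-index-url` check is the one that matters for PRISMA-2022-0168: the mitigation pip's own documentation implies is a single `--index-url` pointing at a private proxy that mirrors PyPI, so the resolver never compares a private name against the public index, combined with `==` pins and `--require-hashes` so a substituted artifact fails verification rather than being installed.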