thockin
commented
8 months ago I need to cut a 4.2.0 release anyway. :)
Closed kingnarmer closed 8 months ago
thockin
commented
8 months ago I need to cut a 4.2.0 release anyway. :)
thockin
commented
8 months ago 
kingnarmer
commented
8 months ago Thanks for quick response.
hanleybrand
commented
8 months ago I pushed v4.2.0 to our harbor instance this morning.
In case it's helpful, these are the outstanding critical/high vulnerabilities -- some of the non-git issues are introduced by the base image (e.g the zlib1g vulnerability), and aren't really fixable. Upgrading git to 2.39.3, or higher should remediate the git vulnerabilities (but the debian git package 1:2.43.0 is still experimental)
Level: Critical zlib1g 1:1.2.13.dfsg-1 Description: MiniZip in zlib through 1.3 has an integer overflow and resultant heap-based buffer overflow in zipOpenNewFileInZip4_64 via a long filename, comment, or extra field. NOTE: MiniZip is not a supported part of the zlib product.
Level: High git 1:2.39.2-1.1 Description: Git is a revision control system. Prior to versions 2.30.9, 2.31.8, 2.32.7, 2.33.8, 2.34.8, 2.35.8, 2.36.6, 2.37.7, 2.38.5, 2.39.3, and 2.40.1, by feeding specially crafted input to
git apply --reject, a path outside the working tree can be overwritten with partially controlled contents (corresponding to the rejected hunk(s) from the given patch).A fix is available in versions 2.30.9, 2.31.8, 2.32.7, 2.33.8, 2.34.8, 2.35.8, 2.36.6, 2.37.7, 2.38.5, 2.39.3, and 2.40.1. As a workaround, avoid using
git applywith--rejectwhen applying patches from an untrusted source. Usegit apply --statto inspect a patch before applying; avoid applying one that create a conflict where a link corresponding to the*.rejfile exists.
Level: High git 1:2.39.2-1.1 Description: Git is a revision control system. Prior to versions 2.30.9, 2.31.8, 2.32.7, 2.33.8, 2.34.8, 2.35.8, 2.36.6, 2.37.7, 2.38.5, 2.39.3, and 2.40.1, a specially crafted
.gitmodulesfile with submodule URLs that are longer than 1024 characters can used to exploit a bug inconfig.c::git_config_copy_or_rename_section_in_file(). This bug can be used to inject arbitrary configuration into a user's$GIT_DIR/configwhen attempting to remove the configuration section associated with that submodule. When the attacker injects configuration values which specify executables to run (such ascore.pager,core.editor,core.sshCommand, etc.) this can lead to a remote code execution.A fix is available in versions 2.30.9, 2.31.8, 2.32.7, 2.33.8, 2.34.8, 2.35.8, 2.36.6, 2.37.7, 2.38.5, 2.39.3, and 2.40.1. As a workaround, avoid running
git submodule deiniton untrusted repositories or without prior inspection of any submodule sections in$GIT_DIR/config.
Level: High libldap-2.5-0 2.5.13+dfsg-5
Description: A vulnerability was found in openldap. This security flaw causes a null pointer dereference in ber_memalloc_x() function.
Level: High perl 5.36.0-7+deb12u1 Description: CPAN.pm before 2.35 does not verify TLS certificates when downloading distributions over HTTPS.
Level: High openssh-client 1:9.2p1-2+deb12u2 Description: OpenSSH through 9.6, when common types of DRAM are used, might allow row hammer attacks (for authentication bypass) because the integer value of authenticated in mm_answer_authpassword does not resist flips of a single bit. NOTE: this is applicable to a certain threat model of attacker-victim co-location in which the attacker has user privileges.
thockin
commented
8 months ago I pretty much depend on the base image to fix such CVEs. If Debian decides that (for example) https://security-tracker.debian.org/tracker/CVE-2023-29007 is a minor issue and doesn't provide a fix, I don't have a lot of good options. I can apply backports, but I don't want to just do that blindly,
When debian updates are available, I can quickly cut a new image.
Was wondering if possible to remediate image 4.1.0 security vulnerabilities
trivy image --ignore-unfixed --severity HIGH,CRITICAL registry.k8s.io/git-sync/git-sync:v4.1.0 --scanners vuln
Total: 5 (HIGH: 4, CRITICAL: 1)
Scan results attached. git-sync-scan.txt