kubesphere / s2i-python-container

Apache License 2.0

Security issues found by trivy #15

Open LinuxSuRen opened 2 years ago

LinuxSuRen commented 2 years ago

Trivy finds some security issues in the image:

+------------------+------------------+----------+----------------------+-------------------------+--------------------------------------------+
|     LIBRARY      | VULNERABILITY ID | SEVERITY |  INSTALLED VERSION   |      FIXED VERSION      |                   TITLE                    |
+------------------+------------------+----------+----------------------+-------------------------+--------------------------------------------+
| bind-license     | CVE-2020-8625    | HIGH     | 32:9.11.4-26.P2.el7  | 32:9.11.4-26.P2.el7_9.4 | bind: Buffer overflow in the SPNEGO        |
|                  |                  |          |                      |                         | implementation affecting GSSAPI            |
|                  |                  |          |                      |                         | security policy negotiation...             |
|                  |                  |          |                      |                         | -->avd.aquasec.com/nvd/cve-2020-8625       |
+                  +------------------+          +                      +-------------------------+--------------------------------------------+
|                  | CVE-2021-25215   |          |                      | 32:9.11.4-26.P2.el7_9.5 | bind: An assertion check                   |
|                  |                  |          |                      |                         | can fail while answering                   |
|                  |                  |          |                      |                         | queries for DNAME records...               |
|                  |                  |          |                      |                         | -->avd.aquasec.com/nvd/cve-2021-25215      |
+------------------+------------------+          +----------------------+-------------------------+--------------------------------------------+
| glib2            | CVE-2015-8385    |          | 2.56.1-7.el7         |                         | pcre: buffer overflow caused               |
|                  |                  |          |                      |                         | by named forward reference                 |
|                  |                  |          |                      |                         | to duplicate group number...               |
|                  |                  |          |                      |                         | -->avd.aquasec.com/nvd/cve-2015-8385       |
+                  +------------------+          +                      +-------------------------+--------------------------------------------+
|                  | CVE-2016-3191    |          |                      |                         | pcre: workspace overflow for               |
|                  |                  |          |                      |                         | (*ACCEPT) with deeply nested               |
|                  |                  |          |                      |                         | parentheses (8.39/13, 10.22/12)            |
|                  |                  |          |                      |                         | -->avd.aquasec.com/nvd/cve-2016-3191       |
+                  +------------------+          +                      +-------------------------+--------------------------------------------+
|                  | CVE-2021-27219   |          |                      | 2.56.1-9.el7_9          | glib: integer overflow in                  |
|                  |                  |          |                      |                         | g_bytes_new function on                    |
|                  |                  |          |                      |                         | 64-bit platforms due to an...              |
|                  |                  |          |                      |                         | -->avd.aquasec.com/nvd/cve-2021-27219      |
+------------------+------------------+----------+----------------------+-------------------------+--------------------------------------------+
| glibc            | CVE-2019-1010022 | CRITICAL | 2.17-324.el7_9       |                         | glibc: stack guard protection bypass       |
|                  |                  |          |                      |                         | -->avd.aquasec.com/nvd/cve-2019-1010022    |
+------------------+                  +          +                      +-------------------------+                                            +
| glibc-common     |                  |          |                      |                         |                                            |
|                  |                  |          |                      |                         |                                            |
+------------------+                  +          +                      +-------------------------+                                            +
| glibc-devel      |                  |          |                      |                         |                                            |
|                  |                  |          |                      |                         |                                            |
+------------------+                  +          +                      +-------------------------+                                            +
| glibc-headers    |                  |          |                      |                         |                                            |
|                  |                  |          |                      |                         |                                            |
+------------------+------------------+----------+----------------------+-------------------------+--------------------------------------------+
| kernel-headers   | CVE-2016-5195    | HIGH     | 3.10.0-1160.25.1.el7 | 4.5.0-15.2.1.el7        | kernel: mm: privilege escalation           |
|                  |                  |          |                      |                         | via MAP_PRIVATE COW breakage               |
|                  |                  |          |                      |                         | -->avd.aquasec.com/nvd/cve-2016-5195       |
+                  +------------------+          +                      +                         +--------------------------------------------+
|                  | CVE-2016-7039    |          |                      |                         | kernel: remotely triggerable               |
|                  |                  |          |                      |                         | unbounded recursion in the                 |
|                  |                  |          |                      |                         | vlan gro code leading to...                |
|                  |                  |          |                      |                         | -->avd.aquasec.com/nvd/cve-2016-7039       |
+                  +------------------+          +                      +                         +--------------------------------------------+
|                  | CVE-2016-8666    |          |                      |                         | kernel: Remotely triggerable               |
|                  |                  |          |                      |                         | recursion in GRE code                      |
|                  |                  |          |                      |                         | leading to kernel crash                    |
|                  |                  |          |                      |                         | -->avd.aquasec.com/nvd/cve-2016-8666       |
+                  +------------------+          +                      +-------------------------+--------------------------------------------+
|                  | CVE-2018-20976   |          |                      |                         | kernel: use-after-free                     |
|                  |                  |          |                      |                         | in fs/xfs/xfs_super.c                      |
|                  |                  |          |                      |                         | -->avd.aquasec.com/nvd/cve-2018-20976      |
+                  +------------------+          +                      +-------------------------+--------------------------------------------+
|                  | CVE-2020-12362   |          |                      | 3.10.0-1160.31.1.el7    | kernel: Integer overflow in                |
|                  |                  |          |                      |                         | Intel(R) Graphics Drivers                  |
|                  |                  |          |                      |                         | -->avd.aquasec.com/nvd/cve-2020-12362      |
+                  +------------------+          +                      +-------------------------+--------------------------------------------+
|                  | CVE-2020-8834    |          |                      |                         | Kernel: ppc: kvm: conflicting              |
|                  |                  |          |                      |                         | use of HSTATE_HOST_R1 to                   |
|                  |                  |          |                      |                         | store r1 state leads...                    |
|                  |                  |          |                      |                         | -->avd.aquasec.com/nvd/cve-2020-8834       |
+                  +------------------+          +                      +-------------------------+--------------------------------------------+
|                  | CVE-2021-0512    |          |                      |                         | kernel: out-of-bounds write due            |
|                  |                  |          |                      |                         | to a heap buffer overflow in               |
|                  |                  |          |                      |                         | __hidinput_change_resolution_multipliers() |
|                  |                  |          |                      |                         | of... -->avd.aquasec.com/nvd/cve-2021-0512 |
+                  +------------------+          +                      +-------------------------+--------------------------------------------+
|                  | CVE-2021-22543   |          |                      | 3.10.0-1160.45.1.el7    | kernel: Improper handling                  |
|                  |                  |          |                      |                         | of VM_IO|VM_PFNMAP vmas in                 |
|                  |                  |          |                      |                         | KVM can bypass RO checks...                |
|                  |                  |          |                      |                         | -->avd.aquasec.com/nvd/cve-2021-22543      |
+                  +------------------+          +                      +-------------------------+--------------------------------------------+
|                  | CVE-2021-3347    |          |                      | 3.10.0-1160.31.1.el7    | kernel: Use after free                     |
|                  |                  |          |                      |                         | via PI futex state                         |
|                  |                  |          |                      |                         | -->avd.aquasec.com/nvd/cve-2021-3347       |
+                  +------------------+          +                      +-------------------------+--------------------------------------------+
|                  | CVE-2021-3609    |          |                      |                         | kernel: race condition                     |
|                  |                  |          |                      |                         | in net/can/bcm.c leads to                  |
|                  |                  |          |                      |                         | local privilege escalation                 |
|                  |                  |          |                      |                         | -->avd.aquasec.com/nvd/cve-2021-3609       |
+                  +------------------+          +                      +-------------------------+--------------------------------------------+
|                  | CVE-2021-37576   |          |                      | 3.10.0-1160.45.1.el7    | kernel: powerpc: KVM guest                 |
|                  |                  |          |                      |                         | OS users can cause host                    |
|                  |                  |          |                      |                         | OS memory corruption...                    |
|                  |                  |          |                      |                         | -->avd.aquasec.com/nvd/cve-2021-37576      |
+                  +------------------+          +                      +-------------------------+--------------------------------------------+
|                  | CVE-2021-38160   |          |                      |                         | kernel: data corruption                    |
|                  |                  |          |                      |                         | or loss can be triggered                   |
|                  |                  |          |                      |                         | by an untrusted device...                  |
|                  |                  |          |                      |                         | -->avd.aquasec.com/nvd/cve-2021-38160      |
+                  +------------------+          +                      +-------------------------+--------------------------------------------+
|                  | CVE-2021-4028    |          |                      |                         | kernel: use-after-free                     |
|                  |                  |          |                      |                         | in RDMA listen()                           |
|                  |                  |          |                      |                         | -->avd.aquasec.com/nvd/cve-2021-4028       |
+------------------+------------------+          +----------------------+-------------------------+--------------------------------------------+
| libX11           | CVE-2021-31535   |          | 1.6.7-3.el7_9        | 1.6.7-4.el7_9           | libX11: missing request length checks      |
|                  |                  |          |                      |                         | -->avd.aquasec.com/nvd/cve-2021-31535      |
+------------------+                  +          +                      +                         +                                            +
| libX11-common    |                  |          |                      |                         |                                            |
|                  |                  |          |                      |                         |                                            |
+------------------+                  +          +                      +                         +                                            +
| libX11-devel     |                  |          |                      |                         |                                            |
|                  |                  |          |                      |                         |                                            |
+------------------+------------------+----------+----------------------+-------------------------+--------------------------------------------+
| nss              | CVE-2021-43527   | CRITICAL | 3.53.1-3.el7_9       | 3.67.0-4.el7_9          | nss: Memory corruption in                  |
|                  |                  |          |                      |                         | decodeECorDsaSignature with                |
|                  |                  |          |                      |                         | DSA signatures (and RSA-PSS)               |
|                  |                  |          |                      |                         | -->avd.aquasec.com/nvd/cve-2021-43527      |
+------------------+                  +          +                      +                         +                                            +
| nss-sysinit      |                  |          |                      |                         |                                            |
|                  |                  |          |                      |                         |                                            |
|                  |                  |          |                      |                         |                                            |
|                  |                  |          |                      |                         |                                            |
+------------------+                  +          +                      +                         +                                            +
| nss-tools        |                  |          |                      |                         |                                            |
|                  |                  |          |                      |                         |                                            |
|                  |                  |          |                      |                         |                                            |
|                  |                  |          |                      |                         |                                            |
+------------------+------------------+----------+----------------------+-------------------------+--------------------------------------------+
| postgresql       | CVE-2021-32027   | HIGH     | 9.2.24-6.el7_9       | 9.2.24-7.el7_9          | postgresql: Buffer overrun                 |
|                  |                  |          |                      |                         | from integer overflow in array             |
|                  |                  |          |                      |                         | subscripting calculations                  |
|                  |                  |          |                      |                         | -->avd.aquasec.com/nvd/cve-2021-32027      |
+------------------+                  +          +                      +                         +                                            +
| postgresql-devel |                  |          |                      |                         |                                            |
|                  |                  |          |                      |                         |                                            |
|                  |                  |          |                      |                         |                                            |
|                  |                  |          |                      |                         |                                            |
+------------------+                  +          +                      +                         +                                            +
| postgresql-libs  |                  |          |                      |                         |                                            |
|                  |                  |          |                      |                         |                                            |
|                  |                  |          |                      |                         |                                            |
|                  |                  |          |                      |                         |                                            |
+------------------+------------------+          +----------------------+-------------------------+--------------------------------------------+
| sqlite           | CVE-2019-5827    |          | 3.7.17-8.el7_7.1     |                         | sqlite: out-of-bounds access               |
|                  |                  |          |                      |                         | due to the use of 32-bit                   |
|                  |                  |          |                      |                         | memory allocator interfaces...             |
|                  |                  |          |                      |                         | -->avd.aquasec.com/nvd/cve-2019-5827       |
+------------------+                  +          +                      +-------------------------+                                            +
| sqlite-devel     |                  |          |                      |                         |                                            |
|                  |                  |          |                      |                         |                                            |
|                  |                  |          |                      |                         |                                            |
|                  |                  |          |                      |                         |                                            |
+------------------+------------------+----------+----------------------+-------------------------+--------------------------------------------+

Python (python-pkg)
===================
Total: 1 (HIGH: 1, CRITICAL: 0)

+---------+------------------+----------+-------------------+---------------+---------------------------------------+
| LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION |                 TITLE                 |
+---------+------------------+----------+-------------------+---------------+---------------------------------------+
| pip     | CVE-2019-20916   | HIGH     | 9.0.1             |          19.2 | python-pip: directory traversal       |
|         |                  |          |                   |               | in _download_http_url() function      |
|         |                  |          |                   |               | in src/pip/_internal/download.py      |
|         |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2019-20916 |
+---------+------------------+----------+-------------------+---------------+---------------------------------------+
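The scan above mixes findings that CentOS already ships a fix for (a `FIXED VERSION` is listed, so `yum update` clears them) with ones that have no vendor fix yet (empty `FIXED VERSION`), and it spreads one CVE across several sub-packages of the same source RPM. The script below is an added triage example, not part of the issue or the s2i-python-container project: it reads the JSON that `trivy image -f json` writes, separates fixable from unfixed findings, keeps the highest fixed build per package, and prints the `yum`/`pip` commands that would clear the fixable ones. The embedded report is constructed from a subset of the rows in the table; the target name is an assumption, and the RPM version ordering is a simplified stand-in for rpmvercmp that handles the epoch/digit/letter segments seen here.

```python
"""Triage a Trivy JSON report into fixable vs. unfixed findings and derive the
package upgrades that clear the fixable ones.

Added example; not code from the s2i-python-container project. SAMPLE_REPORT is
CONSTRUCTED from a subset of the issue's table and follows the shape of
`trivy image -f json` (both the old top-level list and the newer
{"Results": [...]} envelope are accepted)."""
import json
import re

SAMPLE_REPORT = json.dumps({
    "Results": [
        {
            "Target": "s2i-python (centos 7)",   # target name is an assumption
            "Type": "centos",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-2020-8625", "PkgName": "bind-license",
                 "InstalledVersion": "32:9.11.4-26.P2.el7",
                 "FixedVersion": "32:9.11.4-26.P2.el7_9.4", "Severity": "HIGH"},
                {"VulnerabilityID": "CVE-2021-25215", "PkgName": "bind-license",
                 "InstalledVersion": "32:9.11.4-26.P2.el7",
                 "FixedVersion": "32:9.11.4-26.P2.el7_9.5", "Severity": "HIGH"},
                {"VulnerabilityID": "CVE-2015-8385", "PkgName": "glib2",
                 "InstalledVersion": "2.56.1-7.el7", "FixedVersion": "", "Severity": "HIGH"},
                {"VulnerabilityID": "CVE-2021-27219", "PkgName": "glib2",
                 "InstalledVersion": "2.56.1-7.el7", "FixedVersion": "2.56.1-9.el7_9", "Severity": "HIGH"},
                {"VulnerabilityID": "CVE-2019-1010022", "PkgName": "glibc",
                 "InstalledVersion": "2.17-324.el7_9", "FixedVersion": "", "Severity": "CRITICAL"},
                {"VulnerabilityID": "CVE-2021-43527", "PkgName": "nss",
                 "InstalledVersion": "3.53.1-3.el7_9", "FixedVersion": "3.67.0-4.el7_9", "Severity": "CRITICAL"},
                {"VulnerabilityID": "CVE-2016-5195", "PkgName": "kernel-headers",
                 "InstalledVersion": "3.10.0-1160.25.1.el7", "FixedVersion": "4.5.0-15.2.1.el7", "Severity": "HIGH"},
            ],
        },
        {
            "Target": "Python", "Type": "python-pkg",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-2019-20916", "PkgName": "pip",
                 "InstalledVersion": "9.0.1", "FixedVersion": "19.2", "Severity": "HIGH"},
            ],
        },
    ]
})

SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}


def rpm_version_key(version):
    """Simplified rpmvercmp ordering: digit runs compare numerically, letter runs
    lexically, and a digit run sorts above a letter run. Good enough for the
    epoch:version-release strings in the report; not a full rpmvercmp."""
    return [(1, int(t)) if t.isdigit() else (0, t) for t in re.findall(r"\d+|[A-Za-z]+", version)]


def load_results(report_text):
    """Return the per-target result list for either Trivy JSON schema."""
    doc = json.loads(report_text)
    return (doc.get("Results") or []) if isinstance(doc, dict) else doc


def triage(report_text, min_severity="HIGH"):
    """Return (fixable, unfixed, upgrades). fixable/unfixed are tuples of
    (type, pkg, cve, installed, fixed); upgrades maps (type, pkg) to the highest
    fixed version any CVE for that package requires."""
    threshold = SEVERITY_RANK[min_severity]
    fixable, unfixed, upgrades = [], [], {}
    for result in load_results(report_text):
        kind = result.get("Type", "")
        for v in result.get("Vulnerabilities") or []:
            if SEVERITY_RANK.get(v.get("Severity", "UNKNOWN"), 0) < threshold:
                continue
            fixed = v.get("FixedVersion", "") or ""
            entry = (kind, v["PkgName"], v["VulnerabilityID"], v["InstalledVersion"], fixed)
            if not fixed:
                unfixed.append(entry)           # no vendor fix: only a base-image change helps
                continue
            fixable.append(entry)
            key = (kind, v["PkgName"])
            if key not in upgrades or rpm_version_key(fixed) > rpm_version_key(upgrades[key]):
                upgrades[key] = fixed
    return fixable, unfixed, upgrades


def remediation(upgrades):
    """Commands a Dockerfile RUN step would need to clear the fixable findings."""
    rpms = sorted(pkg for (kind, pkg) in upgrades if kind != "python-pkg")
    cmds = []
    if rpms:
        cmds.append("yum update -y " + " ".join(rpms) + " && yum clean all")
    for (kind, pkg), ver in sorted(upgrades.items()):
        if kind == "python-pkg":
            cmds.append(f"pip install --no-cache-dir '{pkg}>={ver}'")
    return cmds


if __name__ == "__main__":
    fixable, unfixed, upgrades = triage(SAMPLE_REPORT)
    print(f"{len(fixable)} fixable, {len(unfixed)} without a vendor fix")
    for kind, pkg, cve, installed, fixed in unfixed:
        print(f"  UNFIXED {cve} {pkg} {installed}")
    for cmd in remediation(upgrades):
        print("RUN " + cmd)
```

Two caveats when reading the real report this way. The `kernel-headers` rows are header files; the kernel a container runs on belongs to the host, so those CVEs do not describe risk inside the image even though Trivy flags them. And the unfixed rows (`glibc` CVE-2019-1010022, the old pcre CVEs attributed to `glib2`) cannot be cleared by `yum update` at all; `trivy image --ignore-unfixed --severity HIGH,CRITICAL` hides them from a CI gate so the gate only fails on findings the image build can actually act on.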
LinuxSuRen commented 2 years ago

/help

ks-ci-bot commented 2 years ago

@LinuxSuRen: This request has been marked as needing help from a contributor.

Please ensure the request meets the requirements listed here.

If this request no longer meets these requirements, the label can be removed by commenting with the /remove-help command.

In response to [this](https://github.com/kubesphere/s2i-python-container/issues/15):

> /help

Instructions for interacting with me using PR comments are available [here](https://git.k8s.io/community/contributors/guide/pull-requests.md). If you have questions or suggestions related to my behavior, please file an issue against the [kubernetes/test-infra](https://github.com/kubernetes/test-infra/issues/new?title=Prow%20issue:) repository.