search

linuxserver / docker-jellyfin

GNU General Public License v3.0
630 stars 94 forks source link

Vulnerabilities in image. Scanned container with trivy #140

Closed dillbyrne closed 2 years ago

dillbyrne commented 2 years ago

linuxserver.io

Expected Behavior

No known vulnerabilities

Current Behavior

Update the base image that is shared across many LS images,

Steps to Reproduce

  1. scan the image with trivy https://github.com/aquasecurity/trivy
  2. see the results below

Environment

Image version: linuxserver/jellyfin:10.7.7-1-ls146 OS: Debian 11 CPU architecture: x86_64 How docker service was installed: from the official docker repo

Command used to create docker container (compose)

jellyfin:
    image: linuxserver/jellyfin:10.7.7-1-ls146
    container_name: jellyfin
    environment:
      - PUID=1000
      - PGID=1000
      - TZ=Europe/Spain
    volumes:
      - ./jellyfin/config:/config
      - ./content/Movies:/data/Movies:ro
      - ./content/Shows:/data/Shows:ro
    networks:
      - reverse-proxy_jellyfin
    security_opt:
      - no-new-privileges
    expose:
      - 8096
    restart: unless-stopped

Results of scan

linuxserver/jellyfin:10.7.7-1-ls146 (ubuntu 20.04)
==================================================
Total: 71 (UNKNOWN: 0, LOW: 55, MEDIUM: 16, HIGH: 0, CRITICAL: 0)

+----------------------+------------------+----------+--------------------------+-------------------+-----------------------------------------+
|       LIBRARY        | VULNERABILITY ID | SEVERITY |    INSTALLED VERSION     |   FIXED VERSION   |                  TITLE                  |
+----------------------+------------------+----------+--------------------------+-------------------+-----------------------------------------+
| bash                 | CVE-2019-18276   | LOW      | 5.0-6ubuntu1.1           |                   | bash: when effective UID is not         |
|                      |                  |          |                          |                   | equal to its real UID the...            |
|                      |                  |          |                          |                   | -->avd.aquasec.com/nvd/cve-2019-18276   |
+----------------------+------------------+          +--------------------------+-------------------+-----------------------------------------+
| coreutils            | CVE-2016-2781    |          | 8.30-3ubuntu2            |                   | coreutils: Non-privileged               |
|                      |                  |          |                          |                   | session can escape to the               |
|                      |                  |          |                          |                   | parent session in chroot                |
|                      |                  |          |                          |                   | -->avd.aquasec.com/nvd/cve-2016-2781    |
+----------------------+------------------+----------+--------------------------+-------------------+-----------------------------------------+
| krb5-locales         | CVE-2021-36222   | MEDIUM   | 1.17-6ubuntu4.1          |                   | krb5: Sending a request containing      |
|                      |                  |          |                          |                   | PA-ENCRYPTED-CHALLENGE padata           |
|                      |                  |          |                          |                   | element without using FAST could...     |
|                      |                  |          |                          |                   | -->avd.aquasec.com/nvd/cve-2021-36222   |
+                      +------------------+----------+                          +-------------------+-----------------------------------------+
|                      | CVE-2018-5709    | LOW      |                          |                   | krb5: integer overflow                  |
|                      |                  |          |                          |                   | in dbentry->n_key_data                  |
|                      |                  |          |                          |                   | in kadmin/dbutil/dump.c                 |
|                      |                  |          |                          |                   | -->avd.aquasec.com/nvd/cve-2018-5709    |
+----------------------+------------------+          +--------------------------+-------------------+-----------------------------------------+
| libasn1-8-heimdal    | CVE-2021-3671    |          | 7.7.0+dfsg-1ubuntu1      |                   | samba: Null pointer dereference         |
|                      |                  |          |                          |                   | on missing sname in TGS-REQ             |
|                      |                  |          |                          |                   | -->avd.aquasec.com/nvd/cve-2021-3671    |
+----------------------+------------------+----------+--------------------------+-------------------+-----------------------------------------+
| libass9              | CVE-2020-36430   | MEDIUM   | 1:0.14.0-2               |                   | libass 0.15.x before 0.15.1 has         |
|                      |                  |          |                          |                   | a heap-based buffer overflow            |
|                      |                  |          |                          |                   | in decode_chars (called...              |
|                      |                  |          |                          |                   | -->avd.aquasec.com/nvd/cve-2020-36430   |
+----------------------+------------------+          +--------------------------+-------------------+-----------------------------------------+
| libc-bin             | CVE-2021-35942   |          | 2.31-0ubuntu9.2          |                   | glibc: Arbitrary read in wordexp()      |
|                      |                  |          |                          |                   | -->avd.aquasec.com/nvd/cve-2021-35942   |
+                      +------------------+          +                          +-------------------+-----------------------------------------+
|                      | CVE-2021-38604   |          |                          |                   | glibc: NULL pointer dereference in      |
|                      |                  |          |                          |                   | helper_thread() in mq_notify.c while    |
|                      |                  |          |                          |                   | handling NOTIFY_REMOVED messages...     |
|                      |                  |          |                          |                   | -->avd.aquasec.com/nvd/cve-2021-38604   |
+                      +------------------+----------+                          +-------------------+-----------------------------------------+
|                      | CVE-2016-10228   | LOW      |                          |                   | glibc: iconv program can hang           |
|                      |                  |          |                          |                   | when invoked with the -c option         |
|                      |                  |          |                          |                   | -->avd.aquasec.com/nvd/cve-2016-10228   |
+                      +------------------+          +                          +-------------------+-----------------------------------------+
|                      | CVE-2019-25013   |          |                          |                   | glibc: buffer over-read in              |
|                      |                  |          |                          |                   | iconv when processing invalid           |
|                      |                  |          |                          |                   | multi-byte input sequences in...        |
|                      |                  |          |                          |                   | -->avd.aquasec.com/nvd/cve-2019-25013   |
+                      +------------------+          +                          +-------------------+-----------------------------------------+
|                      | CVE-2020-27618   |          |                          |                   | glibc: iconv when processing            |
|                      |                  |          |                          |                   | invalid multi-byte input                |
|                      |                  |          |                          |                   | sequences fails to advance the...       |
|                      |                  |          |                          |                   | -->avd.aquasec.com/nvd/cve-2020-27618   |
+                      +------------------+          +                          +-------------------+-----------------------------------------+
|                      | CVE-2020-29562   |          |                          |                   | glibc: assertion failure in iconv       |
|                      |                  |          |                          |                   | when converting invalid UCS4            |
|                      |                  |          |                          |                   | -->avd.aquasec.com/nvd/cve-2020-29562   |
+                      +------------------+          +                          +-------------------+-----------------------------------------+
|                      | CVE-2020-6096    |          |                          |                   | glibc: signed comparison                |
|                      |                  |          |                          |                   | vulnerability in the                    |
|                      |                  |          |                          |                   | ARMv7 memcpy function                   |
|                      |                  |          |                          |                   | -->avd.aquasec.com/nvd/cve-2020-6096    |
+                      +------------------+          +                          +-------------------+-----------------------------------------+
|                      | CVE-2021-27645   |          |                          |                   | glibc: Use-after-free in                |
|                      |                  |          |                          |                   | addgetnetgrentX function                |
|                      |                  |          |                          |                   | in netgroupcache.c                      |
|                      |                  |          |                          |                   | -->avd.aquasec.com/nvd/cve-2021-27645   |
+                      +------------------+          +                          +-------------------+-----------------------------------------+
|                      | CVE-2021-3326    |          |                          |                   | glibc: Assertion failure in             |
|                      |                  |          |                          |                   | ISO-2022-JP-3 gconv module              |
|                      |                  |          |                          |                   | related to combining characters         |
|                      |                  |          |                          |                   | -->avd.aquasec.com/nvd/cve-2021-3326    |
+                      +------------------+          +                          +-------------------+-----------------------------------------+
|                      | CVE-2021-33574   |          |                          |                   | glibc: mq_notify does                   |
|                      |                  |          |                          |                   | not handle separately                   |
|                      |                  |          |                          |                   | allocated thread attributes             |
|                      |                  |          |                          |                   | -->avd.aquasec.com/nvd/cve-2021-33574   |
+----------------------+------------------+----------+                          +-------------------+-----------------------------------------+
| libc6                | CVE-2021-35942   | MEDIUM   |                          |                   | glibc: Arbitrary read in wordexp()      |
|                      |                  |          |                          |                   | -->avd.aquasec.com/nvd/cve-2021-35942   |
+                      +------------------+          +                          +-------------------+-----------------------------------------+
|                      | CVE-2021-38604   |          |                          |                   | glibc: NULL pointer dereference in      |
|                      |                  |          |                          |                   | helper_thread() in mq_notify.c while    |
|                      |                  |          |                          |                   | handling NOTIFY_REMOVED messages...     |
|                      |                  |          |                          |                   | -->avd.aquasec.com/nvd/cve-2021-38604   |
+                      +------------------+----------+                          +-------------------+-----------------------------------------+
|                      | CVE-2016-10228   | LOW      |                          |                   | glibc: iconv program can hang           |
|                      |                  |          |                          |                   | when invoked with the -c option         |
|                      |                  |          |                          |                   | -->avd.aquasec.com/nvd/cve-2016-10228   |
+                      +------------------+          +                          +-------------------+-----------------------------------------+
|                      | CVE-2019-25013   |          |                          |                   | glibc: buffer over-read in              |
|                      |                  |          |                          |                   | iconv when processing invalid           |
|                      |                  |          |                          |                   | multi-byte input sequences in...        |
|                      |                  |          |                          |                   | -->avd.aquasec.com/nvd/cve-2019-25013   |
+                      +------------------+          +                          +-------------------+-----------------------------------------+
|                      | CVE-2020-27618   |          |                          |                   | glibc: iconv when processing            |
|                      |                  |          |                          |                   | invalid multi-byte input                |
|                      |                  |          |                          |                   | sequences fails to advance the...       |
|                      |                  |          |                          |                   | -->avd.aquasec.com/nvd/cve-2020-27618   |
+                      +------------------+          +                          +-------------------+-----------------------------------------+
|                      | CVE-2020-29562   |          |                          |                   | glibc: assertion failure in iconv       |
|                      |                  |          |                          |                   | when converting invalid UCS4            |
|                      |                  |          |                          |                   | -->avd.aquasec.com/nvd/cve-2020-29562   |
+                      +------------------+          +                          +-------------------+-----------------------------------------+
|                      | CVE-2020-6096    |          |                          |                   | glibc: signed comparison                |
|                      |                  |          |                          |                   | vulnerability in the                    |
|                      |                  |          |                          |                   | ARMv7 memcpy function                   |
|                      |                  |          |                          |                   | -->avd.aquasec.com/nvd/cve-2020-6096    |
+                      +------------------+          +                          +-------------------+-----------------------------------------+
|                      | CVE-2021-27645   |          |                          |                   | glibc: Use-after-free in                |
|                      |                  |          |                          |                   | addgetnetgrentX function                |
|                      |                  |          |                          |                   | in netgroupcache.c                      |
|                      |                  |          |                          |                   | -->avd.aquasec.com/nvd/cve-2021-27645   |
+                      +------------------+          +                          +-------------------+-----------------------------------------+
|                      | CVE-2021-3326    |          |                          |                   | glibc: Assertion failure in             |
|                      |                  |          |                          |                   | ISO-2022-JP-3 gconv module              |
|                      |                  |          |                          |                   | related to combining characters         |
|                      |                  |          |                          |                   | -->avd.aquasec.com/nvd/cve-2021-3326    |
+                      +------------------+          +                          +-------------------+-----------------------------------------+
|                      | CVE-2021-33574   |          |                          |                   | glibc: mq_notify does                   |
|                      |                  |          |                          |                   | not handle separately                   |
|                      |                  |          |                          |                   | allocated thread attributes             |
|                      |                  |          |                          |                   | -->avd.aquasec.com/nvd/cve-2021-33574   |
+----------------------+------------------+          +--------------------------+-------------------+-----------------------------------------+
| libcairo2            | CVE-2017-7475    |          | 1.16.0-4ubuntu1          |                   | cairo: NULL pointer dereference         |
|                      |                  |          |                          |                   | with a crafted font file                |
|                      |                  |          |                          |                   | -->avd.aquasec.com/nvd/cve-2017-7475    |
+                      +------------------+          +                          +-------------------+-----------------------------------------+
|                      | CVE-2017-9814    |          |                          |                   | cairo: Out-of-bounds read               |
|                      |                  |          |                          |                   | due to mishandling of                   |
|                      |                  |          |                          |                   | unexpected malloc(0) call               |
|                      |                  |          |                          |                   | -->avd.aquasec.com/nvd/cve-2017-9814    |
+                      +------------------+          +                          +-------------------+-----------------------------------------+
|                      | CVE-2018-18064   |          |                          |                   | cairo: Stack-based buffer               |
|                      |                  |          |                          |                   | overflow via parsing of                 |
|                      |                  |          |                          |                   | crafted WebKitGTK+ document             |
|                      |                  |          |                          |                   | -->avd.aquasec.com/nvd/cve-2018-18064   |
+                      +------------------+          +                          +-------------------+-----------------------------------------+
|                      | CVE-2019-6461    |          |                          |                   | cairo: assertion problem                |
|                      |                  |          |                          |                   | in _cairo_arc_in_direction              |
|                      |                  |          |                          |                   | in cairo-arc.c                          |
|                      |                  |          |                          |                   | -->avd.aquasec.com/nvd/cve-2019-6461    |
+                      +------------------+          +                          +-------------------+-----------------------------------------+
|                      | CVE-2019-6462    |          |                          |                   | cairo: infinite loop in the             |
|                      |                  |          |                          |                   | function _arc_error_normalized          |
|                      |                  |          |                          |                   | in the file cairo-arc.c                 |
|                      |                  |          |                          |                   | -->avd.aquasec.com/nvd/cve-2019-6462    |
+----------------------+------------------+          +--------------------------+-------------------+-----------------------------------------+
| libfl2               | CVE-2019-6293    |          | 2.6.4-6.2                |                   | flex: Recursive calls in the            |
|                      |                  |          |                          |                   | function mark_beginning_as_normal       |
|                      |                  |          |                          |                   | resulting in a denial of...             |
|                      |                  |          |                          |                   | -->avd.aquasec.com/nvd/cve-2019-6293    |
+----------------------+------------------+          +--------------------------+-------------------+-----------------------------------------+
| libgmp10             | CVE-2021-43618   |          | 2:6.2.0+dfsg-4           |                   | gmp: Integer overflow and resultant     |
|                      |                  |          |                          |                   | buffer overflow via crafted input       |
|                      |                  |          |                          |                   | -->avd.aquasec.com/nvd/cve-2021-43618   |
+----------------------+------------------+----------+--------------------------+-------------------+-----------------------------------------+
| libgssapi-krb5-2     | CVE-2021-36222   | MEDIUM   | 1.17-6ubuntu4.1          |                   | krb5: Sending a request containing      |
|                      |                  |          |                          |                   | PA-ENCRYPTED-CHALLENGE padata           |
|                      |                  |          |                          |                   | element without using FAST could...     |
|                      |                  |          |                          |                   | -->avd.aquasec.com/nvd/cve-2021-36222   |
+                      +------------------+----------+                          +-------------------+-----------------------------------------+
|                      | CVE-2018-5709    | LOW      |                          |                   | krb5: integer overflow                  |
|                      |                  |          |                          |                   | in dbentry->n_key_data                  |
|                      |                  |          |                          |                   | in kadmin/dbutil/dump.c                 |
|                      |                  |          |                          |                   | -->avd.aquasec.com/nvd/cve-2018-5709    |
+----------------------+------------------+          +--------------------------+-------------------+-----------------------------------------+
| libgssapi3-heimdal   | CVE-2021-3671    |          | 7.7.0+dfsg-1ubuntu1      |                   | samba: Null pointer dereference         |
|                      |                  |          |                          |                   | on missing sname in TGS-REQ             |
|                      |                  |          |                          |                   | -->avd.aquasec.com/nvd/cve-2021-3671    |
+----------------------+                  +          +                          +-------------------+                                         +
| libhcrypto4-heimdal  |                  |          |                          |                   |                                         |
|                      |                  |          |                          |                   |                                         |
|                      |                  |          |                          |                   |                                         |
+----------------------+                  +          +                          +-------------------+                                         +
| libheimbase1-heimdal |                  |          |                          |                   |                                         |
|                      |                  |          |                          |                   |                                         |
|                      |                  |          |                          |                   |                                         |
+----------------------+                  +          +                          +-------------------+                                         +
| libheimntlm0-heimdal |                  |          |                          |                   |                                         |
|                      |                  |          |                          |                   |                                         |
|                      |                  |          |                          |                   |                                         |
+----------------------+                  +          +                          +-------------------+                                         +
| libhx509-5-heimdal   |                  |          |                          |                   |                                         |
|                      |                  |          |                          |                   |                                         |
|                      |                  |          |                          |                   |                                         |
+----------------------+------------------+----------+--------------------------+-------------------+-----------------------------------------+
| libk5crypto3         | CVE-2021-36222   | MEDIUM   | 1.17-6ubuntu4.1          |                   | krb5: Sending a request containing      |
|                      |                  |          |                          |                   | PA-ENCRYPTED-CHALLENGE padata           |
|                      |                  |          |                          |                   | element without using FAST could...     |
|                      |                  |          |                          |                   | -->avd.aquasec.com/nvd/cve-2021-36222   |
+                      +------------------+----------+                          +-------------------+-----------------------------------------+
|                      | CVE-2018-5709    | LOW      |                          |                   | krb5: integer overflow                  |
|                      |                  |          |                          |                   | in dbentry->n_key_data                  |
|                      |                  |          |                          |                   | in kadmin/dbutil/dump.c                 |
|                      |                  |          |                          |                   | -->avd.aquasec.com/nvd/cve-2018-5709    |
+----------------------+------------------+          +--------------------------+-------------------+-----------------------------------------+
| libkrb5-26-heimdal   | CVE-2021-3671    |          | 7.7.0+dfsg-1ubuntu1      |                   | samba: Null pointer dereference         |
|                      |                  |          |                          |                   | on missing sname in TGS-REQ             |
|                      |                  |          |                          |                   | -->avd.aquasec.com/nvd/cve-2021-3671    |
+----------------------+------------------+----------+--------------------------+-------------------+-----------------------------------------+
| libkrb5-3            | CVE-2021-36222   | MEDIUM   | 1.17-6ubuntu4.1          |                   | krb5: Sending a request containing      |
|                      |                  |          |                          |                   | PA-ENCRYPTED-CHALLENGE padata           |
|                      |                  |          |                          |                   | element without using FAST could...     |
|                      |                  |          |                          |                   | -->avd.aquasec.com/nvd/cve-2021-36222   |
+                      +------------------+----------+                          +-------------------+-----------------------------------------+
|                      | CVE-2018-5709    | LOW      |                          |                   | krb5: integer overflow                  |
|                      |                  |          |                          |                   | in dbentry->n_key_data                  |
|                      |                  |          |                          |                   | in kadmin/dbutil/dump.c                 |
|                      |                  |          |                          |                   | -->avd.aquasec.com/nvd/cve-2018-5709    |
+----------------------+------------------+----------+                          +-------------------+-----------------------------------------+
| libkrb5support0      | CVE-2021-36222   | MEDIUM   |                          |                   | krb5: Sending a request containing      |
|                      |                  |          |                          |                   | PA-ENCRYPTED-CHALLENGE padata           |
|                      |                  |          |                          |                   | element without using FAST could...     |
|                      |                  |          |                          |                   | -->avd.aquasec.com/nvd/cve-2021-36222   |
+                      +------------------+----------+                          +-------------------+-----------------------------------------+
|                      | CVE-2018-5709    | LOW      |                          |                   | krb5: integer overflow                  |
|                      |                  |          |                          |                   | in dbentry->n_key_data                  |
|                      |                  |          |                          |                   | in kadmin/dbutil/dump.c                 |
|                      |                  |          |                          |                   | -->avd.aquasec.com/nvd/cve-2018-5709    |
+----------------------+------------------+          +--------------------------+-------------------+-----------------------------------------+
| libpcre3             | CVE-2017-11164   |          | 2:8.39-12build1          |                   | pcre: OP_KETRMAX feature in the         |
|                      |                  |          |                          |                   | match function in pcre_exec.c           |
|                      |                  |          |                          |                   | -->avd.aquasec.com/nvd/cve-2017-11164   |
+                      +------------------+          +                          +-------------------+-----------------------------------------+
|                      | CVE-2019-20838   |          |                          |                   | pcre: Buffer over-read in JIT           |
|                      |                  |          |                          |                   | when UTF is disabled and \X or...       |
|                      |                  |          |                          |                   | -->avd.aquasec.com/nvd/cve-2019-20838   |
+                      +------------------+          +                          +-------------------+-----------------------------------------+
|                      | CVE-2020-14155   |          |                          |                   | pcre: Integer overflow when             |
|                      |                  |          |                          |                   | parsing callout numeric arguments       |
|                      |                  |          |                          |                   | -->avd.aquasec.com/nvd/cve-2020-14155   |
+----------------------+------------------+          +--------------------------+-------------------+-----------------------------------------+
| libroken18-heimdal   | CVE-2021-3671    |          | 7.7.0+dfsg-1ubuntu1      |                   | samba: Null pointer dereference         |
|                      |                  |          |                          |                   | on missing sname in TGS-REQ             |
|                      |                  |          |                          |                   | -->avd.aquasec.com/nvd/cve-2021-3671    |
+----------------------+------------------+----------+--------------------------+-------------------+-----------------------------------------+
| libsqlite3-0         | CVE-2020-9794    | MEDIUM   | 3.31.1-4ubuntu0.2        |                   | An out-of-bounds read was               |
|                      |                  |          |                          |                   | addressed with improved bounds          |
|                      |                  |          |                          |                   | checking. This issue is...              |
|                      |                  |          |                          |                   | -->avd.aquasec.com/nvd/cve-2020-9794    |
+                      +------------------+----------+                          +-------------------+-----------------------------------------+
|                      | CVE-2020-9849    | LOW      |                          |                   | An information disclosure issue         |
|                      |                  |          |                          |                   | was addressed with improved             |
|                      |                  |          |                          |                   | state management. This issue...         |
|                      |                  |          |                          |                   | -->avd.aquasec.com/nvd/cve-2020-9849    |
+                      +------------------+          +                          +-------------------+-----------------------------------------+
|                      | CVE-2020-9991    |          |                          |                   | This issue was addressed                |
|                      |                  |          |                          |                   | with improved checks.                   |
|                      |                  |          |                          |                   | This issue is fixed in...               |
|                      |                  |          |                          |                   | -->avd.aquasec.com/nvd/cve-2020-9991    |
+----------------------+------------------+----------+--------------------------+-------------------+-----------------------------------------+
| libsystemd0          | CVE-2021-3997    | MEDIUM   | 245.4-4ubuntu3.13        | 245.4-4ubuntu3.15 | systemd: Uncontrolled recursion in      |
|                      |                  |          |                          |                   | systemd-tmpfiles when removing files    |
|                      |                  |          |                          |                   | -->avd.aquasec.com/nvd/cve-2021-3997    |
+----------------------+------------------+----------+--------------------------+-------------------+-----------------------------------------+
| libtasn1-6           | CVE-2018-1000654 | LOW      | 4.16.0-2                 |                   | libtasn1: Infinite loop in              |
|                      |                  |          |                          |                   | _asn1_expand_object_id(ptree)           |
|                      |                  |          |                          |                   | leads to memory exhaustion              |
|                      |                  |          |                          |                   | -->avd.aquasec.com/nvd/cve-2018-1000654 |
+----------------------+------------------+----------+--------------------------+-------------------+-----------------------------------------+
| libudev1             | CVE-2021-3997    | MEDIUM   | 245.4-4ubuntu3.13        | 245.4-4ubuntu3.15 | systemd: Uncontrolled recursion in      |
|                      |                  |          |                          |                   | systemd-tmpfiles when removing files    |
|                      |                  |          |                          |                   | -->avd.aquasec.com/nvd/cve-2021-3997    |
+----------------------+------------------+----------+--------------------------+-------------------+-----------------------------------------+
| libwind0-heimdal     | CVE-2021-3671    | LOW      | 7.7.0+dfsg-1ubuntu1      |                   | samba: Null pointer dereference         |
|                      |                  |          |                          |                   | on missing sname in TGS-REQ             |
|                      |                  |          |                          |                   | -->avd.aquasec.com/nvd/cve-2021-3671    |
+----------------------+------------------+----------+--------------------------+-------------------+-----------------------------------------+
| locales              | CVE-2021-35942   | MEDIUM   | 2.31-0ubuntu9.2          |                   | glibc: Arbitrary read in wordexp()      |
|                      |                  |          |                          |                   | -->avd.aquasec.com/nvd/cve-2021-35942   |
+                      +------------------+          +                          +-------------------+-----------------------------------------+
|                      | CVE-2021-38604   |          |                          |                   | glibc: NULL pointer dereference in      |
|                      |                  |          |                          |                   | helper_thread() in mq_notify.c while    |
|                      |                  |          |                          |                   | handling NOTIFY_REMOVED messages...     |
|                      |                  |          |                          |                   | -->avd.aquasec.com/nvd/cve-2021-38604   |
+                      +------------------+----------+                          +-------------------+-----------------------------------------+
|                      | CVE-2016-10228   | LOW      |                          |                   | glibc: iconv program can hang           |
|                      |                  |          |                          |                   | when invoked with the -c option         |
|                      |                  |          |                          |                   | -->avd.aquasec.com/nvd/cve-2016-10228   |
+                      +------------------+          +                          +-------------------+-----------------------------------------+
|                      | CVE-2019-25013   |          |                          |                   | glibc: buffer over-read in              |
|                      |                  |          |                          |                   | iconv when processing invalid           |
|                      |                  |          |                          |                   | multi-byte input sequences in...        |
|                      |                  |          |                          |                   | -->avd.aquasec.com/nvd/cve-2019-25013   |
+                      +------------------+          +                          +-------------------+-----------------------------------------+
|                      | CVE-2020-27618   |          |                          |                   | glibc: iconv when processing            |
|                      |                  |          |                          |                   | invalid multi-byte input                |
|                      |                  |          |                          |                   | sequences fails to advance the...       |
|                      |                  |          |                          |                   | -->avd.aquasec.com/nvd/cve-2020-27618   |
+                      +------------------+          +                          +-------------------+-----------------------------------------+
|                      | CVE-2020-29562   |          |                          |                   | glibc: assertion failure in iconv       |
|                      |                  |          |                          |                   | when converting invalid UCS4            |
|                      |                  |          |                          |                   | -->avd.aquasec.com/nvd/cve-2020-29562   |
+                      +------------------+          +                          +-------------------+-----------------------------------------+
|                      | CVE-2020-6096    |          |                          |                   | glibc: signed comparison                |
|                      |                  |          |                          |                   | vulnerability in the                    |
|                      |                  |          |                          |                   | ARMv7 memcpy function                   |
|                      |                  |          |                          |                   | -->avd.aquasec.com/nvd/cve-2020-6096    |
+                      +------------------+          +                          +-------------------+-----------------------------------------+
|                      | CVE-2021-27645   |          |                          |                   | glibc: Use-after-free in                |
|                      |                  |          |                          |                   | addgetnetgrentX function                |
|                      |                  |          |                          |                   | in netgroupcache.c                      |
|                      |                  |          |                          |                   | -->avd.aquasec.com/nvd/cve-2021-27645   |
+                      +------------------+          +                          +-------------------+-----------------------------------------+
|                      | CVE-2021-3326    |          |                          |                   | glibc: Assertion failure in             |
|                      |                  |          |                          |                   | ISO-2022-JP-3 gconv module              |
|                      |                  |          |                          |                   | related to combining characters         |
|                      |                  |          |                          |                   | -->avd.aquasec.com/nvd/cve-2021-3326    |
+                      +------------------+          +                          +-------------------+-----------------------------------------+
|                      | CVE-2021-33574   |          |                          |                   | glibc: mq_notify does                   |
|                      |                  |          |                          |                   | not handle separately                   |
|                      |                  |          |                          |                   | allocated thread attributes             |
|                      |                  |          |                          |                   | -->avd.aquasec.com/nvd/cve-2021-33574   |
+----------------------+------------------+          +--------------------------+-------------------+-----------------------------------------+
| login                | CVE-2013-4235    |          | 1:4.8.1-1ubuntu5.20.04.1 |                   | shadow-utils: TOCTOU race               |
|                      |                  |          |                          |                   | conditions by copying and               |
|                      |                  |          |                          |                   | removing directory trees                |
|                      |                  |          |                          |                   | -->avd.aquasec.com/nvd/cve-2013-4235    |
+----------------------+                  +          +                          +-------------------+                                         +
| passwd               |                  |          |                          |                   |                                         |
|                      |                  |          |                          |                   |                                         |
|                      |                  |          |                          |                   |                                         |
|                      |                  |          |                          |                   |                                         |
+----------------------+------------------+----------+--------------------------+-------------------+-----------------------------------------+
| perl-base            | CVE-2020-16156   | MEDIUM   | 5.30.0-9ubuntu0.2        |                   | perl-CPAN: Bypass of verification       |
|                      |                  |          |                          |                   | of signatures in CHECKSUMS files        |
|                      |                  |          |                          |                   | -->avd.aquasec.com/nvd/cve-2020-16156   |
+----------------------+------------------+----------+--------------------------+-------------------+-----------------------------------------+
github-actions[bot] commented 2 years ago

Thanks for opening your first issue here! Be sure to follow the bug or feature issue templates!

thelamer commented 2 years ago

We are one of the rare orgs that actually does keep our base images up to date. Read more about it here: https://github.com/linuxserver/pipeline-triggers https://github.com/linuxserver/docker-jenkins-builder We run package checks every week on top of ingesting upstream versions.

thespad commented 2 years ago

As you can see from your own scan output (if you actually read it) only one of the listed CVEs is actually currently patchable in 20.04, the patch for it was only released 6 days ago, it's a vulnerability in systemd which isn't used in the container, and can only be exploited locally in any case.

Dumping unfiltered, unverified, vulnerability scanner output into a Github issue isn't useful to anyone.

dillbyrne commented 2 years ago

Hi, I did actually read the output and decided to leave full report in case there may have been mitigations possible while waiting on a fix from upstream.

I was not aware of the existing integrations nor the fact systemd was not used in the base image so that is on me. I regret having wasted your time and I appreciate the effort but the issue was made in good faith. Take care