Closed. dillbyrne closed this issue 2 years ago.
We are one of the rare orgs that actually does keep our base images up to date. Read more about it here:
https://github.com/linuxserver/pipeline-triggers
https://github.com/linuxserver/docker-jenkins-builder
We run package checks every week on top of ingesting upstream versions.
As you can see from your own scan output (if you actually read it), only one of the listed CVEs is actually currently patchable in 20.04; the patch for it was only released 6 days ago, it's a vulnerability in systemd, which isn't used in the container, and it can only be exploited locally in any case.
Dumping unfiltered, unverified, vulnerability scanner output into a Github issue isn't useful to anyone.
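The triage the maintainer describes above (is a fixed package published yet, and is the affected component even used in the container?) as an added example, not code from linuxserver.io or from this issue. The report shape, package names, versions and the "unused at runtime" list are all constructed for illustration.

```python
import json
from collections import defaultdict

# Constructed sample in a generic scanner-style shape (not the scan output from this issue).
# "fixed" is empty when the distro has not yet published a patched package.
SAMPLE_REPORT = json.dumps([
    {"id": "CVE-EXAMPLE-0001", "pkg": "systemd", "installed": "1.0-1",
     "fixed": "1.0-2", "severity": "HIGH"},
    {"id": "CVE-EXAMPLE-0002", "pkg": "libc6", "installed": "2.0-1",
     "fixed": "", "severity": "MEDIUM"},
    {"id": "CVE-EXAMPLE-0003", "pkg": "openssl", "installed": "3.0-1",
     "fixed": "", "severity": "LOW"},
])

# Hypothetical list: packages present in the image but never executed at runtime.
UNUSED_AT_RUNTIME = {"systemd"}


def triage(report_json, unused=UNUSED_AT_RUNTIME):
    """Split findings into what an image maintainer can act on.

    'patchable'        - fix published and the package is used at runtime
    'patchable_unused' - fix published but the package is not used at runtime
    'no_fix'           - the distro has not shipped a fix; nothing to rebuild yet
    """
    buckets = defaultdict(list)
    for finding in json.loads(report_json):
        if not finding.get("fixed"):
            buckets["no_fix"].append(finding["id"])
        elif finding["pkg"] in unused:
            buckets["patchable_unused"].append(finding["id"])
        else:
            buckets["patchable"].append(finding["id"])
    return {key: sorted(ids) for key, ids in buckets.items()}


def summarize(buckets):
    """Render the buckets as short report lines, actionable items first."""
    lines = []
    for key in ("patchable", "patchable_unused", "no_fix"):
        ids = buckets.get(key, [])
        lines.append(f"{key}: {len(ids)} -> {', '.join(ids) or '-'}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(summarize(triage(SAMPLE_REPORT)))
```

Only the "patchable" bucket is worth opening an issue for; the other two are noise for the image maintainer until upstream ships a fix.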
Hi, I did actually read the output and decided to leave the full report in case there may have been mitigations possible while waiting on a fix from upstream.
I was not aware of the existing integrations nor the fact that systemd was not used in the base image, so that is on me. I regret having wasted your time and I appreciate the effort, but the issue was made in good faith. Take care.
Expected Behavior
No known vulnerabilities
Current Behavior
Update the base image that is shared across many LS images.
Steps to Reproduce
Environment
Image version: linuxserver/jellyfin:10.7.7-1-ls146
OS: Debian 11
CPU architecture: x86_64
How docker service was installed: from the official docker repo
Command used to create docker container (compose)
Results of scan