louislam / uptime-kuma

A fancy self-hosted monitoring tool
https://uptime.kuma.pet
MIT License

vulnerabilities - image bump to resolve security vulnerabilities #5054

Open dnltech2020 opened 2 weeks ago

dnltech2020 commented 2 weeks ago

⚠️ Please verify that this question has NOT been raised before.

🛡️ Security Policy

📝 Describe your problem

When scanning the latest image version 1.23.13, there are 54 security vulnerabilities. Can this deployment be bumped to resolve the security vulnerabilities?

📝 Error Message(s) or Log

No response

🐻 Uptime-Kuma Version

1.23.13

💻 Operating System and Arch

debian

🌐 Browser

chrome

🖥️ Deployment Environment

CommanderStorm commented 2 weeks ago

Mod-action: Deleted a scam attempt unrelated to this issue above. Reported user as malicious to GitHub. Community discussion on this: https://github.com/community/maintainers/discussions/442

CommanderStorm commented 2 weeks ago

@dnltech2020 What scanner are you using and could you attach the results?

Also what do you mean by image bump?

dnltech2020 commented 2 weeks ago

Attached is the list of current vulnerabilities. If you can rebuild the image and pull the latest packages, maybe it will fix some of the vulnerabilities.

Only packages with a fixed version field could be resolved.

Scan done with the Trivy security scanner.

Vaulnaribility-list.zip

CommanderStorm commented 2 weeks ago

the report attached does not properly parse image

Could you please attach the content as markdown instead?

CommanderStorm commented 2 weeks ago

Also please go over the report yourself first. From my glance, there is just a ton of garbage in there, without true positives. Noise != vulnerabilities.

Without a reason, we won't do a release; that is just busy-work to achieve some metrics. Maintainer time (= my time) is something that I only have a limited amount of.

dnltech2020 commented 2 weeks ago

There are 3 critical packages that should be resolved ASAP:

| Package | CVE | Severity | Description |
|---|---|---|---|
| libdb5.3 | CVE-2019-8457 | CRITICAL | sqlite: heap out-of-bound read in function rtreenode() |
| python3-cryptography | CVE-2020-36242 | CRITICAL | python-cryptography: Large inputs for symmetric encryption can trigger integer overflow |
| zlib1g | CVE-2023-45853 | CRITICAL | zlib: integer overflow and resultant heap-based buffer overflow in zipOpenNewFileInZip4_6 |

CommanderStorm commented 2 weeks ago

As said, those just seem like non-exploitable noise. => don't warrant a patch release.

They will be updated in the next regular release, when we have a reason for one.
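The two triage points raised in this thread, that only findings with a fixed version field can be resolved by rebuilding the image and that the rest of a Trivy report is mostly noise, can be applied mechanically to a Trivy JSON report. The script below is an added example by the editor, not code from the Uptime Kuma project; the embedded report is constructed (the CVE ids and package names are the ones quoted above, the versions are placeholders, not real Debian package versions).

```python
import json
from collections import Counter

# Constructed sample in the layout of `trivy image -f json`; versions are placeholders.
SAMPLE_REPORT = json.dumps({
    "Results": [{
        "Target": "example-image (debian constructed)",
        "Vulnerabilities": [
            {"VulnerabilityID": "CVE-2019-8457", "PkgName": "libdb5.3", "Severity": "CRITICAL",
             "InstalledVersion": "5.3-constructed", "FixedVersion": "",
             "Title": "sqlite: heap out-of-bound read in function rtreenode()"},
            {"VulnerabilityID": "CVE-2020-36242", "PkgName": "python3-cryptography",
             "Severity": "CRITICAL", "InstalledVersion": "3.3-constructed",
             "FixedVersion": "3.3-constructed-fix",
             "Title": "python-cryptography: Large inputs for symmetric encryption"},
            {"VulnerabilityID": "CVE-2023-45853", "PkgName": "zlib1g", "Severity": "CRITICAL",
             "InstalledVersion": "1.2-constructed", "FixedVersion": "",
             "Title": "zlib: integer overflow in zipOpenNewFileInZip4_6"},
            {"VulnerabilityID": "EXAMPLE-0001", "PkgName": "libexample", "Severity": "LOW",
             "InstalledVersion": "1.0-constructed", "FixedVersion": "1.1-constructed",
             "Title": "constructed low-severity finding"},
        ],
    }],
})

SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}


def load_findings(report_json: str) -> list:
    """Flatten every Result of a Trivy report into one list of finding dicts."""
    report = json.loads(report_json)
    findings = []
    for result in report.get("Results", []):
        # Trivy emits null (not []) for targets without findings.
        for vuln in result.get("Vulnerabilities") or []:
            findings.append({**vuln, "Target": result.get("Target", "")})
    return findings


def actionable(findings: list, min_severity: str = "HIGH") -> list:
    """Keep only findings a rebuild could change: a FixedVersion exists and severity >= threshold."""
    threshold = SEVERITY_RANK[min_severity]
    return [f for f in findings
            if f.get("FixedVersion")
            and SEVERITY_RANK.get(f.get("Severity", "UNKNOWN"), 0) >= threshold]


def summarize(findings: list) -> Counter:
    """Count findings by (severity, fix available) to separate patchable items from noise."""
    return Counter((f.get("Severity", "UNKNOWN"), bool(f.get("FixedVersion"))) for f in findings)


if __name__ == "__main__":
    all_findings = load_findings(SAMPLE_REPORT)
    print(summarize(all_findings))
    for f in actionable(all_findings):
        print(f["Severity"], f["VulnerabilityID"], f["PkgName"], "->", f["FixedVersion"])
```

Point it at a real report with `load_findings(open("report.json").read())`; anything left in `actionable()` is what a rebuild against updated base packages could actually change, the rest needs a per-finding reachability judgement.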