Open dnltech2020 opened 2 weeks ago
Mod-action: Deleted a scam attempt unrelated to this issue above. Reported user as malicious to GitHub. Community discussion on this: https://github.com/community/maintainers/discussions/442
@dnltech2020 What scanner are you using and could you attach the results?
Also what do you mean by image bump?
Attached is the list of current vulnerabilities. If you can rebuild the image and pull the latest packages, maybe it will fix some of the vulnerabilities.
Only packages with a fixed version field could be resolved.
Scan done with the Trivy security scanner.
The report attached does not parse properly.
Could you please attach the content as markdown instead?
Also please go over the report yourself first. From my glance, there is just a ton of garbage in there, without true positives. Noise != vulnerabilities.
Without a reason, we won't do a release; that is just busy-work to achieve some metrics. Maintainer time (= my time) is something that I only have a limited amount of.
There are 3 critical packages that should be resolved ASAP:

| Package | CVE | Severity | Title |
|---|---|---|---|
| libdb5.3 | CVE-2019-8457 | CRITICAL | sqlite: heap out-of-bound read in function rtreenode() |
| python3-cryptography | CVE-2020-36242 | CRITICAL | python-cryptography: Large inputs for symmetric encryption can trigger integer overflow |
| zlib1g | CVE-2023-45853 | CRITICAL | zlib: integer overflow and resultant heap-based buffer overflow in zipOpenNewFileInZip4_6 |
As said, those just seem like non-exploitable noise. => don't warrant a patch release.
They will be updated in the next regular release, when we have a reason for one.
- rtreenode (we don't have spatial data => no rtree => not exploitable. If attackers have access to sqlite, you are already kind of screwed)
- python3-cryptography, that is just part of the base image
- zipOpenNewFileInZip4_6, that is just part of the base image
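As an added example (not code from this thread or from the Uptime Kuma project), here is a small triage script for the situation discussed above: it reads Trivy's JSON output, drops findings that carry no FixedVersion (the ones a rebuild cannot resolve), applies a severity floor, and renders what is left as the markdown table the maintainer asked for. The report embedded in the script is constructed: it reuses the package names and CVE IDs from the thread, but the version strings and which entries carry a FixedVersion are made up for the example. A real report would come from `trivy image --format json --output report.json <image>` (Trivy can also do this filtering itself with `--ignore-unfixed` and `--severity`).

```python
"""Triage a Trivy JSON report: keep only findings a rebuild can actually fix."""
import json

SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Constructed sample in the shape of `trivy image --format json` output.
# Package and CVE names come from the thread; the version strings and which
# entries have a FixedVersion are made up for the example, not real data.
SAMPLE_REPORT = {
    "Results": [
        {
            "Target": "example-image (debian)",
            "Class": "os-pkgs",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-2019-8457", "PkgName": "libdb5.3",
                 "InstalledVersion": "5.3.28-example", "Severity": "CRITICAL",
                 "Title": "sqlite: heap out-of-bound read in function rtreenode()"},
                {"VulnerabilityID": "CVE-2023-45853", "PkgName": "zlib1g",
                 "InstalledVersion": "1.2.13-example",
                 "FixedVersion": "1.2.13-example-fixed", "Severity": "CRITICAL",
                 "Title": "zlib: integer overflow and resultant heap-based buffer "
                          "overflow in zipOpenNewFileInZip4_6"},
                {"VulnerabilityID": "CVE-2020-36242", "PkgName": "python3-cryptography",
                 "InstalledVersion": "3.3.2-example", "Severity": "CRITICAL",
                 "Title": "python-cryptography: Large inputs for symmetric encryption "
                          "can trigger integer overflow"},
                {"VulnerabilityID": "EXAMPLE-LOW-0001", "PkgName": "example-pkg",
                 "InstalledVersion": "1.0-example", "FixedVersion": "1.1-example",
                 "Severity": "LOW", "Title": "constructed low-severity finding"},
            ],
        },
        # Trivy omits the Vulnerabilities key entirely for a clean target.
        {"Target": "Node.js", "Class": "lang-pkgs"},
    ]
}
SAMPLE_JSON = json.dumps(SAMPLE_REPORT)


def flatten(report):
    """Return one flat dict per finding, tagged with the Target it came from."""
    findings = []
    for result in report.get("Results", []):
        for v in result.get("Vulnerabilities") or []:
            findings.append({
                "target": result.get("Target", ""),
                "id": v["VulnerabilityID"],
                "pkg": v["PkgName"],
                "installed": v.get("InstalledVersion", ""),
                "fixed": v.get("FixedVersion", ""),   # empty => distro has no fix yet
                "severity": v.get("Severity", "UNKNOWN").upper(),
                "title": v.get("Title", ""),
            })
    return findings


def triage(findings, min_severity="HIGH", fixed_only=True):
    """Keep findings at or above min_severity; with fixed_only, drop unfixed ones."""
    floor = SEVERITY_RANK[min_severity]
    keep = []
    for f in findings:
        if SEVERITY_RANK.get(f["severity"], 0) < floor:
            continue
        if fixed_only and not f["fixed"]:
            continue
        keep.append(f)
    # Most severe first, then by package name for a stable table.
    return sorted(keep, key=lambda f: (-SEVERITY_RANK.get(f["severity"], 0), f["pkg"]))


def summarize(findings):
    """Per-severity counts, split into fixable (FixedVersion present) and unfixed."""
    summary = {}
    for f in findings:
        bucket = summary.setdefault(f["severity"], {"fixed": 0, "unfixed": 0})
        bucket["fixed" if f["fixed"] else "unfixed"] += 1
    return summary


def to_markdown(findings):
    """Render findings as a GitHub-flavoured markdown table."""
    lines = ["| Severity | Package | ID | Installed | Fixed in | Title |",
             "|---|---|---|---|---|---|"]
    for f in findings:
        title = f["title"].replace("|", "\\|")  # keep pipes from breaking the table
        lines.append(f"| {f['severity']} | {f['pkg']} | {f['id']} | "
                     f"{f['installed']} | {f['fixed'] or '(none)'} | {title} |")
    return "\n".join(lines)


def triage_report(raw_json, min_severity="HIGH", fixed_only=True):
    """Parse a Trivy JSON string and return (summary, actionable findings)."""
    findings = flatten(json.loads(raw_json))
    return summarize(findings), triage(findings, min_severity, fixed_only)


if __name__ == "__main__":
    summary, actionable = triage_report(SAMPLE_JSON)
    print("summary by severity:", summary)
    print(to_markdown(actionable))
```

With the constructed data, the summary shows three CRITICAL findings of which only one has a fix available, and the table contains just that one row; the other two are exactly the kind of entry that should be checked for reachability (as the maintainer did for rtreenode) rather than pasted into an issue as-is.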
⚠️ Please verify that this question has NOT been raised before.
🛡️ Security Policy
📝 Describe your problem
When scanning the latest image version 1.23.13, there are 54 security vulnerabilities. Can this deployment be bumped to resolve the security vulnerabilities?
📝 Error Message(s) or Log
No response
🐻 Uptime-Kuma Version
1.23.13
💻 Operating System and Arch
debian
🌐 Browser
chrome
🖥️ Deployment Environment