justincarter
commented
4 years ago Which version/tag of the Lucee Docker images are you looking for a rebuild of?
Sometimes rebuilding an image isn't appropriate if some underlying versions have changed that could affect compatibility, particularly when the base image changes OS (Debian) versions. If we rebuilt using the same exact tag then people who are using the Lucee images with that tag could find their application breaks next time they go to build.
I am happy to do a rebuild for recent versions where compatibility isn't an issue though.
Do you know if any of the CVE's listed are fixable via using a newer Tomcat
base image specifically, or would an apt-get update fix the issues as
well? It's usually a good idea to update packages in your own Dockerfile
for those reasons, but if there's a base image issue then I'm happy to help
however I can.
On Wed, 15 Jul 2020 at 02:26, Jamie Jackson notifications@github.com wrote:
I think the SOP is to do periodic matrix rebuilds to pick up patches from base images.
Latest:
[image: image] https://user-images.githubusercontent.com/479475/87449435-35cece00-c5cb-11ea-88d3-1485f0e29e91.png Name Package Severity Description CVE-2020-10878 perl:5.28.1-6 HIGH Perl before 5.30.3 has an integer overflow related to mishandling of a "PL_regkind[OP(n)] == NOTHING" situation. A crafted regular expression could lead to malformed bytecode with a possibility of instruction injection. CVE-2020-8492 python2.7:2.7.16-2+deb10u1 HIGH Python 2.7 through 2.7.17, 3.5 through 3.5.9, 3.6 through 3.6.10, 3.7 through 3.7.6, and 3.8 through 3.8.1 allows an HTTP server to conduct Regular Expression Denial of Service (ReDoS) attacks against a client because of urllib.request.AbstractBasicAuthHandler catastrophic backtracking. CVE-2018-12886 gcc-8:8.3.0-6 MEDIUM stack_protect_prologue in cfgexpand.c and stack_protect_epilogue in function.c in GNU Compiler Collection (GCC) 4.1 through 8 (under certain circumstances) generate instruction sequences when targeting ARM targets that spill the address of the stack protector guard, which allows an attacker to bypass the protection of -fstack-protector, -fstack-protector-all, -fstack-protector-strong, and -fstack-protector-explicit against stack overflow by controlling what the stack canary is compared against. CVE-2020-1751 glibc:2.28-10 MEDIUM An out-of-bounds write vulnerability was found in glibc before 2.31 when handling signal trampolines on PowerPC. Specifically, the backtrace function did not properly check the array bounds when storing the frame address, resulting in a denial of service or potential code execution. The highest threat from this vulnerability is to system availability. CVE-2019-20367 libbsd:0.9.1-2 MEDIUM nlist.c in libbsd before 0.10.0 has an out-of-bounds read during a comparison for a symbol name from the string table (strtab). CVE-2019-12290 libidn2:2.0.5-1+deb10u1 MEDIUM GNU libidn2 before 2.2.0 fails to perform the roundtrip checks specified in RFC3490 Section 4.2 when converting A-labels to U-labels. This makes it possible in some circumstances for one domain to impersonate another. By creating a malicious domain that matches a target domain except for the inclusion of certain punycoded Unicode characters (that would be discarded when converted first to a Unicode label and then back to an ASCII label), arbitrary domains can be impersonated. CVE-2019-13115 libssh2:1.8.0-2.1 MEDIUM In libssh2 before 1.9.0, kex_method_diffie_hellman_group_exchange_sha256_key_exchange in kex.c has an integer overflow that could lead to an out-of-bounds read in the way packets are read from the server. A remote attacker who compromises a SSH server may be able to disclose sensitive information or cause a denial of service condition on the client system when a user connects to the server. This is related to an _libssh2_check_length mistake, and is different from the various issues fixed in 1.8.1, such as CVE-2019-3855. CVE-2019-20454 pcre2:10.32-5 MEDIUM An out-of-bounds read was discovered in PCRE before 10.34 when the pattern \X is JIT compiled and used to match specially crafted subjects in non-UTF mode. Applications that use PCRE to parse untrusted input may be vulnerable to this flaw, which would allow an attacker to crash the application. The flaw occurs in do_extuni_no_utf in pcre2_jit_compile.c. CVE-2020-14155 pcre3:2:8.39-12 MEDIUM libpcre in PCRE before 8.44 allows an integer overflow via a large number after a (?C substring. CVE-2020-12723 perl:5.28.1-6 MEDIUM regcomp.c in Perl before 5.30.3 allows a buffer overflow via a crafted regular expression because of recursive S_study_chunk calls. CVE-2020-10543 perl:5.28.1-6 MEDIUM Perl before 5.30.3 on 32-bit platforms allows a heap-based buffer overflow because nested regular expression quantifiers have an integer overflow. CVE-2020-11655 sqlite3:3.27.2-3 MEDIUM SQLite through 3.31.1 allows attackers to cause a denial of service (segmentation fault) via a malformed window-function query because the AggInfo object's initialization is mishandled. CVE-2019-16168 sqlite3:3.27.2-3 MEDIUM In SQLite through 3.29.0, whereLoopAddBtreeIndex in sqlite3.c can crash a browser or other application because of missing validation of a sqlite_stat1 sz field, aka a "severe division by zero in the query planner." CVE-2019-19603 sqlite3:3.27.2-3 MEDIUM SQLite 3.30.1 mishandles certain SELECT statements with a nonexistent VIEW, leading to an application crash. CVE-2019-20218 sqlite3:3.27.2-3 MEDIUM selectExpander in select.c in SQLite 3.30.1 proceeds with WITH stack unwinding even after a parsing error.
— You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub https://github.com/lucee/lucee-dockerfiles/issues/64, or unsubscribe https://github.com/notifications/unsubscribe-auth/AACVQDLJXYT77MY7W4NHKNDR3SBMNANCNFSM4OZV4C4A .
jamiejackson
I think the SOP is to do periodic matrix rebuilds to pick up patches from base images.
Latest: