mailhog / MailHog

Web and API based SMTP testing
MIT License
13.99k stars, 1.06k forks

Official Docker Hub Image needs to be rebuilt - Security Vulnerabilities #379

Open frostyandy2k opened 3 years ago

frostyandy2k commented 3 years ago

The image uploaded to Docker Hub is 13 months old (Oct. 2021) and should be upgraded, as there are multiple vulnerabilities in the underlying Alpine (3.12; current is 3.14):

mailhog (alpine 3.12.0)
==================================================================================================
Total: 12 (HIGH: 9, CRITICAL: 3)
+--------------+------------------+----------+-------------------+---------------+---------------------------------------+
|   LIBRARY    | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION |                 TITLE                 |
+--------------+------------------+----------+-------------------+---------------+---------------------------------------+
| apk-tools    | CVE-2021-36159   | CRITICAL | 2.10.5-r1         | 2.10.7-r0     | libfetch before 2021-07-26, as        |
|              |                  |          |                   |               | used in apk-tools, xbps, and          |
|              |                  |          |                   |               | other products, mishandles...         |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-36159 |
+              +------------------+----------+                   +---------------+---------------------------------------+
|              | CVE-2021-30139   | HIGH     |                   | 2.10.6-r0     | In Alpine Linux apk-tools             |
|              |                  |          |                   |               | before 2.12.5, the tarball            |
|              |                  |          |                   |               | parser allows a buffer...             |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-30139 |
+--------------+------------------+          +-------------------+---------------+---------------------------------------+
| busybox      | CVE-2021-28831   |          | 1.31.1-r16        | 1.31.1-r20    | busybox: invalid free or segmentation |
|              |                  |          |                   |               | fault via malformed gzip data         |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-28831 |
+--------------+------------------+----------+-------------------+---------------+---------------------------------------+
| libcrypto1.1 | CVE-2021-3711    | CRITICAL | 1.1.1g-r0         | 1.1.1l-r0     | openssl: SM2 Decryption               |
|              |                  |          |                   |               | Buffer Overflow                       |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-3711  |
+              +------------------+----------+                   +---------------+---------------------------------------+
|              | CVE-2021-23840   | HIGH     |                   | 1.1.1j-r0     | openssl: integer                      |
|              |                  |          |                   |               | overflow in CipherUpdate              |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-23840 |
+              +------------------+          +                   +---------------+---------------------------------------+
|              | CVE-2021-3450    |          |                   | 1.1.1k-r0     | openssl: CA certificate check         |
|              |                  |          |                   |               | bypass with X509_V_FLAG_X509_STRICT   |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-3450  |
+              +------------------+          +                   +---------------+---------------------------------------+
|              | CVE-2021-3712    |          |                   | 1.1.1l-r0     | openssl: Read buffer overruns         |
|              |                  |          |                   |               | processing ASN.1 strings              |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-3712  |
+--------------+------------------+----------+                   +               +---------------------------------------+
| libssl1.1    | CVE-2021-3711    | CRITICAL |                   |               | openssl: SM2 Decryption               |
|              |                  |          |                   |               | Buffer Overflow                       |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-3711  |
+              +------------------+----------+                   +---------------+---------------------------------------+
|              | CVE-2021-23840   | HIGH     |                   | 1.1.1j-r0     | openssl: integer                      |
|              |                  |          |                   |               | overflow in CipherUpdate              |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-23840 |
+              +------------------+          +                   +---------------+---------------------------------------+
|              | CVE-2021-3450    |          |                   | 1.1.1k-r0     | openssl: CA certificate check         |
|              |                  |          |                   |               | bypass with X509_V_FLAG_X509_STRICT   |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-3450  |
+              +------------------+          +                   +---------------+---------------------------------------+
|              | CVE-2021-3712    |          |                   | 1.1.1l-r0     | openssl: Read buffer overruns         |
|              |                  |          |                   |               | processing ASN.1 strings              |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-3712  |
+--------------+------------------+          +-------------------+---------------+---------------------------------------+
| ssl_client   | CVE-2021-28831   |          | 1.31.1-r16        | 1.31.1-r20    | busybox: invalid free or segmentation |
|              |                  |          |                   |               | fault via malformed gzip data         |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-28831 |
+--------------+------------------+----------+-------------------+---------------+---------------------------------------+
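As an added example (not part of this issue, and not code from MailHog or from the images linked below), here is a small Python parser for the Trivy table format shown above. It resolves the merged cells Trivy draws with blank separator segments (`+   +` instead of `+---+`), cross-checks the parsed rows against the `Total:` line, and reduces the report to a pass/fail verdict on HIGH/CRITICAL findings that already have a fixed package version. The embedded report is a trimmed excerpt of the scan output posted in this issue (six of the twelve findings, title text shortened, summary line rewritten to match the excerpt), so the script runs without Trivy installed.

```python
"""Parse Trivy's table report and gate on fixable HIGH/CRITICAL findings."""
import re
from collections import Counter
from dataclasses import dataclass

# Trimmed excerpt of the Trivy output posted in this issue: six of the twelve
# findings, title text shortened, summary line rewritten to match the excerpt.
SAMPLE_REPORT = """\
mailhog (alpine 3.12.0)
==================================================================================================
Total: 6 (HIGH: 3, CRITICAL: 3)
+--------------+------------------+----------+-------------------+---------------+---------------------------------------+
|   LIBRARY    | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION |                 TITLE                 |
+--------------+------------------+----------+-------------------+---------------+---------------------------------------+
| apk-tools    | CVE-2021-36159   | CRITICAL | 2.10.5-r1         | 2.10.7-r0     | libfetch before 2021-07-26, as        |
|              |                  |          |                   |               | used in apk-tools, xbps, and          |
+              +------------------+----------+                   +---------------+---------------------------------------+
|              | CVE-2021-30139   | HIGH     |                   | 2.10.6-r0     | In Alpine Linux apk-tools             |
+--------------+------------------+          +-------------------+---------------+---------------------------------------+
| busybox      | CVE-2021-28831   |          | 1.31.1-r16        | 1.31.1-r20    | busybox: invalid free or segmentation |
+--------------+------------------+----------+-------------------+---------------+---------------------------------------+
| libcrypto1.1 | CVE-2021-3711    | CRITICAL | 1.1.1g-r0         | 1.1.1l-r0     | openssl: SM2 Decryption               |
+              +------------------+----------+                   +---------------+---------------------------------------+
|              | CVE-2021-3712    | HIGH     |                   | 1.1.1l-r0     | openssl: Read buffer overruns         |
+--------------+------------------+----------+                   +               +---------------------------------------+
| libssl1.1    | CVE-2021-3711    | CRITICAL |                   |               | openssl: SM2 Decryption               |
+--------------+------------------+----------+-------------------+---------------+---------------------------------------+
"""

FIELDS = ("library", "vuln_id", "severity", "installed", "fixed")
SUMMARY_RE = re.compile(r"^Total:\s*(\d+)\s*\((.*)\)")


@dataclass
class Finding:
    library: str
    vuln_id: str
    severity: str
    installed: str
    fixed: str
    title: str = ""


def _merged_columns(separator):
    """True for each column whose separator segment is blank: Trivy draws
    '+   +' instead of '+---+' when a cell repeats the value above it."""
    return [seg.strip() == "" for seg in separator.strip().strip("+").split("+")]


def parse_summary(text):
    """Return (total, {severity: count}) from the 'Total: N (...)' line."""
    for line in text.splitlines():
        m = SUMMARY_RE.match(line)
        if m:
            pairs = re.findall(r"(\w+):\s*(\d+)", m.group(2))
            return int(m.group(1)), {sev: int(n) for sev, n in pairs}
    raise ValueError("no summary line found")


def parse_findings(text):
    """Turn the table rows into Finding records, resolving merged cells."""
    findings, prev, merged = [], None, [False] * 6
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("+"):          # separator: remember which cells merge
            merged = _merged_columns(line)
            continue
        if not line.startswith("|"):      # preamble, summary line, blanks
            continue
        cells = [c.strip() for c in line.strip("|").split("|")]
        if len(cells) != 6 or cells[1] == "VULNERABILITY ID":
            continue
        if cells[1]:                      # a row with an ID starts a finding
            values = {name: getattr(prev, name) if (merged[i] and prev) else cells[i]
                      for i, name in enumerate(FIELDS)}
            prev = Finding(**values, title=cells[5])
            findings.append(prev)
        elif prev is not None and cells[5]:   # wrapped title text
            prev.title = f"{prev.title} {cells[5]}"
    return findings


def fixable(findings, severities=("HIGH", "CRITICAL")):
    """Findings at the given severities for which a fixed version exists."""
    return [f for f in findings if f.severity in severities and f.fixed]


def check_report(text):
    """Cross-check rows against the summary line, then decide the gate."""
    total, by_severity = parse_summary(text)
    findings = parse_findings(text)
    observed = Counter(f.severity for f in findings)
    if len(findings) != total or dict(observed) != by_severity:
        raise ValueError(f"summary says {by_severity}, rows give {dict(observed)}")
    fixes = fixable(findings)
    return {"total": total, "fixable": len(fixes), "fail": bool(fixes)}


if __name__ == "__main__":
    for f in fixable(parse_findings(SAMPLE_REPORT)):
        print(f"{f.severity:8} {f.library:13} {f.vuln_id:15} {f.installed} -> {f.fixed}")
    print(check_report(SAMPLE_REPORT))
```

Because every finding in the excerpt has a fixed version, the verdict is `fail`, which is exactly the signal that a rebuild on a current Alpine base (rather than any change to MailHog itself) would clear the report. In a CI pipeline Trivy can produce the same gate on its own with `trivy image --severity HIGH,CRITICAL --ignore-unfixed --exit-code 1 <image>`; parsing the table is mainly useful when all you have is a pasted report like the one in this issue.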
back-2-95 commented 2 years ago

Inspired by #245, we have made this (which we use on a daily basis): https://hub.docker.com/repository/docker/druidfi/mailhog

Here is the Dockerfile: https://github.com/druidfi/docker-images/blob/main/misc/mailhog/Dockerfile

jonathantullett commented 2 years ago

@back-2-95 - thanks for building this image. It's sorted my issue with getting mailhog running on rpi 64bit!

ati90ati commented 2 years ago

Here is our solution until somebody makes a newer version with OS updates: https://github.com/mailhog/MailHog/issues/410#issuecomment-1224009829