neo4j / docker-neo4j

Docker Images for the Neo4j Graph Database
Apache License 2.0

Missing neo4j docker image version 4.3.20 #401

Closed oren-nonamesecurity closed 1 year ago

oren-nonamesecurity commented 1 year ago

Neo4j 4.3.20 was released 4 days ago: https://neo4j.com/release-notes/database/neo4j-4-3-20/

But the docker tag wasn't pushed to DockerHub: https://hub.docker.com/_/neo4j/tags

jennyowen commented 1 year ago

I tend to group releases together if I know a few are coming out at the same time, to reduce noise for our friends in the docker repository. I've requested a new dockerhub release for 4.3.20 and 4.4.13 here: https://github.com/docker-library/official-images/pull/13487

vikingUnet commented 1 year ago

Thanks!

oren-nonamesecurity commented 1 year ago

Hi, looks like the new tags uploaded yesterday are still discovered as vulnerable to Text4Shell - https://hub.docker.com/_/neo4j/tags

Any idea why? The release notes mentioned updating commons-text from version 1.9 to 1.10 to solve this CVE.

vikingUnet commented 1 year ago

Hello! Yes, it is because it contains the apos neo4j plugin, which uses commons-text version 1.9, not 1.10. The developers of the apos plugin are still approving a PR to rework the import of the commons-text lib only on the neo4j runtime; the neo4j docker images must include the new version of neo4j-apos, 4.0.9, not 4.0.8 (as it is now).
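
The situation described in the last comment (the core library is updated, but a plugin jar still bundles the older commons-text) can be checked by looking inside every jar rather than only at file names. The following is an added example, not code from this thread or from the neo4j project; it assumes bundled copies keep their Maven `pom.properties` metadata, and the file names and sample jars are constructed for illustration.

```python
import io
import zipfile

# Maven metadata that shaded/bundled copies of commons-text usually keep (assumption).
POM = "META-INF/maven/org.apache.commons/commons-text/pom.properties"
FIXED = (1, 10)  # from the thread: 1.9 is flagged, 1.10 carries the fix

def parse_version(text):
    for line in text.splitlines():
        if line.startswith("version="):
            return line.split("=", 1)[1].strip()
    return None

def scan_jar(data, label):
    """Return [(location, version, flagged)] for each commons-text copy,
    descending into jars nested inside other jars."""
    hits = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return hits  # not a readable archive; nothing to report
    with zf:
        for name in zf.namelist():
            if name == POM:
                version = parse_version(zf.read(name).decode("utf-8", "replace"))
                if version:
                    nums = tuple(int(p) for p in version.split(".")[:2] if p.isdigit())
                    # Unparseable versions compare as () and are flagged for review.
                    hits.append((label, version, nums < FIXED))
            elif name.endswith(".jar"):
                hits += scan_jar(zf.read(name), f"{label}!/{name}")
    return hits

def make_jar(files):
    """Build a jar in memory (constructed sample data, not real artifacts)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in files.items():
            zf.writestr(name, content)
    return buf.getvalue()

def demo():
    props = "groupId=org.apache.commons\nartifactId=commons-text\nversion={}\n"
    core = make_jar({POM: props.format("1.10.0")})
    plugin = make_jar({POM: props.format("1.9"), "org/example/Plugin.class": b""})
    image = {"lib/commons-text.jar": core, "plugins/example-plugin.jar": plugin}
    return [hit for path, jar in sorted(image.items()) for hit in scan_jar(jar, path)]

if __name__ == "__main__":
    for location, version, flagged in demo():
        print(f"{location}: commons-text {version} {'FLAGGED' if flagged else 'ok'}")
```

To use it on a real image, export the image filesystem and pass the bytes of each `.jar` file to `scan_jar`.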