Remediate Security Vulnerability Findings In 1.23.2

[dpericaxon]

Hello! We ran a twistlock scan and it showed the following CVE's:

libtiff5-

• CVE-2022-1210
• CVE-2022-1622
• CVE-2022-1623
• CVE-2022-2056
• CVE-2022-2057
• CVE-2022-2058
• CVE-2022-34526
• CVE-2022-1355
• CVE-2022-1354
• CVE-2022-3597
• CVE-2022-3627
• CVE-2022-3598
• CVE-2022-3626
• CVE-2022-3599
• CVE-2022-3970
• CVE-2022-3570
• CVE-2022-2869
• CVE-2022-2867
• CVE-2022-2868

libdb5.3-

• CVE-2019-8457

libgd3-

• CVE-2021-38115
• CVE-2021-40812

If possible, we'd like these to be patched/remediated for compliance reasons on our end. Let me know if you need more info!

[thresheek]

Hi @dpericaxon, all of those are not fixed in Debian Bullseye, so not much we can do about it.

[thresheek]

Maybe using an alpine-based image will make it easier for you?

[gburton1]

Good idea, we'll try the Alpine image with the next version upgrade we do.

[thresheek]

FYI, some of libtiff issues are now fixed in Debian Bullseye.

[thresheek]

Everything except https://security-tracker.debian.org/tracker/CVE-2022-1210 is now fixed in Bookworm-based images (nginx:1.25.1 and newer).