phpmyadmin / docker

Docker container for phpMyAdmin
https://hub.docker.com/_/phpmyadmin
GNU General Public License v3.0

Apache critical vulnerabilities #400

Closed felixtech-msp closed 1 year ago

felixtech-msp commented 1 year ago

The image phpmyadmin:5.2.1-apache contains an old version of the Apache webserver which has several critical vulnerabilities: CVE-2023-25690 and CVE-2023-27522, which have a CVSS score of 9.8, as well as CVE-2006-20001, CVE-2022-36760 and CVE-2022-37436, which are CVSS rated 9.0. Please upgrade the Apache version asap to the latest version, at least 2.4.56, which is the version in which all those vulnerabilities have been fixed.

williamdes commented 1 year ago

Thank you for nicely reporting this. Since we are not responsible for that, I would let you open an issue upstream at php.

We use an already bundled apache, see: https://github.com/phpmyadmin/docker/blob/0006406e352ddd5addd5122de53fe354307b2460/apache/Dockerfile#L1

williamdes commented 1 year ago

The tracker should be https://github.com/docker-library/php/issues

Here is the source where apache2 is installed, from Debian https://github.com/docker-library/php/blob/3dc959846f1d44d6c3200f657dee762885847a2c/8.1/bullseye/apache/Dockerfile#L56

williamdes commented 1 year ago

Most probably you should look at here for the security fixes for apache2 https://security-tracker.debian.org/tracker/source-package/apache2

williamdes commented 1 year ago

/cc @tianon for feedback on security procedures of docker official

ibennetch commented 1 year ago

It appears as if the "official repository" at https://hub.docker.com/_/phpmyadmin/ gets automatic updates, but the team project at https://hub.docker.com/r/phpmyadmin/ needs to be manually updated.

I'm not at my computer at the moment but will push the update for those when I'm able.

Thanks for the report.

Just this week, they've announced some changes to how the open source project tier works.

williamdes commented 1 year ago

Just this week, they've announced some changes to how the open source project tier works.

And they announced the rollback of this decision 😄 Edit: I am probably mistaken; is it about docker free team?

I'm not at my computer at the moment but will push the update for those when I'm able.

I am not sure it makes sense unless the php apache2 image is fixed. But maybe it's not; that said, it's worth checking.

Either it's not yet rebuilt or the fix is not there yet

@ibennetch I merged a new PR for a new TZ env, can you PR this to the docker official repo? (commit hash update) It will have the benefit of rebuilding the image.

When it's rebuilt we can just pull and push it to our repo; maybe it's best like that, to have the same image across registries?

ibennetch commented 1 year ago

And they announced the rollback of this decision

Yes, but it isn't clear which (if any) of the more advanced features they'll be rolling out to us, such as the ability to automatically trigger rebuilds, use the API, or vulnerability monitoring. Those things exist with the official repository but haven't always been a consistent part of our free license.

As a result, currently I must manually push new updates when changes like this occur upstream. Unfortunately, it's not always easy to know when those changes occur.

unless the php apache2 image is fixed

It is running Apache 2.4.56, so based on the information in this ticket it has been fixed there.

I merged a new PR for a new TZ env, can you PR this to docker official repo?

That's now part of our phpmyadmin/phpmyadmin repository and I will send the PR to the official one.
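A check a maintainer can run against the image to confirm the "it is running Apache 2.4.56" claim above, as an added example that is not part of the thread or the project's own tooling. The image tag and the minimum version 2.4.56 come from this thread; the sample banner line is constructed, and the `apache2 -v` banner format is assumed to be the standard "Server version: Apache/x.y.z (Debian)" line.

```shell
#!/bin/sh
# Extract the version from the first line of `apache2 -v` output.
# Constructed sample input: "Server version: Apache/2.4.56 (Debian)"
apache_version_from_banner() {
    printf '%s\n' "$1" | sed -n 's#^Server version: Apache/\([0-9][0-9.]*\).*#\1#p'
}

# Return 0 if dotted version $1 is greater than or equal to $2
# (relies on GNU `sort -V` for version-aware ordering).
version_ge() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$2" ]
}

# Classify a banner line against the minimum fixed version (default 2.4.56,
# as stated in the report). Prints a verdict; returns 0 fixed, 1 vulnerable,
# 2 when no version could be parsed from the banner.
apache_check_banner() {
    banner=$1
    min=${2:-2.4.56}
    v=$(apache_version_from_banner "$banner")
    if [ -z "$v" ]; then
        echo "unknown: could not parse Apache version from banner"
        return 2
    fi
    if version_ge "$v" "$min"; then
        echo "fixed: Apache $v >= $min"
        return 0
    fi
    echo "vulnerable: Apache $v < $min"
    return 1
}

# Run the same check against a live image (assumed tag from the thread);
# requires a working docker client and is not invoked automatically.
apache_check_image() {
    image=${1:-phpmyadmin:5.2.1-apache}
    banner=$(docker run --rm "$image" apache2 -v 2>/dev/null | head -n 1)
    apache_check_banner "$banner"
}
```

Debian may backport security fixes without changing the upstream version in the banner, so a "vulnerable" verdict should be cross-checked against the apache2 package version and the Debian security tracker linked earlier in this thread.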

ibennetch commented 1 year ago

@felixtech-msp I believe this is fixed in the current Docker images, thank you very much for your report.

williamdes commented 1 year ago

As a result, currently I must manually push new updates when changes like this occur upstream. Unfortunately, it's not always easy to know when those changes occur.

We could add a GitHub cron to pull official images into our registry to keep in sync