ploigos / ploigos-containers

Container image definitions for the Ploigos project.
GNU General Public License v3.0

Critical vulnerability in ploigos-base image #113

Open dlystra opened 1 year ago

dlystra commented 1 year ago

CVE: pyup.io-52322 (CVE-2022-24439)
Severity: Critical
Package: gitpython
Version: 3.1.18
Layer:

    RUN |7 PLOIGOS_USER_NAME=ploigos PLOIGOS_USER_UID=1001 PLOIGOS_USER_GID=0 PLOIGOS_HOME_DIR=/home/ploigos PLOIGOS_SOURCE=ploigos-step-runner==1.0.0 YQ_VERSION=3.4.1 SOPS_RPM=https://github.com/mozilla/sops/releases/download/v3.6.1/sops-3.6.1-1.x86_64.rpm /bin/sh -c python -m pip install --no-cache-dir --upgrade ${PLOIGOS_SOURCE} # buildkit

itewk commented 1 year ago

@dlystra Which version of the image is this an issue in? Have you checked the nightly builds to see if they have the issue? If the issue is fixed in the nightly builds, then we can just tag head of main and new released versions will publish. If it is not fixed in the nightly builds, then we need to fix the issue, then tag head of main.

dlystra commented 1 year ago

I think it's on all of them. https://quay.io/repository/ploigos/ploigos-base?tab=tags