redis / docker-library-redis

Docker Official Image packaging for Redis
http://redis.io
BSD 3-Clause "New" or "Revised" License

5.0.6-alpine CVE-2018-1000500 (Improper Handling of Exceptional Conditions) #362

Closed esn89 closed 1 year ago

esn89 commented 1 year ago

There is a high vulnerability discovered here: https://snyk.io/test/docker/redis%3A5.0.6-alpine#SNYK-ALPINE310-BUSYBOX-1090151

Can this be patched for those who are using this image?

yosifkit commented 1 year ago
  1. 5.0.x is end of life; it is not being updated anymore: https://github.com/docker-library/redis/pull/333
  2. if you really need 5.0.x then it should probably at least be the latest version of it, 5.0.14.
  3. 5.0.6-alpine is based on Alpine 3.10 and is over 4 years old, but it already has the fixed version for CVE-2018-1000500 (https://gitlab.alpinelinux.org/alpine/aports/-/blob/3.10-stable/main/busybox/APKBUILD#L61):

    $ docker run -it --rm redis:5.0.6-alpine sh
    Unable to find image 'redis:5.0.6-alpine' locally
    5.0.6-alpine: Pulling from library/redis
    89d9c30c1d48: Pull complete
    b2eb22a0b7db: Pull complete
    c5ccbdf10203: Pull complete
    29dc5d38440e: Pull complete
    a9bfccb1acb4: Pull complete
    ae61c5711cf8: Pull complete
    Digest: sha256:27e139dd0476133961d36e5abdbbb9edf9f596f80cc2f9c2e8f37b20b91d610d
    Status: Downloaded newer image for redis:5.0.6-alpine
    /data # apk info busybox
    WARNING: Ignoring APKINDEX.00740ba1.tar.gz: No such file or directory
    WARNING: Ignoring APKINDEX.d8b2a6f4.tar.gz: No such file or directory
    busybox-1.30.1-r2 description:
    Size optimized toolbox of many common UNIX utilities
    
    busybox-1.30.1-r2 webpage: https://busybox.net/
    
    busybox-1.30.1-r2 installed size: 942080
    
    /data #

If there are Alpine package updates available, then an `apk upgrade --no-cache` in your own image would give you the most up-to-date packages.
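The manual check yosifkit did above (read the installed busybox version out of `apk info` and compare it with the version that carries the fix) can be scripted; the following is an added example, not code from the issue or from the docker-library project. The version comparison handles only dotted numeric versions with an `-rN` pkgrel, and the `check_image` helper that runs `docker run` is an assumed wrapper, not something the thread shows.

```shell
#!/bin/sh
# Added example: decide whether an Alpine-based image ships a package at or above
# the version carrying a CVE fix. The sample output is copied from the
# `apk info busybox` session above; 1.30.1-r2 is the version the maintainer
# states already contains the CVE-2018-1000500 fix.

# Compare two Alpine package versions such as 1.30.1-r2 and 1.30.1-r10.
# Returns 0 if equal, 1 if $1 is newer, 2 if $1 is older. Handles dotted
# numeric components plus the -rN pkgrel suffix (no letter or _p suffixes).
apk_ver_cmp() {
  a=$(printf '%s' "$1" | sed 's/-r\([0-9]*\)$/.\1/')
  b=$(printf '%s' "$2" | sed 's/-r\([0-9]*\)$/.\1/')
  while [ -n "$a" ] || [ -n "$b" ]; do
    x=${a%%.*}; y=${b%%.*}
    if [ "$x" = "$a" ]; then a=; else a=${a#*.}; fi
    if [ "$y" = "$b" ]; then b=; else b=${b#*.}; fi
    [ "${x:-0}" -gt "${y:-0}" ] && return 1
    [ "${x:-0}" -lt "${y:-0}" ] && return 2
  done
  return 0
}

# Print VERSION from `apk info PKG` output, whose result line reads
# "PKG-VERSION description:".  $1 = package name, apk output on stdin.
installed_version() {
  sed -n "s/^$1-\([^ ]*\) description:\$/\1/p" | head -n 1
}

# Succeed when $1 (installed) is at or above $2 (fixed).
is_fixed() {
  rc=0; apk_ver_cmp "$1" "$2" || rc=$?
  [ "$rc" -ne 2 ]
}

# Assumed live variant: inspect an image (needs docker; not invoked here).
check_image() {  # $1 = image, $2 = package, $3 = fixed version
  v=$(docker run --rm "$1" apk info "$2" 2>/dev/null | installed_version "$2")
  [ -n "$v" ] && is_fixed "$v" "$3"
}

SAMPLE_APK_INFO='WARNING: Ignoring APKINDEX.00740ba1.tar.gz: No such file or directory
busybox-1.30.1-r2 description:
Size optimized toolbox of many common UNIX utilities'
FIXED_BUSYBOX='1.30.1-r2'
v=$(printf '%s\n' "$SAMPLE_APK_INFO" | installed_version busybox)
if is_fixed "$v" "$FIXED_BUSYBOX"; then
  echo "busybox $v >= $FIXED_BUSYBOX: fix already present, no rebuild needed"
else
  echo "busybox $v < $FIXED_BUSYBOX: rebuild with 'apk upgrade --no-cache'"
fi
```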