Closed korrelate-vc closed 4 months ago
But I presume you not running sshd (which is how the exploit was aiming to do damage) in that container? If I do an apt update -qqq; apt install -y procps
then ps -aux
shows nothing is running as docker is, after all, by default a single process:
root@a90632d4c6ba:/# ps -aux
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 1 0.0 0.0 7216 3840 pts/0 Ss 17:39 0:00 bash
root 236 0.0 0.0 10740 4224 pts/0 R+ 17:41 0:00 ps -aux
root@a90632d4c6ba:/#
(The hostname
is AFAIK entirely random so no need to obfuscate / hide in the screenshot. Also textual quotes work great here thanks to markdown and code formatting....)
Thanks for the tips, I don't comment on issues often so I appreciate the feedback. Yes, I am not running sshd (and therefore it's not a risk). I was just checking through my containers with different base images and this was the only one with the vulnerability. Seems like you are aware of the issue, thanks for taking the time to respond :).
All my best, Kevin
Yes, I'd be happy to rebuild but I just want to clarify that it is a bit of a non-issue. Also rocker/r-base famously becomes r-base
(ie a core Docker container) and we treat those as immutable.
Maybe with R 4.3.3 coming to end of life a rebuild is fine, on other other hand we are having a bit trouble right now with testing
because of the 64 bit time_t
transition which may pull more in than we like from unstable
. Come to think about it that was the case already for the 4.3.3 build so maybe I just rebuild.
Typing from a happy Ubuntu workstation with an updated xz
etc (as I am surely running sshd
here...) ...
I just rebuilt (and pushed) them (for tags 4.3.3 and latest).
It moves packages xz,liblzma{5,-dev}
package from 5.6.0-0.2 to 5.6.1+really5.4.5-1. It should not matter for the container providing R, but it does not hurt and we all sleep better that way.
Hi,
I am using the latest version of the r-base docker image (FROM rocker/r-base:latest). I'm not sure if you're aware of the exploit in debian version of xz v5.6.0/v5.6.1 (liblzma). I noticed that the latest version I pulled contained the afflicted library:
The recommendations I have read are to update the library or revert to a stable version. For my OS (ubuntu) I have v5.2.1 which is not compromised.
Sincerely, Kevin