rocker-org / rocker

R configurations for Docker
https://rocker-project.org
GNU General Public License v2.0

update 'latest' version to 4.4.0 RDS security flaw #551

Closed tschuette22 closed 3 months ago

tschuette22 commented 3 months ago

Hi,

First, thank you for this awesome project. I believe it would be a good idea to bump the 'latest' version to 4.4.0 to avoid the security vulnerability in RDS data serialization. See: https://www.cve.org/CVERecord?id=CVE-2024-27322

eddelbuettel commented 3 months ago

We do that when new versions come out:

edd@rob:~$ docker run --rm -ti rocker/r-base:latest Rscript --version
Rscript (R) version 4.4.0 (2024-04-24)
edd@rob:~$ 

However some containers are on purpose 'frozen' to a version, and that too is on purpose. Also, with all due respect, this CVE is a non-issue, wrong and should be withdrawn (but nobody has the energy to pursue this).

The R Foundation issued a blog post but somehow I cannot access it right now via https://blog.r-project.org/. I notified my colleagues and I hope the post reappears.
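The thread's check boils down to running `Rscript --version` inside the image and confirming the reported version is at or above 4.4.0. The following script is an added example (not the rocker project's code) that parses that output, as quoted above, and compares it numerically against the 4.4.0 threshold; the sample version strings in the test are constructed.

```shell
#!/bin/sh
# Added example (not from the rocker project): decide whether an R build is at
# or above 4.4.0, the version named in this issue for CVE-2024-27322, from the
# text that `Rscript --version` prints, e.g. "Rscript (R) version 4.4.0 (2024-04-24)".

MIN_R_VERSION="4.4.0"

# Extract "X.Y.Z" from a version line. Prints the version and returns 0,
# or prints nothing and returns 1 when no dotted version is present.
parse_r_version() {
    ver=$(printf '%s\n' "$1" | sed -n 's/.*version \([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p' | head -n 1)
    [ -n "$ver" ] || return 1
    printf '%s\n' "$ver"
}

# Return 0 if $1 >= $2, comparing each dotted component as a number
# (so 4.10.0 ranks above 4.4.0, which a plain string compare gets wrong).
version_ge() {
    a_major=${1%%.*}; a_rest=${1#*.}; a_minor=${a_rest%%.*}; a_patch=${a_rest#*.}
    b_major=${2%%.*}; b_rest=${2#*.}; b_minor=${b_rest%%.*}; b_patch=${b_rest#*.}
    [ "$a_major" -gt "$b_major" ] && return 0
    [ "$a_major" -lt "$b_major" ] && return 1
    [ "$a_minor" -gt "$b_minor" ] && return 0
    [ "$a_minor" -lt "$b_minor" ] && return 1
    [ "$a_patch" -ge "$b_patch" ]
}

# Check one `Rscript --version` output: 0 = at or above MIN_R_VERSION, 1 = not
# (unparseable output is treated as failing, so it is not silently accepted).
r_version_ok() {
    v=$(parse_r_version "$1") || return 1
    version_ge "$v" "$MIN_R_VERSION"
}

# Against a live image (stderr merged because older Rscript printed there):
#   r_version_ok "$(docker run --rm rocker/r-base:latest Rscript --version 2>&1)" && echo OK
```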

tschuette22 commented 3 months ago

Thank you for the quick response. I was notified by my organisation to verify we're using at least 4.4.0 on all systems because of the issue and was surprised that the Dockerfile of 'latest' as linked on Dockerhub didn't point at 4.4.0. I missed that it is being set as an ENV variable when pulling. So sorry for the confusion, this can be closed. I will look into the blog post once it's back up.