root-gg / plik

Plik is a temporary file upload system (WeTransfer-like) written in Go.
https://plik.root.gg

trivy security alert #473

Closed oupala closed 1 year ago

oupala commented 1 year ago

Trivy audit is reporting some security alerts:

Total: 15 (UNKNOWN: 0, LOW: 0, MEDIUM: 6, HIGH: 8, CRITICAL: 1)
┌──────────────┬────────────────┬──────────┬───────────────────┬───────────────┬─────────────────────────────────────────────────────────────┐
│   Library    │ Vulnerability  │ Severity │ Installed Version │ Fixed Version │                            Title                            │
├──────────────┼────────────────┼──────────┼───────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
│ libcrypto1.1 │ CVE-2022-4450  │ HIGH     │ 1.1.1n-r0         │ 1.1.1t-r0     │ openssl: double free after calling PEM_read_bio_ex          │
│              │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2022-4450                   │
│              ├────────────────┤          │                   │               ├─────────────────────────────────────────────────────────────┤
│              │ CVE-2023-0215  │          │                   │               │ openssl: use-after-free following BIO_new_NDEF              │
│              │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2023-0215                   │
│              ├────────────────┤          │                   │               ├─────────────────────────────────────────────────────────────┤
│              │ CVE-2023-0286  │          │                   │               │ openssl: X.400 address type confusion in X.509 GeneralName  │
│              │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2023-0286                   │
│              ├────────────────┤          │                   ├───────────────┼─────────────────────────────────────────────────────────────┤
│              │ CVE-2023-0464  │          │                   │ 1.1.1t-r2     │ openssl: Denial of service by excessive resource usage in   │
│              │                │          │                   │               │ verifying X509 policy...                                    │
│              │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2023-0464                   │
│              ├────────────────┼──────────┤                   ├───────────────┼─────────────────────────────────────────────────────────────┤
│              │ CVE-2022-2097  │ MEDIUM   │                   │ 1.1.1q-r0     │ openssl: AES OCB fails to encrypt some bytes                │
│              │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2022-2097                   │
│              ├────────────────┤          │                   ├───────────────┼─────────────────────────────────────────────────────────────┤
│              │ CVE-2022-4304  │          │                   │ 1.1.1t-r0     │ openssl: timing attack in RSA Decryption implementation     │
│              │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2022-4304                   │
│              ├────────────────┤          │                   ├───────────────┼─────────────────────────────────────────────────────────────┤
│              │ CVE-2023-0465  │          │                   │ 1.1.1t-r3     │ openssl: Invalid certificate policies in leaf certificates  │
│              │                │          │                   │               │ are silently ignored                                        │
│              │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2023-0465                   │
├──────────────┼────────────────┼──────────┤                   ├───────────────┼─────────────────────────────────────────────────────────────┤
│ libssl1.1    │ CVE-2022-4450  │ HIGH     │                   │ 1.1.1t-r0     │ openssl: double free after calling PEM_read_bio_ex          │
│              │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2022-4450                   │
│              ├────────────────┤          │                   │               ├─────────────────────────────────────────────────────────────┤
│              │ CVE-2023-0215  │          │                   │               │ openssl: use-after-free following BIO_new_NDEF              │
│              │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2023-0215                   │
│              ├────────────────┤          │                   │               ├─────────────────────────────────────────────────────────────┤
│              │ CVE-2023-0286  │          │                   │               │ openssl: X.400 address type confusion in X.509 GeneralName  │
│              │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2023-0286                   │
│              ├────────────────┤          │                   ├───────────────┼─────────────────────────────────────────────────────────────┤
│              │ CVE-2023-0464  │          │                   │ 1.1.1t-r2     │ openssl: Denial of service by excessive resource usage in   │
│              │                │          │                   │               │ verifying X509 policy...                                    │
│              │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2023-0464                   │
│              ├────────────────┼──────────┤                   ├───────────────┼─────────────────────────────────────────────────────────────┤
│              │ CVE-2022-2097  │ MEDIUM   │                   │ 1.1.1q-r0     │ openssl: AES OCB fails to encrypt some bytes                │
│              │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2022-2097                   │
│              ├────────────────┤          │                   ├───────────────┼─────────────────────────────────────────────────────────────┤
│              │ CVE-2022-4304  │          │                   │ 1.1.1t-r0     │ openssl: timing attack in RSA Decryption implementation     │
│              │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2022-4304                   │
│              ├────────────────┤          │                   ├───────────────┼─────────────────────────────────────────────────────────────┤
│              │ CVE-2023-0465  │          │                   │ 1.1.1t-r3     │ openssl: Invalid certificate policies in leaf certificates  │
│              │                │          │                   │               │ are silently ignored                                        │
│              │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2023-0465                   │
├──────────────┼────────────────┼──────────┼───────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
│ zlib         │ CVE-2022-37434 │ CRITICAL │ 1.2.12-r0         │ 1.2.12-r2     │ zlib: heap-based buffer over-read and overflow in inflate() │
│              │                │          │                   │               │ in inflate.c via a...                                       │
│              │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2022-37434                  │
└──────────────┴────────────────┴──────────┴───────────────────┴───────────────┴─────────────────────────────────────────────────────────────┘

You should probably update your base image from alpine:3.15 to alpine:3.17.
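As an added example (not part of this issue or of the plik project), here is a small Python script that consumes the JSON form of the same scan (`trivy image --format json -o report.json <image>`), counts findings per severity, works out the highest fixed version each package needs, and fails the build when anything at or above a chosen severity is present. The embedded report is constructed for the example and uses a subset of the findings listed above; the image name `example/plik:TAG` is a placeholder, and the version comparison is a simplified apk-style ordering, not a full apk-tools comparator. (Trivy can also gate on its own with `--exit-code 1 --severity HIGH,CRITICAL`; this script is for when you want the summary in your pipeline log as well.)

```python
"""CI gate for a Trivy image scan: summarize findings and fail on severity.

Reads the JSON produced by `trivy image --format json -o report.json IMAGE`.
"""
import json
import re

SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Constructed sample report in the shape Trivy emits for --format json.
# The CVEs, packages and versions are a subset of the findings in the issue;
# the image name is a placeholder.
SAMPLE_REPORT = json.dumps({
    "ArtifactName": "example/plik:TAG",
    "Results": [{
        "Target": "example/plik:TAG (alpine 3.15)",
        "Class": "os-pkgs",
        "Type": "alpine",
        "Vulnerabilities": [
            {"VulnerabilityID": "CVE-2022-4450", "PkgName": "libcrypto1.1",
             "InstalledVersion": "1.1.1n-r0", "FixedVersion": "1.1.1t-r0", "Severity": "HIGH"},
            {"VulnerabilityID": "CVE-2023-0464", "PkgName": "libcrypto1.1",
             "InstalledVersion": "1.1.1n-r0", "FixedVersion": "1.1.1t-r2", "Severity": "HIGH"},
            {"VulnerabilityID": "CVE-2023-0465", "PkgName": "libcrypto1.1",
             "InstalledVersion": "1.1.1n-r0", "FixedVersion": "1.1.1t-r3", "Severity": "MEDIUM"},
            {"VulnerabilityID": "CVE-2022-4450", "PkgName": "libssl1.1",
             "InstalledVersion": "1.1.1n-r0", "FixedVersion": "1.1.1t-r0", "Severity": "HIGH"},
            {"VulnerabilityID": "CVE-2022-37434", "PkgName": "zlib",
             "InstalledVersion": "1.2.12-r0", "FixedVersion": "1.2.12-r2", "Severity": "CRITICAL"},
        ],
    }],
})


def findings(report_json):
    """Flatten every vulnerability in every result into one list of dicts."""
    report = json.loads(report_json)
    out = []
    for result in report.get("Results", []):
        for v in result.get("Vulnerabilities") or []:
            out.append({
                "Target": result.get("Target", ""),
                "VulnerabilityID": v.get("VulnerabilityID", ""),
                "PkgName": v.get("PkgName", ""),
                "InstalledVersion": v.get("InstalledVersion", ""),
                "FixedVersion": v.get("FixedVersion", ""),
                "Severity": v.get("Severity", "UNKNOWN").upper(),
            })
    return out


def count_by_severity(items):
    """Number of findings per severity label (mirrors Trivy's 'Total:' line)."""
    counts = {}
    for f in items:
        counts[f["Severity"]] = counts.get(f["Severity"], 0) + 1
    return counts


def apk_version_key(version):
    """Simplified ordering key for Alpine versions such as '1.1.1t-r2'.

    Each dotted component becomes (number, letter suffix); the '-rN' package
    revision is appended. Enough to pick the highest fix level among the
    findings for one package; it is NOT a complete apk version comparator.
    """
    base, _, rev = version.partition("-r")
    comps = []
    for part in base.split("."):
        m = re.match(r"(\d*)([A-Za-z]*)", part)
        comps.append((int(m.group(1)) if m.group(1) else 0, m.group(2)))
    return (comps, int(rev) if rev.isdigit() else 0)


def required_upgrades(items):
    """Highest FixedVersion needed per package to clear all of its findings."""
    needed = {}
    for f in items:
        fixed, pkg = f["FixedVersion"], f["PkgName"]
        if not fixed:
            continue  # no upstream fix yet; nothing to upgrade to
        if pkg not in needed or apk_version_key(fixed) > apk_version_key(needed[pkg]):
            needed[pkg] = fixed
    return needed


def gate(report_json, fail_on="HIGH"):
    """Return (passed, blocking_findings) for a severity threshold."""
    threshold = SEVERITY_RANK[fail_on.upper()]
    blocking = [f for f in findings(report_json)
                if SEVERITY_RANK.get(f["Severity"], 0) >= threshold]
    return (len(blocking) == 0, blocking)


if __name__ == "__main__":
    items = findings(SAMPLE_REPORT)
    print("Total: %d %s" % (len(items), count_by_severity(items)))
    for pkg, ver in sorted(required_upgrades(items).items()):
        print("  %-14s upgrade to %s" % (pkg, ver))
    ok, blocking = gate(SAMPLE_REPORT, "HIGH")
    print("gate(HIGH): %s, %d blocking finding(s)" % ("PASS" if ok else "FAIL", len(blocking)))
    raise SystemExit(0 if ok else 1)
```

In a pipeline, run `trivy image --format json -o report.json IMAGE`, feed the file to `gate()`, and let the non-zero exit stop the publish step; the per-package upgrade list tells you whether a base-image bump (here alpine 3.15 to 3.17) or a single `apk upgrade` is the right fix.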

camathieu commented 1 year ago

Done

oupala commented 1 year ago

As the commit has been merged to master, do you plan to publish a new release of the Docker image on Docker Hub?

In Docker Hub, the dev tag is 5 days old, but the latest and 1.3.6 tags are a year old. I think that there should be a new 1.3.7 tag, or a 1.4 tag, or a 2 tag...

camathieu commented 1 year ago

Next version will be 1.3.7; in the meantime, dev is built on master head.

On Mon, Apr 24, 2023 at 12:38 PM oupala wrote:

> As the commit has been merged to master, do you plan to publish a new release of the Docker image on Docker Hub?
>
> In Docker Hub, the dev tag is 5 days old, but the latest and 1.3.6 tags are a year old. I think that there should be a new 1.3.7 tag, or a 1.4 tag, or a 2 tag...