sqitchers / docker-sqitch

Docker Image packaging for Sqitch
MIT License

Security vulnerabilities in sqitch/sqitch:1.0.0 #19

Closed shawnzhu closed 4 years ago

shawnzhu commented 4 years ago

Since sqitch/sqitch:1.0.0 started using debian:buster, I've got feedback about security vulnerabilities in the latest container image:

Problems

Actual result

> docker run -it --rm --entrypoint /bin/bash sqitch/sqitch:1.0.0
sqitch@4b5efd6753a6:/repo$ dpkg -l | egrep '(e2fsprogs|openssl)'
ii  e2fsprogs                   1.44.5-1+deb10u1       amd64        ext2/ext3/ext4 file system utilities
ii  libgnutls-openssl27:amd64   3.6.7-4                amd64        GNU TLS library - OpenSSL wrapper
ii  openssl                     1.1.1d-0+deb10u1       amd64        Secure Sockets Layer toolkit - cryptographic utility

So I cannot use sqitch/sqitch:1.0.0 until the :point_up: fixes are included.

Expectation

Just rebuild the container image sqitch/sqitch:1.0.0, especially since it was built over one month ago.

theory commented 4 years ago

I triggered a new build and v1.0.0 has been updated. Did that do the trick?

shawnzhu commented 4 years ago

Yes!

> docker run -it --rm --entrypoint /bin/bash sqitch/sqitch:latest -c 'dpkg -l | egrep \'(e2fsprogs|openssl)\''
ii  e2fsprogs                   1.44.5-1+deb10u2       amd64        ext2/ext3/ext4 file system utilities
ii  libgnutls-openssl27:amd64   3.6.7-4                amd64        GNU TLS library - OpenSSL wrapper
ii  openssl                     1.1.1d-0+deb10u2       amd64        Secure Sockets Layer toolkit - cryptographic utility

@theory Thank you!