sqitchers / docker-sqitch

Docker Image packaging for Sqitch
MIT License

CVE-2024-37371 with `sqitch/sqitch:v1.4.1.1` #68

Closed skuethe closed 2 weeks ago

skuethe commented 2 weeks ago

Hi there,

Similar issue as #66. Could you again create a new release to fix the CVE?

$ trivy image --severity CRITICAL --ignore-unfixed docker.io/sqitch/sqitch:v1.4.1.1
2024-08-28T14:28:46.284+0200    INFO    Need to update DB
2024-08-28T14:28:46.284+0200    INFO    DB Repository: ghcr.io/aquasecurity/trivy-db:2
2024-08-28T14:28:46.284+0200    INFO    Downloading DB...
52.43 MiB / 52.43 MiB [-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------] 100.00% 11.41 MiB p/s 4.8s
2024-08-28T14:28:51.840+0200    INFO    Vulnerability scanning is enabled
2024-08-28T14:28:51.840+0200    INFO    Secret scanning is enabled
2024-08-28T14:28:51.840+0200    INFO    If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-08-28T14:28:51.840+0200    INFO    Please see also https://aquasecurity.github.io/trivy/v0.50/docs/scanner/secret/#recommendation for faster secret detection
2024-08-28T14:28:53.729+0200    INFO    Detected OS: debian
2024-08-28T14:28:53.729+0200    INFO    Detecting Debian vulnerabilities...
2024-08-28T14:28:53.756+0200    INFO    Number of language-specific files: 0

docker.io/sqitch/sqitch:v1.4.1.1 (debian 12.6)

Total: 4 (CRITICAL: 4)

┌──────────────────┬────────────────┬──────────┬────────┬───────────────────┬──────────────────┬────────────────────────────────────────────┐
│     Library      │ Vulnerability  │ Severity │ Status │ Installed Version │  Fixed Version   │                   Title                    │
├──────────────────┼────────────────┼──────────┼────────┼───────────────────┼──────────────────┼────────────────────────────────────────────┤
│ libgssapi-krb5-2 │ CVE-2024-37371 │ CRITICAL │ fixed  │ 1.20.1-2+deb12u1  │ 1.20.1-2+deb12u2 │ krb5: GSS message token handling           │
│                  │                │          │        │                   │                  │ https://avd.aquasec.com/nvd/cve-2024-37371 │
├──────────────────┤                │          │        │                   │                  │                                            │
│ libk5crypto3     │                │          │        │                   │                  │                                            │
│                  │                │          │        │                   │                  │                                            │
├──────────────────┤                │          │        │                   │                  │                                            │
│ libkrb5-3        │                │          │        │                   │                  │                                            │
│                  │                │          │        │                   │                  │                                            │
├──────────────────┤                │          │        │                   │                  │                                            │
│ libkrb5support0  │                │          │        │                   │                  │                                            │
│                  │                │          │        │                   │                  │                                            │
└──────────────────┴────────────────┴──────────┴────────┴───────────────────┴──────────────────┴────────────────────────────────────────────┘

$ trivy image --severity CRITICAL --ignore-unfixed docker.io/library/debian:bookworm-slim
2024-08-28T14:30:54.811+0200    INFO    Vulnerability scanning is enabled
2024-08-28T14:30:54.811+0200    INFO    Secret scanning is enabled
2024-08-28T14:30:54.811+0200    INFO    If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-08-28T14:30:54.811+0200    INFO    Please see also https://aquasecurity.github.io/trivy/v0.50/docs/scanner/secret/#recommendation for faster secret detection
2024-08-28T14:30:57.924+0200    INFO    Detected OS: debian
2024-08-28T14:30:57.924+0200    INFO    Detecting Debian vulnerabilities...
2024-08-28T14:30:57.928+0200    INFO    Number of language-specific files: 0

docker.io/library/debian:bookworm-slim (debian 12.6)

Total: 0 (CRITICAL: 0)

Thanks!
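The check the two scans above perform by eye (is the fix already in the base image, so that a plain rebuild clears the finding?) can be automated on trivy's JSON output. The following is an added example, not code from this issue or from the docker-sqitch project; it assumes the `Results[].Vulnerabilities[]` field names trivy emits with `--format json`, and the two reports are constructed inline to mirror the findings shown in the issue.

```python
"""Decide whether rebuilding an image on its current base would clear fixed CVEs.

Takes two trivy JSON reports (trivy image --format json ...): one for the
derived image and one for the base image it is built from. A finding that has a
FixedVersion in the derived image but is absent from the base image scan means
the fixed package is already in the base, so a plain rebuild picks it up.
"""
import json

# Constructed sample reports (assumed field names: VulnerabilityID, PkgName,
# InstalledVersion, FixedVersion, Severity, Status); values echo the scan above.
DERIVED_REPORT = json.dumps({
    "ArtifactName": "docker.io/sqitch/sqitch:v1.4.1.1",
    "Results": [{
        "Target": "docker.io/sqitch/sqitch:v1.4.1.1 (debian 12.6)",
        "Vulnerabilities": [
            {"VulnerabilityID": "CVE-2024-37371", "PkgName": pkg,
             "InstalledVersion": "1.20.1-2+deb12u1",
             "FixedVersion": "1.20.1-2+deb12u2",
             "Severity": "CRITICAL", "Status": "fixed"}
            for pkg in ("libgssapi-krb5-2", "libk5crypto3",
                        "libkrb5-3", "libkrb5support0")
        ],
    }],
})
BASE_REPORT = json.dumps({
    "ArtifactName": "docker.io/library/debian:bookworm-slim",
    "Results": [{"Target": "docker.io/library/debian:bookworm-slim (debian 12.6)",
                 "Vulnerabilities": []}],
})


def fixed_findings(report_json, severities=("CRITICAL", "HIGH")):
    """Return {(CVE id, package): fixed version} for findings that have a fix."""
    found = {}
    for result in json.loads(report_json).get("Results", []):
        # trivy omits the key (or emits null) when a target has no findings
        for v in result.get("Vulnerabilities") or []:
            if v.get("Severity") in severities and v.get("FixedVersion"):
                found[(v["VulnerabilityID"], v["PkgName"])] = v["FixedVersion"]
    return found


def rebuild_fixes(derived_json, base_json):
    """Findings in the derived image that a rebuild on the current base clears."""
    derived = fixed_findings(derived_json)
    base = fixed_findings(base_json)
    return {key: fix for key, fix in derived.items() if key not in base}


if __name__ == "__main__":
    for (cve, pkg), fix in sorted(rebuild_fixes(DERIVED_REPORT, BASE_REPORT).items()):
        print(f"rebuild clears {cve} in {pkg} (fix {fix})")
```

A finding that appears in both reports means the fixed package has not reached the base image tag yet, so a rebuild alone will not clear it until the base is refreshed.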

theory commented 2 weeks ago

Damn. Might have to automate a monthly build or something…

skuethe commented 2 weeks ago

Just saw your build - thanks! :)

$ trivy image --severity CRITICAL --ignore-unfixed docker.io/sqitch/sqitch:v1.4.1.2
2024-08-29T16:17:41.943+0200    INFO    Need to update DB
2024-08-29T16:17:41.944+0200    INFO    DB Repository: ghcr.io/aquasecurity/trivy-db:2
2024-08-29T16:17:41.944+0200    INFO    Downloading DB...
52.44 MiB / 52.44 MiB [---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------] 100.00% 12.60 MiB p/s 4.4s
2024-08-29T16:17:46.884+0200    INFO    Vulnerability scanning is enabled
2024-08-29T16:17:46.884+0200    INFO    Secret scanning is enabled
2024-08-29T16:17:46.884+0200    INFO    If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-08-29T16:17:46.884+0200    INFO    Please see also https://aquasecurity.github.io/trivy/v0.50/docs/scanner/secret/#recommendation for faster secret detection
2024-08-29T16:17:52.562+0200    INFO    Detected OS: debian
2024-08-29T16:17:52.562+0200    INFO    Detecting Debian vulnerabilities...
2024-08-29T16:17:52.588+0200    INFO    Number of language-specific files: 0

docker.io/sqitch/sqitch:v1.4.1.2 (debian 12.6)

Total: 0 (CRITICAL: 0)