Open agarzon opened 2 years ago
Thx for your report @agarzon. It seems related to the base image (ubuntu:20.04 is outdated). An upgrade to 22.04 can help to reduce vulnerabilities (at least the major ones). I will take a look (note I'm busy currently, if anyone can, it may be helpful). We just need to change the base image (and see if the tests pass or not...).
We may manage that better for the next major release of these images (it will be based on the PHP version, so it will be easier to manage each vulnerability).
I was making the modifications to 22.04, but the README mentions a script called build-and-test.sh that doesn't exist 😒
Instead you can run make test-8.1 (or push a new PR, CI will build and test for us).
Hi,
I've never used this image before, I just discovered it today.
But I'm here just to report that some critical vulnerabilities have been found in the image, according to the official Docker scanner.
Particularly https://dso.docker.com/cve/CVE-2022-23806 is the highest one, which comes with the package stdlib 1.14.2, and the kernel ubuntu/linux 5.4.0-131.147 with https://dso.docker.com/cve/CVE-2022-3649
The image explored was thecodingmachine/php:8.1-v4-apache but this might also affect all the images.