search

thecodingmachine / docker-images-php

A set of PHP Docker images
MIT License
768 stars 137 forks source link

Vulnerabilities found #342

Open agarzon opened 1 year ago

agarzon commented 1 year ago

Hi,

I've never used this image before, I just discovered today.

But I'm here just to report some critical vulnerabilities has been found in the image, according the official docker scanner.

image

Particularly https://dso.docker.com/cve/CVE-2022-23806 is the highest one which comes with the package stdlib 1.14.2 and the kernel ubuntu/linux 5.4.0-131.147 with https://dso.docker.com/cve/CVE-2022-3649

The image explored was thecodingmachine/php:8.1-v4-apache but this might also affect all the images.

mistraloz commented 1 year ago

Thx for your reporting @agarzon. It's seem related to base image (ubuntu:20.04 is oudated). An upgrade to 22.04 can help to reduce vulnerabilities (at least majors). I will take a look (not i'm busy currently, if anyone can, it's maybe helpful). We just need to change the base image (and see if test pass or not...).

We may manage beter that for the next major release of theses images (it's will be based on php version so it's will be easier to manage each vulnerability).

agarzon commented 1 year ago

Thx for your reporting @agarzon. It's seem related to base image (ubuntu:20.04 is oudated). An upgrade to 22.04 can help to reduce vulnerabilities (at least majors). I will take a look (not i'm busy currently, if anyone can, it's maybe helpful). We just need to change the base image (and see if test pass or not...).

We may manage beter that for the next major release of theses images (it's will be based on php version so it's will be easier to manage each vulnerability).

I was making the modifications to 22.04, but the README, mentions a script called build-and-test.sh that doesnt exists 😒

mistraloz commented 1 year ago

Instead you can run make test-8.1 (or push in new PR, CI will build and test for us).