Closed pacifier17 closed 4 years ago
Hi,
Thank you for the notification. One question, since this is a kernel issue, doesn't it mean that it's only a host issue?
Yeah, but I think you can pretty much exec into the pod the same way you do that into a host. Either way, an automatic image scanning tool (like Clair) was reporting this vulnerability and asking to update the image to the newer version of Debian.
> Yeah, but I think you can pretty much exec into the pod the same way you do that into a host.

It doesn't matter, the kernel being run is the host's, not ours. The scanning tool is probably just checking the installed package list and doesn't care if it's actually used.
Closing as there is nothing actionable here. The kernel isn't used, and even if it was, the Dockerfile doesn't need to change as a fix just requires a rebuilding of the image, which is done regularly by https://github.com/docker-library/official-images
Yep, you are correct but looks like the images are not being rebuilt regularly? I see it was last updated 2 months ago https://hub.docker.com/_/varnish?tab=tags
I can see that the buster-slim image that you are using was updated 8 days ago: https://hub.docker.com/_/debian?tab=tags&page=1&name=buster-slim
Should I create an issue here instead to have them rebuild the Varnish image: https://github.com/docker-library/official-images/issues ?
I'd read https://github.com/docker-library/faq#why-does-my-security-scanner-show-that-an-image-has-cves which states that they rebuild them regularly.
You can also check https://github.com/docker-library/php/issues/1036#issuecomment-663107610 for a collection of issues opened with no actionable items.
What you can ask though is "is buster-slim considered an official image?" If so, they should have rebuilt it, if not, then we should switch over to benefit from those updates. But that's a general question and not something impactful regarding this ticket.
@gquintard, I raised the issue and it seems like the build is failing as there is an issue with fetching gpg keys: https://github.com/docker-library/official-images/issues/8537
Please let me know if you want me to raise a separate issue for tracking purposes.
Hi, looks like there is a security vulnerability in the Debian buster image that the Varnish 6.4.0 image is using: https://security-tracker.debian.org/tracker/CVE-2020-10757
It seems to be fixed by the latest version of buster. Would you please be able to update the Debian version of the Varnish image too and reupload?