varnish / docker-varnish

Official docker image
https://hub.docker.com/_/varnish

Security vulnerability in Varnish 6.4.0 Docker image #18

Closed pacifier17 closed 4 years ago

pacifier17 commented 4 years ago

Hi, looks like there is a security vulnerability in the Debian buster image that the Varnish 6.4.0 image is using: https://security-tracker.debian.org/tracker/CVE-2020-10757

It seems to be fixed by the latest version of buster. Would you please be able to update the Debian version of the Varnish image too and reupload?

gquintard commented 4 years ago

Hi,

Thank you for the notification. One question, since this is a kernel issue, doesn't it mean that it's only a host issue?

pacifier17 commented 4 years ago

Yeah, but I think you can pretty much exec into the pod the same way you do that into a host. Either way, an automatic image scanning tool (like Clair) was reporting this vulnerability and asking to update the image to the newer version of Debian.

gquintard commented 4 years ago

> Yeah, but I think you can pretty much exec into the pod the same way you do that into a host.

It doesn't matter, the kernel being run is the host's, not ours. The scanning tool is probably just checking the installed package list and doesn't care if it's actually used.

gquintard commented 4 years ago

Closing as there is nothing actionable here. The kernel isn't used, and even if it was, the Dockerfile doesn't need to change, as a fix just requires a rebuild of the image, which is done regularly by https://github.com/docker-library/official-images
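The triage rule the two comments above describe, as an added example that is not part of this thread or the docker-varnish project: a finding against a kernel package in the image's package list is a host concern, while any other package finding is fixed by rebuilding on a newer base with no Dockerfile change. The scanner finding format, the package name prefixes and the push dates are assumptions constructed for the example.

```python
"""Triage container-image scanner findings as the thread reasons about them."""
from dataclasses import dataclass
from datetime import date

# Kernel-related Debian packages (assumed prefixes). A container never runs
# its own kernel, so a CVE flagged on these cannot be fixed inside the image.
KERNEL_PACKAGE_PREFIXES = ("linux-libc-dev", "linux-image", "linux-headers")


@dataclass
class Finding:
    cve: str
    package: str
    fixed_in_base: bool  # scanner says the base distribution ships a fixed package


def classify(finding: Finding) -> str:
    """Return the actionable item for one finding."""
    if finding.package.startswith(KERNEL_PACKAGE_PREFIXES):
        return "host-kernel"  # patch the host kernel, not the image
    if finding.fixed_in_base:
        return "rebuild"  # rebuild on the current base; Dockerfile unchanged
    return "wait-upstream"  # nothing the image maintainer can do yet


def needs_rebuild(image_pushed: date, base_pushed: date, findings) -> bool:
    """True only when a rebuild would actually pick up a fix:
    the base image is newer than the derived image AND at least one
    finding is a userspace package that the newer base fixes."""
    return base_pushed > image_pushed and any(
        classify(f) == "rebuild" for f in findings
    )


# Constructed sample data: the kernel CVE from the thread plus a hypothetical
# userspace finding with a placeholder identifier. Dates mirror the thread's
# "image updated 2 months ago, buster-slim updated 8 days ago".
SAMPLE_FINDINGS = [
    Finding("CVE-2020-10757", "linux-libc-dev", fixed_in_base=True),
    Finding("CVE-XXXX-PLACEHOLDER", "libexample1", fixed_in_base=True),
]
IMAGE_PUSHED = date(2020, 5, 20)
BASE_PUSHED = date(2020, 7, 12)


def triage(findings=SAMPLE_FINDINGS) -> dict:
    """Map each CVE to its action and say whether an image rebuild is warranted."""
    actions = {f.cve: classify(f) for f in findings}
    actions["rebuild_needed"] = needs_rebuild(IMAGE_PUSHED, BASE_PUSHED, findings)
    return actions


if __name__ == "__main__":
    print(triage())
```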

pacifier17 commented 4 years ago

Yep, you are correct, but it looks like the images are not being rebuilt regularly? I see it was last updated 2 months ago: https://hub.docker.com/_/varnish?tab=tags

I can see that the buster-slim image that you are using was updated 8 days ago: https://hub.docker.com/_/debian?tab=tags&page=1&name=buster-slim

Should I create an issue here instead to have them rebuild the Varnish image: https://github.com/docker-library/official-images/issues ?

gquintard commented 4 years ago

I'd read https://github.com/docker-library/faq#why-does-my-security-scanner-show-that-an-image-has-cves which states that they rebuild them regularly.

You can also check https://github.com/docker-library/php/issues/1036#issuecomment-663107610 for a collection of issues opened with no actionable items.

What you can ask though is "is buster-slim considered an official image? If so, they should have rebuilt it; if not, then we should switch over to benefit from those updates." But that's a general question and not something impactful regarding this ticket.

pacifier17 commented 4 years ago

@gquintard, I raised the issue and it seems like the build is failing as there is an issue with fetching gpg keys: https://github.com/docker-library/official-images/issues/8537

Please let me know if you want me to raise a separate issue for tracking purposes.