
There are two new CVEs in OpenSSH used by at least shared-tag 3.9. #896

Open
mmynsted opened this issue Dec 27, 2023 · 6 comments

Comments

@mmynsted

https://github.com/docker-library/python/blob/2d31ccc9f8487908ded7944a54b8e923eff9ad1f/3.9/bookworm/Dockerfile

CVE-2023-28531

CVE-2023-51385

These two CVEs have been found in the python:3.9 container. Both are critical. Remediation requires OpenSSH 9.6 or better. The manifest shows 8.4 being in use.

@wimaac

wimaac commented Dec 28, 2023

Seeing the same issue. Looks like it's the underlying Debian version being used?

@mmynsted
Author

mmynsted commented Dec 29, 2023

@wimaac, I expect that is true. Both appear to have resolutions.
https://security-tracker.debian.org/tracker/source-package/openssh

Perhaps the fix for the Python image is to update to use a resource in fixed status?
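A check worth running before filing or closing a report like this one, added here as an example and not code from docker-library or the thread's participants: Debian backports security fixes without bumping the upstream version, so a scanner that compares the upstream "8.4" against "9.6" can flag an image whose openssh-client package already carries the patched Debian revision. The right comparison is the installed Debian version string against the "fixed" version listed on the Debian security tracker linked above, using dpkg's own ordering rules (epoch, then upstream, then revision, with `~` sorting lowest). The sample `dpkg-query` line below is constructed, and the fixed versions in `FIXED_VERSIONS` are assumed placeholders; take the real ones from the tracker page.

```python
"""Compare an image's openssh-client version against Debian's fixed version
using dpkg's version-ordering rules (a re-implementation of dpkg's verrevcmp).

Added example for this thread, not docker-library code. FIXED_VERSIONS holds
ASSUMED placeholder values; read the authoritative ones from
https://security-tracker.debian.org/tracker/source-package/openssh
"""
from typing import Optional, Tuple

# Constructed sample of what this command prints inside the image:
#   docker run --rm python:3.9 dpkg-query -W -f='${Package}\t${Version}\n' openssh-client
SAMPLE_DPKG_OUTPUT = "openssh-client\t1:8.4p1-5+deb11u3\n"

# ASSUMED per-suite fixed versions of the openssh source package (placeholders).
FIXED_VERSIONS = {
    "bullseye": "1:8.4p1-5+deb11u3",
    "bookworm": "1:9.2p1-2+deb12u2",
}


def _order(c: str) -> int:
    """Sort weight of one character, mirroring dpkg's order(): '~' < end of string
    < letters < everything else; digits are handled by the numeric loop."""
    if c == "~":
        return -1
    if c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _verrevcmp(a: str, b: str) -> int:
    """dpkg's comparison of an upstream or revision string: alternate between
    non-digit runs (compared by _order) and digit runs (compared numerically)."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i]) if i < len(a) else 0
            bc = _order(b[j]) if j < len(b) else 0
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        while i < len(a) and a[i] == "0":          # leading zeros are insignificant
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and j < len(b) and a[i].isdigit() and b[j].isdigit():
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i].isdigit():          # longer digit run wins
            return 1
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def parse_version(v: str) -> Tuple[int, str, str]:
    """Split '[epoch:]upstream[-revision]'; the revision is after the LAST '-'."""
    epoch, upstream, revision = 0, v, ""
    if ":" in upstream:
        e, upstream = upstream.split(":", 1)
        epoch = int(e)
    if "-" in upstream:
        upstream, revision = upstream.rsplit("-", 1)
    return epoch, upstream, revision


def compare_versions(a: str, b: str) -> int:
    """-1, 0 or 1, matching `dpkg --compare-versions a lt|eq|gt b`."""
    ea, ua, ra = parse_version(a)
    eb, ub, rb = parse_version(b)
    if ea != eb:
        return -1 if ea < eb else 1
    for x, y in ((ua, ub), (ra, rb)):
        r = _verrevcmp(x, y)
        if r:
            return -1 if r < 0 else 1
    return 0


def installed_version(dpkg_output: str, package: str) -> Optional[str]:
    """Pick one package's version out of tab-separated dpkg-query output."""
    for line in dpkg_output.splitlines():
        name, _, version = line.partition("\t")
        if name == package:
            return version
    return None


def naive_upstream_check(version: str, upstream_fixed: str) -> bool:
    """What a scanner that ignores Debian revisions effectively does:
    compare only the upstream part against the upstream fix release."""
    return _verrevcmp(parse_version(version)[1], upstream_fixed) >= 0


def is_fixed(version: str, suite: str) -> bool:
    """True if the installed Debian version is at or past the suite's fixed version."""
    return compare_versions(version, FIXED_VERSIONS[suite]) >= 0


if __name__ == "__main__":
    v = installed_version(SAMPLE_DPKG_OUTPUT, "openssh-client")
    print("installed:", v)
    print("naive upstream check (>= 9.6p1):", naive_upstream_check(v, "9.6p1"))
    print("Debian-aware check (bullseye):", is_fixed(v, "bullseye"))
```

Running it on the constructed line shows the two checks disagreeing: the naive comparison says the 8.4p1 package is unpatched, while the Debian-aware comparison accepts the `+deb11u3` revision as at or past the assumed fixed version. Whether the real image is affected still depends on the actual values on the tracker, which is why the fixed versions above are marked as placeholders.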

@LaurentGoderre
Member

This is going to be fixed when buildpack-deps is updated.

@mmynsted
Author

mmynsted commented Jan 4, 2024

Is that on a schedule, or when does that happen?

@yosifkit
Member

yosifkit commented Jan 4, 2024

Background:

Tags in the [official-images] library file[s] are only built through an update to that library file or as a result of its base image being updated (ie, an image FROM debian:bookworm would be rebuilt when debian:bookworm is built).

- https://github.com/docker-library/official-images/tree/2f086314307c04e1de77f0a515f20671e60d40bb#library-definition-files

Official Images FAQ:

Though not every CVE is removed from the images, we take CVEs seriously and try to ensure that images contain the most up-to-date packages available within a reasonable time frame

- https://github.com/docker-library/faq/tree/0ad5fd60288109c875a54a37f6581b2deaa836db#why-does-my-security-scanner-show-that-an-image-has-cves

To ensure that we don't push contentless image changes, we rely on periodic base image updates.

We strive to publish updated images at least monthly for Debian. We also rebuild earlier if there is a critical security need. Many Official Images are maintained by the community or their respective upstream projects, like Ubuntu, Alpine, and Oracle Linux, and are subject to their own maintenance schedule.

- from the same FAQ link


So, there will likely be a Debian rebuild in the coming week or two, which would then cause a rebuild of all Official Images built from it (like buildpack-deps and python).

@wimaac

wimaac commented Jan 5, 2024

Thanks for the updates!


4 participants