envoy
Vulnerabilities in glibc Docker containers
There are 2 CVEs flagged by our image analysis tool that appear to affect the glibc version in envoy Docker containers.
Envoy version: envoy-distroless/v1.29.0 https://hub.docker.com/layers/envoyproxy/envoy-distroless/v1.29.0/images/sha256-3b1f8867772707b4e8c284cbe2a907b2ab44f57d71ad5a10e0c780a5c4444839?context=explore
glibc:2.36-9+deb12u3
CVE-2023-6779 CVE-2023-6780
cc: @phlax
we updated the image on main previously - currently the version is 49edf700 - not sure if that resolves the listed CVEs, but we can backport
distroless has now been updated to ~49edf70~ and backport PRs have been raised for supported branches
(EDIT: that should read 0e777c6)
Thanks @phlax!
In both of the base images below, the glibc version used is 2.36-9+deb12u4 (https://github.com/GoogleContainerTools/distroless/issues/1529)
FROM gcr.io/distroless/base-nossl-debian12:nonroot@sha256:51ab103bb161fdf8fee4c6311a2d41f484effc409d4f4c58342ab68b2da7ccc2 AS envoy-distroless
FROM gcr.io/distroless/base-nossl-debian12:nonroot@sha256:0e777c69ba810353b9f3f2033280bbe7d029d81fa55760f6eec817ef595aa19c AS envoy-distroless
Confirmed that the vulnerabilities below in glibc are already fixed or not affected:
CVE-2023-4911 https://security-tracker.debian.org/tracker/CVE-2023-4911
CVE-2023-4806 https://security-tracker.debian.org/tracker/CVE-2023-4806
CVE-2023-4527 https://security-tracker.debian.org/tracker/CVE-2023-4527
CVE-2023-0687 https://security-tracker.debian.org/tracker/CVE-2023-0687
CVE-2023-5156 https://security-tracker.debian.org/tracker/CVE-2023-5156
CVE-2023-6779 https://security-tracker.debian.org/tracker/CVE-2023-6779
CVE-2023-6780 https://security-tracker.debian.org/tracker/CVE-2023-6780
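The check done by hand in this thread (read the glibc version out of the base image, compare it with the version the Debian tracker lists as fixed) can be scripted. The example below is an added illustration, not code from this issue or from the envoy or distroless projects. It assumes the image carries dpkg metadata in the one-file-per-package layout that distroless images use (`/var/lib/dpkg/status.d/libc6`), implements Debian's version ordering so that `+deb12u3 < +deb12u4` and `~` pre-releases sort correctly, and takes the fixed version `2.36-9+deb12u4` for CVE-2023-6779 and CVE-2023-6780 from the thread above; the two status entries are constructed for the example and should be replaced with the real file pulled from the image.

```python
import re

# Fixed versions for bookworm. These two are taken from this thread (2.36-9+deb12u4
# fixes both CVEs per the Debian tracker links above); extend the map from the tracker.
FIXED_IN = {
    "CVE-2023-6779": "2.36-9+deb12u4",
    "CVE-2023-6780": "2.36-9+deb12u4",
}

# Constructed sample of /var/lib/dpkg/status.d/libc6 from the flagged image (deb12u3).
FLAGGED_STATUS = """\
Package: libc6
Status: install ok installed
Architecture: amd64
Source: glibc
Version: 2.36-9+deb12u3
"""

# Constructed sample for the updated base image (deb12u4).
UPDATED_STATUS = FLAGGED_STATUS.replace("deb12u3", "deb12u4")


def parse_dpkg_status(text):
    """Map package name -> version for every stanza in a dpkg status(.d) file."""
    pkgs = {}
    for stanza in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in stanza.splitlines():
            if ":" in line and not line.startswith((" ", "\t")):  # skip continuation lines
                key, _, value = line.partition(":")
                fields[key.strip()] = value.strip()
        if "Package" in fields and "Version" in fields:
            pkgs[fields["Package"]] = fields["Version"]
    return pkgs


def _order(c):
    # dpkg's ordering for non-digit characters: '~' sorts before end-of-string,
    # letters sort before punctuation.
    if c == "~":
        return -1
    if c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _verrevcmp(a, b):
    """dpkg's comparison of an upstream version or Debian revision fragment."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        # Compare the non-digit run character by character.
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i]) if i < len(a) else 0
            bc = _order(b[j]) if j < len(b) else 0
            if ac != bc:
                return ac - bc
            if i < len(a):
                i += 1
            if j < len(b):
                j += 1
        # Compare the numeric run as a number (leading zeros ignored, longer wins).
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and a[i].isdigit() and j < len(b) and b[j].isdigit():
            if first_diff == 0:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i].isdigit():
            return 1
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def _split(version):
    """Split 'epoch:upstream-revision' into its three parts (epoch and revision optional)."""
    epoch, sep, rest = version.partition(":")
    if not sep:
        epoch, rest = "0", version
    upstream, sep, revision = rest.rpartition("-")
    if not sep:
        upstream, revision = rest, ""
    return int(epoch), upstream, revision


def dpkg_compare(a, b):
    """Return -1, 0 or 1 like `dpkg --compare-versions` ordering."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    if ea != eb:
        return -1 if ea < eb else 1
    r = _verrevcmp(ua, ub) or _verrevcmp(ra, rb)
    return -1 if r < 0 else (1 if r > 0 else 0)


def check_cves(installed, fixed_in=FIXED_IN):
    """Classify each CVE as fixed (installed >= fixed version) or affected."""
    return {cve: ("fixed" if dpkg_compare(installed, fixed) >= 0 else "affected")
            for cve, fixed in fixed_in.items()}


def audit_libc6(status_text):
    """Parse a dpkg status file and report the CVE state of its libc6 package."""
    return check_cves(parse_dpkg_status(status_text)["libc6"])


if __name__ == "__main__":
    print("flagged image:", audit_libc6(FLAGGED_STATUS))
    print("updated image:", audit_libc6(UPDATED_STATUS))
```

Distroless images ship no shell, so the status file is easiest to pull out with `docker create` followed by `docker cp <container>:/var/lib/dpkg/status.d/libc6 .` rather than `docker exec`; feed that file to `audit_libc6`. The version comparison matters more than it looks: a plain string or float comparison gets `deb12u10` vs `deb12u9` and `~rc` suffixes wrong, which is exactly the kind of mistake that makes a scanner report a fixed package as vulnerable (or the reverse).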