
pgbouncer: built docker image is vulnerable and uses EOL base image

Open danielhoherd opened this issue 4 years ago • 0 comments

https://github.com/CenterForOpenScience/docker-library/blob/eabb0d50e3d347396a0aa8f0e7723c52e046630c/pgbouncer/Dockerfile#L1

The image built by this Dockerfile is 3 years old and has a high-level vulnerability that has been patched in a newer version. For its base image, it uses a version of Alpine that reached end-of-support over a year ago.

$ date
Mon Dec 14 17:06:32 PST 2020
$ docker run --rm -ti quay.io/centerforopenscience/pgbouncer:1.8.1 sh
Unable to find image 'quay.io/centerforopenscience/pgbouncer:1.8.1' locally
1.8.1: Pulling from centerforopenscience/pgbouncer
2fdfe1cd78c2: Pull complete
c793e0056529: Pull complete
6bae82978a32: Pull complete
Digest: sha256:fa5c09bf5c39539492f8db53ff66eeb6354a6e41eea101baecbadf88897c76b3
Status: Downloaded newer image for quay.io/centerforopenscience/pgbouncer:1.8.1
/ # cat /etc/os-release
NAME="Alpine Linux"
ID=alpine
VERSION_ID=3.7.0
PRETTY_NAME="Alpine Linux v3.7"
HOME_URL="http://alpinelinux.org"
BUG_REPORT_URL="http://bugs.alpinelinux.org"

It's old enough that security scanners are just saying 🤷‍♂️ or "The vulnerability detection may be insufficient because security updates are not provided".

danielhoherd, Dec 15 '20 01:12
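The manual check in the issue (run the image, read /etc/os-release, compare against Alpine's support calendar) is easy to script so it can gate a CI pipeline instead of relying on scanners that give up on unsupported branches. The POSIX sh script below is an added example and is not code from the docker-library repository or from the issue author. Its EOL table is hand-copied from https://alpinelinux.org/releases/ for the branches that existed around the time of the issue and must be extended for newer ones; `check_image` is an assumed wrapper that needs docker and network access, while the constructed sample file reproduces the os-release fields shown in the issue so the rest runs offline.

```shell
#!/bin/sh
# Added example: flag container images whose Alpine base has reached end of support.
# Not part of the docker-library repo. EOL dates copied by hand from
# https://alpinelinux.org/releases/ ; extend the table for newer branches.

# Print the EOL date (YYYY-MM-DD) of an Alpine branch such as "3.7", or fail if unknown.
alpine_eol_date() {
    case "$1" in
        3.7)  echo 2019-11-01 ;;
        3.8)  echo 2020-05-01 ;;
        3.9)  echo 2021-01-01 ;;
        3.10) echo 2021-05-01 ;;
        3.11) echo 2021-11-01 ;;
        3.12) echo 2022-05-01 ;;
        *)    return 1 ;;
    esac
}

# Read ID and VERSION_ID from an os-release file (path in $1). os-release is
# shell-compatible by design, so it is sourced inside a subshell.
os_release_fields() {
    # shellcheck disable=SC1090
    ( . "$1" && printf '%s %s\n' "$ID" "$VERSION_ID" )
}

# classify_base <os-release path> <today as YYYY-MM-DD>
# Prints "eol <date>" (exit 1), "supported <date>" (exit 0) or "unknown ..." (exit 2).
classify_base() {
    fields=$(os_release_fields "$1") || return 2
    id=${fields%% *}
    ver=${fields#* }
    if [ "$id" != alpine ]; then
        echo "unknown (not alpine: $id $ver)"; return 2
    fi
    branch=$(echo "$ver" | cut -d. -f1,2)          # 3.7.0 -> 3.7
    if ! eol=$(alpine_eol_date "$branch"); then
        echo "unknown (alpine $branch not in EOL table)"; return 2
    fi
    # Compare dates numerically as YYYYMMDD so this works in any POSIX sh.
    if [ "$(echo "$2" | tr -d -)" -ge "$(echo "$eol" | tr -d -)" ]; then
        echo "eol $eol"; return 1
    fi
    echo "supported $eol"; return 0
}

# Assumed helper: pull an image and classify its own /etc/os-release.
# --entrypoint cat bypasses whatever entrypoint the image defines.
check_image() {
    tmp=$(mktemp)
    if ! docker run --rm --entrypoint cat "$1" /etc/os-release > "$tmp"; then
        rm -f "$tmp"; return 2
    fi
    classify_base "$tmp" "$(date +%Y-%m-%d)"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Constructed sample: the os-release fields the issue shows for pgbouncer:1.8.1.
SAMPLE_OS_RELEASE=$(mktemp)
trap 'rm -f "$SAMPLE_OS_RELEASE"' EXIT
cat > "$SAMPLE_OS_RELEASE" <<'EOF'
NAME="Alpine Linux"
ID=alpine
VERSION_ID=3.7.0
PRETTY_NAME="Alpine Linux v3.7"
EOF

# Evaluated as of the date in the issue; prints "eol 2019-11-01".
if classify_base "$SAMPLE_OS_RELEASE" 2020-12-14; then
    echo "base image still supported"
else
    echo "base image is EOL or unknown; refuse to ship"
fi
```

In a pipeline you would call `check_image quay.io/centerforopenscience/pgbouncer:1.8.1` and fail the build on a non-zero exit. Note that "unknown" is deliberately a failure too: an image whose base cannot be identified, or whose branch is missing from the table, deserves a human look rather than a silent pass, which is exactly the blind spot the issue describes in the scanners.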