amazon-ecs-ami

Docker version vulnerable to cve-2023-29406

Open swehner opened this issue 1 year ago • 4 comments

Summary

The current docker version 20.10.15 is vulnerable to a few issues, like:

https://nvd.nist.gov/vuln/detail/cve-2023-29406

https://nvd.nist.gov/vuln/detail/cve-2023-39325

And same for containerd: 1.7.2 is also affected by a few issues https://nvd.nist.gov/vuln/detail/cve-2023-47108

Is there any plan on updating docker and containerd versions for this image?

swehner avatar Mar 20 '24 11:03 swehner

This was addressed in #231.

majd avatar Apr 09 '24 09:04 majd

Thanks for the ticket; we have bumped to docker 25.0.3 for AL2023.

Also keep in mind that the docker versions in NIST CVE notices don't always 100% map to the docker version in Amazon Linux. If you look at CVE 2023-39325 in ALAS, for example, and then click through to the Amazon Linux 2 advisories, you can see that this CVE is fixed in 20.10.15 in Amazon Linux: https://alas.aws.amazon.com/cve/html/CVE-2023-39325.html

As soon as Amazon Linux 2 releases docker 25.0.3 we will be bumping our AL2 AMIs.

sparrc avatar Apr 19 '24 22:04 sparrc

> As soon as Amazon Linux 2 releases docker 25.0.3 we will be bumping our AL2 AMIs.

I think Docker 25.0.3 is now in the AL2 repos, could we get an AMI bump? 🙏

charlesbjohnson avatar Jul 08 '24 21:07 charlesbjohnson

> I think Docker 25.0.3 is now in the AL2 repos, could we get an AMI bump? 🙏

Thank you for the quick response! https://github.com/aws/amazon-ecs-ami/pull/269

I think this issue can be closed.

charlesbjohnson avatar Jul 15 '24 15:07 charlesbjohnson