[bitnami/pgbouncer] CVEs
Name and Version
bitnami/pgbouncer:1.17.0
What is the problem this feature will solve?
The pgbouncer is affected by the following vulnerabilities (mostly related to curl)
https://nvd.nist.gov/vuln/detail/CVE-2021-22945 (critical)
https://nvd.nist.gov/vuln/detail/CVE-2022-32207 (critical)
https://nvd.nist.gov/vuln/detail/CVE-2022-29162
https://nvd.nist.gov/vuln/detail/CVE-2022-27782
https://nvd.nist.gov/vuln/detail/CVE-2022-27781
https://nvd.nist.gov/vuln/detail/CVE-2021-22946
https://nvd.nist.gov/vuln/detail/CVE-2022-27775
https://nvd.nist.gov/vuln/detail/CVE-2022-27776
https://github.com/advisories/GHSA-f3fp-gc8g-vw66
https://nvd.nist.gov/vuln/detail/CVE-2021-22947
https://nvd.nist.gov/vuln/detail/CVE-2022-27774
https://nvd.nist.gov/vuln/detail/CVE-2022-32206
https://nvd.nist.gov/vuln/detail/CVE-2022-32205
https://github.com/advisories/GHSA-v95c-p5hm-xq8f
https://nvd.nist.gov/vuln/detail/CVE-2021-43784
https://nvd.nist.gov/vuln/detail/CVE-2022-32208
What is the feature you are proposing to solve the problem?
Update curl
What alternatives have you considered?
No response
Hi, unfortunately, if those security vulnerabilities are appearing in the latest versions, it is because they are not fixed by the OS or the application itself. Although we build the images on a regular basis to provide the latest version of system packages, this kind of CVE will be reported while there is no new version patching the issue in the OS or the application:
$ trivy image --ignore-unfixed --vuln-type os bitnami/pgbouncer:1.17.0
2022-08-09T19:36:05.774+0200 INFO Vulnerability scanning is enabled
2022-08-09T19:36:05.775+0200 INFO Secret scanning is enabled
2022-08-09T19:36:05.775+0200 INFO If your scanning is slow, please try '--security-checks vuln' to disable secret scanning
2022-08-09T19:36:05.775+0200 INFO Please see also https://aquasecurity.github.io/trivy/0.30.4/docs/secret/scanning/#recommendation for faster secret detection
2022-08-09T19:36:07.105+0200 INFO Detected OS: debian
2022-08-09T19:36:07.105+0200 INFO Detecting Debian vulnerabilities...
bitnami/pgbouncer:1.17.0 (debian 11.4)
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
The Bitnami Application Catalog (OpenSource) is based on Debian 11 but Bitnami, as part of VMware, provides a custom container and Helm Charts catalog based on the desired base image (generic distro such as Debian 10 & 11, CentOS 7, PhotonOS 3 & 4, Ubuntu 18.04 & 20.04, or custom golden image) through the VMware Tanzu Application Catalog.
In addition, we are working to reduce the number of dependencies or packages included in our images. curl is one of these dependencies, mainly used at build time, but it is not needed at run time in most of the images.
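The maintainer's scan above uses `--ignore-unfixed`, which is why it reports zero findings while the reporter's list is non-empty: Trivy drops every vulnerability for which the distribution has not yet published a fixed package version. The following Python script is an added example (not part of this issue, and not Bitnami's or Trivy's code) that post-processes a Trivy JSON report (`trivy image --format json ...`) to separate the two classes explicitly, so a team can rebuild for the fixable findings and track the unfixed ones as accepted risk until Debian ships a patch. It assumes the report layout of Trivy's JSON output (`Results` entries each carrying a `Vulnerabilities` array with `VulnerabilityID`, `PkgName`, `InstalledVersion`, `FixedVersion` and `Severity`), and the embedded sample report is constructed with placeholder CVE identifiers rather than taken from a real scan of the image.

```python
"""Triage a Trivy JSON report into fixable vs. unfixed findings.

Added example; mirrors the effect of `trivy --ignore-unfixed` in a form
that keeps the unfixed findings visible instead of dropping them.
"""
import json
from collections import Counter

# Severity order used by Trivy's own "Total: ..." summary line.
SEVERITIES = ("UNKNOWN", "LOW", "MEDIUM", "HIGH", "CRITICAL")

# Constructed sample in the layout of `trivy image --format json`.
# The CVE ids, package versions and target name are placeholders, not real data.
SAMPLE_REPORT = json.dumps({
    "Results": [
        {
            "Target": "example/image:tag (debian 11.4)",
            "Class": "os-pkgs",
            "Type": "debian",
            "Vulnerabilities": [
                # No FixedVersion: the distro has not published a patch yet.
                {"VulnerabilityID": "CVE-0000-0001", "PkgName": "curl",
                 "InstalledVersion": "7.74.0-1.3+deb11u1", "FixedVersion": "",
                 "Severity": "CRITICAL"},
                # FixedVersion present: rebuilding on current packages removes it.
                {"VulnerabilityID": "CVE-0000-0002", "PkgName": "libcurl4",
                 "InstalledVersion": "7.74.0-1.3+deb11u1",
                 "FixedVersion": "7.74.0-1.3+deb11u2", "Severity": "HIGH"},
                # FixedVersion key absent entirely, which Trivy also does for unfixed.
                {"VulnerabilityID": "CVE-0000-0003", "PkgName": "libc6",
                 "InstalledVersion": "2.31-13+deb11u3", "Severity": "LOW"},
            ],
        }
    ]
})


def load_findings(report_json: str) -> list:
    """Flatten a Trivy JSON report into one dict per (target, vulnerability)."""
    report = json.loads(report_json)
    findings = []
    for result in report.get("Results", []):
        # Trivy emits "Vulnerabilities": null for clean targets, hence `or []`.
        for vuln in result.get("Vulnerabilities") or []:
            findings.append({
                "target": result.get("Target", ""),
                "id": vuln.get("VulnerabilityID", ""),
                "pkg": vuln.get("PkgName", ""),
                "installed": vuln.get("InstalledVersion", ""),
                "fixed": vuln.get("FixedVersion") or "",
                "severity": vuln.get("Severity", "UNKNOWN"),
            })
    return findings


def triage(findings: list) -> tuple:
    """Split findings as --ignore-unfixed would: a finding is actionable for the
    image builder only when the distro has published a fixed package version."""
    fixable = [f for f in findings if f["fixed"]]
    unfixed = [f for f in findings if not f["fixed"]]
    return fixable, unfixed


def summary_line(findings: list) -> str:
    """Render the same 'Total: N (UNKNOWN: .., ...)' line Trivy prints."""
    counts = Counter(f["severity"] for f in findings)
    parts = ", ".join(f"{s}: {counts.get(s, 0)}" for s in SEVERITIES)
    return f"Total: {len(findings)} ({parts})"


if __name__ == "__main__":
    all_findings = load_findings(SAMPLE_REPORT)
    fixable, unfixed = triage(all_findings)
    print("All findings:      ", summary_line(all_findings))
    print("Fixable (rebuild): ", summary_line(fixable))
    for f in fixable:
        print(f"  {f['id']} {f['pkg']} {f['installed']} -> {f['fixed']}")
    print("Unfixed (track):   ", summary_line(unfixed))
    for f in unfixed:
        print(f"  {f['id']} {f['pkg']} {f['installed']} (no distro fix yet)")
```

Run it against a real report with `trivy image --format json -o report.json <image>` and replace `SAMPLE_REPORT` with the file contents; the "Fixable" list is what a rebuild on current packages will clear, and the "Unfixed" list is what remains regardless of how often the image is rebuilt, which is exactly the situation the maintainer describes for the curl CVEs.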
This Issue has been automatically marked as "stale" because it has not had recent activity (for 15 days). It will be closed if no further activity occurs. Thanks for the feedback.
Due to the lack of activity in the last 5 days since it was marked as "stale", we proceed to close this Issue. Do not hesitate to reopen it later if necessary.