
Docker Scout reports CVEs

Open mcandre opened this issue 1 year ago • 1 comment

Per https://github.com/golang/go/issues/64880#event-11346792239

mcandre avatar Jan 06 '24 07:01 mcandre

There are some package updates available. Once the next Debian base image rebuild is done (likely in the next couple days), then all Docker Official Images FROM them will be rebuilt and pull in any available package updates.

```console
$ docker run -it --rm golang:1.21
Unable to find image 'golang:1.21' locally
/usr/bin/docker-credential-desktop.exe: Invalid argument
1.21: Pulling from library/golang
Digest: sha256:672a2286da3ee7a854c3e0a56e0838918d0dbb1c18652992930293312de898a6
Status: Downloaded newer image for golang:1.21
root@293b0d41069d:/go# apt update
Get:1 http://deb.debian.org/debian bookworm InRelease [151 kB]
Get:2 http://deb.debian.org/debian bookworm-updates InRelease [52.1 kB]
Get:3 http://deb.debian.org/debian-security bookworm-security InRelease [48.0 kB]
Get:4 http://deb.debian.org/debian bookworm/main amd64 Packages [8787 kB]
Get:5 http://deb.debian.org/debian bookworm-updates/main amd64 Packages [12.7 kB]
Get:6 http://deb.debian.org/debian-security bookworm-security/main amd64 Packages [134 kB]
Fetched 9185 kB in 1s (8612 kB/s)
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
5 packages can be upgraded. Run 'apt list --upgradable' to see them.
root@293b0d41069d:/go# apt list --upgradable
Listing... Done
curl/stable-security 7.88.1-10+deb12u5 amd64 [upgradable from: 7.88.1-10+deb12u4]
libcurl3-gnutls/stable-security 7.88.1-10+deb12u5 amd64 [upgradable from: 7.88.1-10+deb12u4]
libcurl4/stable-security 7.88.1-10+deb12u5 amd64 [upgradable from: 7.88.1-10+deb12u4]
linux-libc-dev/stable-security 6.1.69-1 amd64 [upgradable from: 6.1.67-1]
openssh-client/stable-security 1:9.2p1-2+deb12u2 amd64 [upgradable from: 1:9.2p1-2+deb12u1]
```

Background:

Tags in the [official-images] library file[s] are only built through an update to that library file or as a result of its base image being updated (ie, an image FROM debian:bookworm would be rebuilt when debian:bookworm is built).

- https://github.com/docker-library/official-images/tree/2f086314307c04e1de77f0a515f20671e60d40bb#library-definition-files

Official Images FAQ:

Though not every CVE is removed from the images, we take CVEs seriously and try to ensure that images contain the most up-to-date packages available within a reasonable time frame

- https://github.com/docker-library/faq/tree/0ad5fd60288109c875a54a37f6581b2deaa836db#why-does-my-security-scanner-show-that-an-image-has-cves

To ensure that we don't push contentless image changes, we rely on periodic base image updates.

We strive to publish updated images at least monthly for Debian. We also rebuild earlier if there is a critical security need. Many Official Images are maintained by the community or their respective upstream projects, like Ubuntu, Alpine, and Oracle Linux, and are subject to their own maintenance schedule.

- from the same FAQ link

yosifkit avatar Jan 08 '24 23:01 yosifkit
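As an added example (not code from this issue or from the docker-library project), a small Go program that parses the `apt list --upgradable` listing shown in the reply above and reports which pending upgrades come from a Debian `*-security` suite, which is what a scanner such as Docker Scout flags between base-image rebuilds. The listing is embedded from the comment so it runs without apt; the type and function names are my own.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Upgrade is one line of `apt list --upgradable` output.
type Upgrade struct{ Name, Suite, Version, Arch, From string }

// Matches e.g. "curl/stable-security 7.88.1-10+deb12u5 amd64 [upgradable from: 7.88.1-10+deb12u4]".
var upgradableLine = regexp.MustCompile(`^([^/\s]+)/(\S+) (\S+) (\S+) \[upgradable from: (\S+)\]$`)

// ParseUpgradable extracts pending upgrades; "Listing... Done" and other non-matching lines are skipped.
func ParseUpgradable(out string) []Upgrade {
	var ups []Upgrade
	for _, line := range strings.Split(out, "\n") {
		m := upgradableLine.FindStringSubmatch(strings.TrimSpace(line))
		if m == nil {
			continue
		}
		ups = append(ups, Upgrade{Name: m[1], Suite: m[2], Version: m[3], Arch: m[4], From: m[5]})
	}
	return ups
}

// SecurityUpgrades keeps only packages served from a Debian *-security suite
// (stable-security, bookworm-security, ...), i.e. the fixes a CVE scanner reports as missing.
func SecurityUpgrades(ups []Upgrade) []Upgrade {
	var sec []Upgrade
	for _, u := range ups {
		if strings.HasSuffix(u.Suite, "-security") {
			sec = append(sec, u)
		}
	}
	return sec
}

// sampleAptOutput is the listing from the comment above, embedded so this runs offline.
const sampleAptOutput = `Listing... Done
curl/stable-security 7.88.1-10+deb12u5 amd64 [upgradable from: 7.88.1-10+deb12u4]
libcurl3-gnutls/stable-security 7.88.1-10+deb12u5 amd64 [upgradable from: 7.88.1-10+deb12u4]
libcurl4/stable-security 7.88.1-10+deb12u5 amd64 [upgradable from: 7.88.1-10+deb12u4]
linux-libc-dev/stable-security 6.1.69-1 amd64 [upgradable from: 6.1.67-1]
openssh-client/stable-security 1:9.2p1-2+deb12u2 amd64 [upgradable from: 1:9.2p1-2+deb12u1]
`

func main() {
	for _, u := range SecurityUpgrades(ParseUpgradable(sampleAptOutput)) {
		fmt.Printf("%-16s %s -> %s (%s)\n", u.Name, u.From, u.Version, u.Suite)
	}
}
```

Inside a container the same parser can consume the live output of `apt-get update && apt list --upgradable` to tell whether a tag is still waiting on its base-image rebuild.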