
Known fix for CVE-2022-43680

Open mathieu-benoit opened this issue 3 years ago • 2 comments

Are you going to integrate the known fix for CVE-2022-43680 (High - 7.5)?

  • https://nvd.nist.gov/vuln/detail/CVE-2022-43680
  • https://security-tracker.debian.org/tracker/CVE-2022-43680

More details by Docker Hub here: https://dso.docker.com/images/python/digests/sha256%3Ad29fc682d30b314f41d5bb9e19ffe0b8fa128b836146a0a5b19dd60e96d1c19b?vtab=high

I read your FAQ entry about CVEs, but wondering if this fix will be integrated soon.

mathieu-benoit, Oct 31 '22 12:10

Python will get rebuilt eventually

There wasn't a fix available in Debian as of https://github.com/docker-library/python/pull/766, but it seems to have been added since. If their update to libexpat 2.5.0 on the 25th coincided with security updates to previous supported versions, then we missed it by a day for Python 3.11 and a week for the other variants.

Background:

Tags in the [official-images] library file[s] are only built through an update to that library file [–like if the Dockerfile is updated–] or as a result of its base image being updated (ie, an image FROM debian:buster would be rebuilt when debian:buster is built).

- https://github.com/docker-library/official-images/tree/2f086314307c04e1de77f0a515f20671e60d40bb#library-definition-files

Official Images FAQ:

Though not every CVE is removed from the images, we take CVEs seriously and try to ensure that images contain the most up-to-date packages available within a reasonable time frame

- https://github.com/docker-library/faq/tree/0ad5fd60288109c875a54a37f6581b2deaa836db#why-does-my-security-scanner-show-that-an-image-has-cves

Since our build system makes heavy use of Docker build cache, just rebuilding all of the Dockerfiles won't cause any change. So we rely on periodic base image updates.

We strive to publish updated images at least monthly for Debian. We also rebuild earlier if there is a critical security need. Many Official Images are maintained by the community or their respective upstream projects, like Ubuntu, Alpine, and Oracle Linux, and are subject to their own maintenance schedule.

- from the same FAQ link

wglambert, Oct 31 '22 16:10
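The comment above explains that a CVE fix only reaches a python image once the Debian base image is rebuilt and the tag is republished, so the check a practitioner actually wants is whether the image they pulled carries the patched package, rather than whether a new tag exists. The following is an added example, not code from this issue or from the docker-library project: it compares the libexpat1 version reported by dpkg-query inside a container against the fixed version listed on the Debian security tracker, using the dpkg version ordering (epoch, then upstream version, then Debian revision, with `~` sorting before everything including end of string). The sample dpkg-query output, the image tag in the comment, and the fixed version string are constructed placeholders; take the real fixed version for your Debian release from the tracker link in the issue.

```python
import re

# Produce the input for this script from a pulled image, e.g. (image tag is a placeholder):
#   docker run --rm python:3.9-slim dpkg-query -W -f '${Package} ${Version}\n' libexpat1
# and pass the printed line(s) to audit_dpkg_output() together with the fixed version
# taken from https://security-tracker.debian.org/tracker/CVE-2022-43680.


def _char_order(c):
    """dpkg's ordering of non-digit characters: '~' < end-of-string < letters < other."""
    if c == "~":
        return -1
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _compare_fragment(a, b):
    """Compare two non-digit runs character by character; missing chars rank as 0."""
    for i in range(max(len(a), len(b))):
        oa = _char_order(a[i]) if i < len(a) else 0
        ob = _char_order(b[i]) if i < len(b) else 0
        if oa != ob:
            return -1 if oa < ob else 1
    return 0


def _compare_part(a, b):
    """Compare an upstream version or Debian revision per Debian Policy 5.6.12."""
    while a or b:
        # Alternate between non-digit runs (lexical, dpkg order) and digit runs (numeric).
        na = re.match(r"[^0-9]*", a).group()
        nb = re.match(r"[^0-9]*", b).group()
        r = _compare_fragment(na, nb)
        if r:
            return r
        a, b = a[len(na):], b[len(nb):]
        da = re.match(r"[0-9]*", a).group()
        db = re.match(r"[0-9]*", b).group()
        ia, ib = int(da or 0), int(db or 0)
        if ia != ib:
            return -1 if ia < ib else 1
        a, b = a[len(da):], b[len(db):]
    return 0


def parse_version(v):
    """Split '[epoch:]upstream[-revision]' into its three components."""
    epoch = 0
    if ":" in v:
        e, v = v.split(":", 1)
        epoch = int(e)
    if "-" in v:
        upstream, revision = v.rsplit("-", 1)  # only the last '-' starts the revision
    else:
        upstream, revision = v, ""
    return epoch, upstream, revision


def compare_versions(a, b):
    """Return <0, 0 or >0 like dpkg --compare-versions would order a against b."""
    ea, ua, ra = parse_version(a)
    eb, ub, rb = parse_version(b)
    if ea != eb:
        return -1 if ea < eb else 1
    r = _compare_part(ua, ub)
    if r:
        return r
    return _compare_part(ra, rb)


def audit_dpkg_output(output, fixed_versions):
    """Parse 'Package Version' lines from dpkg-query and flag packages below the fixed version.

    Returns a list of (package, installed, fixed, is_fixed) tuples for packages of interest.
    """
    findings = []
    for line in output.splitlines():
        line = line.strip()
        if not line:
            continue
        pkg, installed = line.split(None, 1)
        if pkg in fixed_versions:
            fixed = fixed_versions[pkg]
            findings.append((pkg, installed, fixed, compare_versions(installed, fixed) >= 0))
    return findings


# Constructed sample: two images, one still on the pre-fix revision, one rebuilt.
# The fixed version is a placeholder in the bullseye security-update format.
FIXED = {"libexpat1": "2.2.10-2+deb11u5"}
STALE_IMAGE_OUTPUT = "libexpat1 2.2.10-2+deb11u4\n"
REBUILT_IMAGE_OUTPUT = "libexpat1 2.2.10-2+deb11u5\n"

if __name__ == "__main__":
    for name, out in (("stale", STALE_IMAGE_OUTPUT), ("rebuilt", REBUILT_IMAGE_OUTPUT)):
        for pkg, installed, fixed, ok in audit_dpkg_output(out, FIXED):
            print(f"{name}: {pkg} {installed} (fixed in {fixed}): {'patched' if ok else 'VULNERABLE'}")
```

Comparing by Debian version rather than by image tag or scanner verdict matters here because, as the comment notes, a tag can stay unchanged for days after the security update lands; an image digest pinned in a Dockerfile will keep the old package until the next rebuild is pulled.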

Because you mentioned 3.11, I just would like to mention that in my case I'm with 3.9 and 3.10.

mathieu-benoit, Oct 31 '22 16:10

I believe this has been addressed.

LaurentGoderre, Oct 27 '23 15:10