python
There are two new CVEs in OpenSSH used by at least shared-tag `3.9`.
https://github.com/docker-library/python/blob/2d31ccc9f8487908ded7944a54b8e923eff9ad1f/3.9/bookworm/Dockerfile
These two CVEs have been found in the python:3.9 container. Both are critical. Remediation requires openssh 9.6 or better. The manifest shows 8.4 being in use.
Seeing the same issue. Looks like it's the underlying debian version being used?
@wimaac, I expect that is true. Both appear to have resolutions. https://security-tracker.debian.org/tracker/source-package/openssh
- https://security-tracker.debian.org/tracker/CVE-2023-51385
- https://security-tracker.debian.org/tracker/CVE-2023-28531
Perhaps the fix for the Python image is to update to use a resource in fixed status?
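One practical check when triaging a scanner report like this: Debian backports security fixes into the existing package version rather than moving to a new upstream release, so comparing the upstream number alone (8.4 against 9.6) does not tell you whether a given image still has the CVE. What matters is whether the installed Debian package version is at or above the "fixed" version the security tracker lists for that release. The script below is an added example, not part of this thread or of the docker-library project. It implements the dpkg version-ordering rules (epoch, upstream, Debian revision, with `~` sorting before everything) and runs them over a constructed `dpkg-query` output line; the fixed version in it is a constructed placeholder and must be replaced by the value from the tracker pages linked above.

```python
"""Compare an installed Debian package version against a tracker 'fixed' version.

Obtain the real installed line with, for example:
    docker run --rm python:3.9 dpkg-query -W -f='${Package} ${Version}\n' openssh-client
The sample below is constructed for this example.
"""

# Constructed sample of `dpkg-query -W -f='${Package} ${Version}\n'` output.
CONSTRUCTED_DPKG_OUTPUT = """\
openssh-client 1:8.4p1-5+deb11u2
libssl1.1 1.1.1w-0+deb11u1
"""

# Placeholder only: look the real fixed version up on the Debian security tracker.
PLACEHOLDER_FIXED_VERSION = "1:8.4p1-5+deb11u3"


def _order(c: str) -> int:
    """Character weight used by dpkg: digits/end 0, '~' below all, letters, then others."""
    if c == "" or c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    if c == "~":
        return -1
    return ord(c) + 256


def _verrevcmp(a: str, b: str) -> int:
    """dpkg's verrevcmp: alternate non-digit and numeric segments left to right."""
    while a or b:
        first_diff = 0
        while (a and not a[0].isdigit()) or (b and not b[0].isdigit()):
            ac, bc = _order(a[:1]), _order(b[:1])
            if ac != bc:
                return ac - bc
            a, b = a[1:], b[1:]
        a, b = a.lstrip("0"), b.lstrip("0")
        while a and b and a[0].isdigit() and b[0].isdigit():
            if not first_diff:
                first_diff = ord(a[0]) - ord(b[0])
            a, b = a[1:], b[1:]
        if a and a[0].isdigit():
            return 1
        if b and b[0].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def split_debian_version(v: str) -> tuple[int, str, str]:
    """Split 'epoch:upstream-revision' into its three parts (epoch 0, revision '' if absent)."""
    epoch = 0
    if ":" in v:
        e, v = v.split(":", 1)
        epoch = int(e)
    if "-" in v:
        upstream, revision = v.rsplit("-", 1)
    else:
        upstream, revision = v, ""
    return epoch, upstream, revision


def compare_debian_versions(v1: str, v2: str) -> int:
    """Return -1, 0 or 1 following dpkg --compare-versions semantics."""
    e1, u1, r1 = split_debian_version(v1)
    e2, u2, r2 = split_debian_version(v2)
    if e1 != e2:
        return (e1 > e2) - (e1 < e2)
    c = _verrevcmp(u1, u2) or _verrevcmp(r1, r2)
    return (c > 0) - (c < 0)


def installed_versions(dpkg_output: str) -> dict[str, str]:
    """Parse '<package> <version>' lines into a dict."""
    versions = {}
    for line in dpkg_output.splitlines():
        if line.strip():
            pkg, ver = line.split(None, 1)
            versions[pkg] = ver.strip()
    return versions


def needs_update(installed: str, fixed: str) -> bool:
    """True when the installed package is older than the tracker's fixed version."""
    return compare_debian_versions(installed, fixed) < 0


if __name__ == "__main__":
    installed = installed_versions(CONSTRUCTED_DPKG_OUTPUT)["openssh-client"]
    print(f"installed {installed}, fixed {PLACEHOLDER_FIXED_VERSION}: "
          f"update needed = {needs_update(installed, PLACEHOLDER_FIXED_VERSION)}")
```

The point of running the comparison this way is that an image reporting upstream `8.4p1` can still be fully patched if its Debian revision is at or past the tracker's fixed revision, while a scanner matching on "8.4 < 9.6" will keep flagging it.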
This is going to be fixed when buildpack-deps is updated.
Is that on a schedule, or when does that happen?
Background:
Tags in the [official-images] library file[s] are only built through an update to that library file or as a result of its base image being updated (ie, an image `FROM debian:bookworm` would be rebuilt when `debian:bookworm` is built).
- https://github.com/docker-library/official-images/tree/2f086314307c04e1de77f0a515f20671e60d40bb#library-definition-files
Official Images FAQ:
Though not every CVE is removed from the images, we take CVEs seriously and try to ensure that images contain the most up-to-date packages available within a reasonable time frame
- https://github.com/docker-library/faq/tree/0ad5fd60288109c875a54a37f6581b2deaa836db#why-does-my-security-scanner-show-that-an-image-has-cves
To ensure that we don't push contentless image changes, we rely on periodic base image updates.
We strive to publish updated images at least monthly for Debian. We also rebuild earlier if there is a critical security need. Many Official Images are maintained by the community or their respective upstream projects, like Ubuntu, Alpine, and Oracle Linux, and are subject to their own maintenance schedule.
- from the same FAQ link
So, there will likely be a `debian` rebuild in the coming week or two which would then cause a rebuild of all Official Images from it (like `buildpack-deps` and `python`).
Thanks for the updates!
I presume this issue can now be closed, since the base `buildpack-deps` image will have been updated several times since?