
question on how are system libraries updated?

Open pahnin opened this issue 1 year ago • 2 comments

For a couple of weeks, the ruby image has been showing as vulnerable because the rexml gem coming from the ruby images seems to be stuck at 3.2.8

https://github.com/advisories/GHSA-vg3r-rm7w-2xgh

The rexml version that seems safe to use is 3.3.6

but the system ruby available in all ruby images seems to be stuck at 3.2.8

I don't see how this can be updated unless someone triggers a rebuild of the docker images?

I don't know what the process involved is, or whether I should submit a PR?

pahnin avatar Sep 02 '24 05:09 pahnin
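To see what the question above is reporting from inside a container, here is an added check (not from the issue or the docker-library project) that lists every rexml version RubyGems can see, including the default gem shipped with Ruby, and compares the highest one against 3.3.6, the version the issue names as safe. The comparison uses Gem::Version rather than string comparison, so a future 3.10.x would not be misjudged as older than 3.3.6.

```ruby
# Added example, not part of the issue thread: report whether the rexml
# visible to this Ruby is at or above the version the issue names as fixed.
require "rubygems"

# Fixed version as stated in the issue (3.3.6 for GHSA-vg3r-rm7w-2xgh).
REXML_FIXED_VERSION = Gem::Version.new("3.3.6")

# Highest of the given version strings, or nil for an empty list.
# Gem::Version orders "3.10.0" above "3.3.6"; string comparison would not.
def highest_version(version_strings)
  version_strings.map { |v| Gem::Version.new(v) }.max
end

# True when the newest rexml available meets the fixed version. A default
# gem stuck at 3.2.8 stays installed, but a newer rexml installed next to it
# (for example from a Gemfile) is the one Bundler activates.
def rexml_fixed?(version_strings, fixed: REXML_FIXED_VERSION)
  best = highest_version(version_strings)
  !best.nil? && best >= fixed
end

# Every rexml spec RubyGems knows about: the default gem bundled with Ruby
# plus anything installed later. Returns [] when rexml is absent.
def installed_rexml_versions
  Gem::Specification.find_all_by_name("rexml").map { |s| s.version.to_s }
end

if __FILE__ == $PROGRAM_NAME
  versions = installed_rexml_versions
  puts "rexml versions visible: #{versions.empty? ? 'none' : versions.join(', ')}"
  if rexml_fixed?(versions)
    puts "OK: rexml >= #{REXML_FIXED_VERSION}"
  else
    puts "VULNERABLE: rexml below #{REXML_FIXED_VERSION}"
  end
end
```

Run it as `docker run --rm -v "$PWD":/w ruby:<tag> ruby /w/check_rexml.rb` to inspect a specific image tag; the default gem version itself only changes when the image is rebuilt against a newer Ruby, as the replies below explain.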

The image will be rebuilt when a new release of Ruby is available or when the Debian image gets an update (whichever comes first).

LaurentGoderre avatar Sep 03 '24 14:09 LaurentGoderre

I think this is a case of a Gem that's part of Ruby upstream's distribution of Ruby itself, not something we've explicitly installed.

It does look like CVE fixes for REXML were included in https://github.com/ruby/ruby/releases/tag/v3_3_5 though, so this might be fixed by https://github.com/docker-library/ruby/commit/04175a1c782da7183d8cd1ebed8c91b3ce0fe50b? (https://github.com/docker-library/official-images/pull/17475)

tianon avatar Sep 03 '24 20:09 tianon