kubernetes-reflector
update base image to debian 11.3
As per the following trivy scan, there are a few fixable CVEs here, would it be possible to update the base image?
trivy image --severity CRITICAL emberstack/kubernetes-reflector:6.1.47
2022-05-17T20:26:14.556-0400 INFO Detected OS: debian
2022-05-17T20:26:14.556-0400 INFO Detecting Debian vulnerabilities...
2022-05-17T20:26:14.571-0400 INFO Number of language-specific files: 0
emberstack/kubernetes-reflector:6.1.47 (debian 11.2)
====================================================
Total: 9 (CRITICAL: 9)
LIBRARY     VULNERABILITY ID  SEVERITY  INSTALLED VERSION  FIXED VERSION    TITLE
libc-bin    CVE-2021-33574    CRITICAL  2.31-13+deb11u2    2.31-13+deb11u3  glibc: mq_notify does not handle separately allocated thread attributes -->avd.aquasec.com/nvd/cve-2021-33574
libc-bin    CVE-2022-23218    CRITICAL  2.31-13+deb11u2    2.31-13+deb11u3  glibc: Stack-based buffer overflow in svcunix_create via long pathnames -->avd.aquasec.com/nvd/cve-2022-23218
libc-bin    CVE-2022-23219    CRITICAL  2.31-13+deb11u2    2.31-13+deb11u3  glibc: Stack-based buffer overflow in sunrpc clnt_create via a long pathname -->avd.aquasec.com/nvd/cve-2022-23219
libc6       CVE-2021-33574    CRITICAL  2.31-13+deb11u2    2.31-13+deb11u3  glibc: mq_notify does not handle separately allocated thread attributes -->avd.aquasec.com/nvd/cve-2021-33574
libc6       CVE-2022-23218    CRITICAL  2.31-13+deb11u2    2.31-13+deb11u3  glibc: Stack-based buffer overflow in svcunix_create via long pathnames -->avd.aquasec.com/nvd/cve-2022-23218
libc6       CVE-2022-23219    CRITICAL  2.31-13+deb11u2    2.31-13+deb11u3  glibc: Stack-based buffer overflow in sunrpc clnt_create via a long pathname -->avd.aquasec.com/nvd/cve-2022-23219
libdb5.3    CVE-2019-8457     CRITICAL  5.3.28+dfsg1-0.8   (none)           sqlite: heap out-of-bound read in function rtreenode() -->avd.aquasec.com/nvd/cve-2019-8457
libssl1.1   CVE-2022-1292     CRITICAL  1.1.1k-1+deb11u2   (none)           openssl: c_rehash script allows command injection -->avd.aquasec.com/nvd/cve-2022-1292
openssl     CVE-2022-1292     CRITICAL  1.1.1k-1+deb11u2   (none)           openssl: c_rehash script allows command injection -->avd.aquasec.com/nvd/cve-2022-1292
Automatically marked as stale due to no recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
New version is coming out with a new base image. Please upgrade to the new version when out. All security issues in base images need to be reported to Microsoft's GitHub repository for aspnet (https://github.com/dotnet/dotnet-docker/issues)
Thanks @winromulus, good to know!
Re where to report: in this case a fixed base version was already available, hence the issue here.
@naseemkullah if you can help me (I don't have the tooling), can you use your tools to check if mcr.microsoft.com/dotnet/aspnet:7.0 has any CVE please? I'll need to set something up to check for this but reporting will have to go to MS for fixes.
@winromulus https://github.com/aquasecurity/trivy is what I used. It's open source. Give it a try. You can use it as a local CLI and/or add it to your CI pipeline.
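As an added example (not part of this thread or the kubernetes-reflector project), the kind of CI gate the last comment suggests: it reads `trivy image --format json` output, keeps only findings that have a fixed version at or above a severity threshold, deduplicates CVEs that trivy lists once per package (libc-bin/libc6 and libssl1.1/openssl in the scan above), and returns a non-zero status when fixable CVEs remain. The field names are those of trivy's JSON report; the embedded report is constructed from the table in the opening post, with the fixed version left blank where the table shows none.

```python
"""CI gate over a trivy JSON report: fail only on CVEs that already have a fix.

Usage: trivy image --format json emberstack/kubernetes-reflector:6.1.47 > scan.json
       python3 gate.py scan.json        (no argument: runs against the embedded sample)
"""
import json
import sys

SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}


def _v(cve, pkg, installed, fixed=""):
    """Build one trivy-style vulnerability record (FixedVersion empty = no fix yet)."""
    return {"VulnerabilityID": cve, "PkgName": pkg, "Severity": "CRITICAL",
            "InstalledVersion": installed, "FixedVersion": fixed}


# Constructed sample mirroring the issue's table: each glibc CVE is reported twice
# (libc-bin and libc6); CVE-2022-1292 twice (libssl1.1 and openssl) without a fix.
GLIBC = ("2.31-13+deb11u2", "2.31-13+deb11u3")
SAMPLE_REPORT = {"Results": [{
    "Target": "emberstack/kubernetes-reflector:6.1.47 (debian 11.2)",
    "Vulnerabilities":
        [_v(c, p, *GLIBC) for p in ("libc-bin", "libc6")
         for c in ("CVE-2021-33574", "CVE-2022-23218", "CVE-2022-23219")]
        + [_v("CVE-2019-8457", "libdb5.3", "5.3.28+dfsg1-0.8")]
        + [_v("CVE-2022-1292", p, "1.1.1k-1+deb11u2") for p in ("libssl1.1", "openssl")],
}]}


def fixable_findings(report, min_severity="CRITICAL"):
    """Return {cve: (severity, {pkg: fixed_version})} for findings with a fix available
    at or above min_severity, merged across packages that share the same CVE."""
    threshold = SEVERITY_RANK[min_severity]
    out = {}
    for result in report.get("Results", []):
        for v in result.get("Vulnerabilities") or []:   # key is absent when a target is clean
            fixed = v.get("FixedVersion") or ""
            if not fixed or SEVERITY_RANK.get(v.get("Severity", "UNKNOWN"), 0) < threshold:
                continue  # nothing an image rebuild can fix, or below the gate's bar
            entry = out.setdefault(v["VulnerabilityID"], (v["Severity"], {}))
            entry[1][v["PkgName"]] = fixed
    return out


def gate(report, min_severity="CRITICAL"):
    """Process status for CI: 1 if any fixable finding remains, else 0
    (same policy as trivy's own --ignore-unfixed --exit-code 1)."""
    return 1 if fixable_findings(report, min_severity) else 0


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            data = json.load(fh)
    else:
        data = SAMPLE_REPORT
    for cve, (sev, pkgs) in sorted(fixable_findings(data).items()):
        print(f"{cve} {sev}: " + ", ".join(f"{p} -> {f}" for p, f in pkgs.items()))
    sys.exit(gate(data))
```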