Update Dependencies to resolve known CVEs
Describe the bug
There are several known CVEs found within the dependencies of the stable image.
https://quay.io/repository/mittwald/kube-httpcache/manifest/sha256:ed153b482be398b8d979cf4983b1936a97ca734837aac588e4e5e2f3fca58cbe?tab=vulnerabilities&fixable=true
To Reproduce: Use Docker Scout or a similar CVE scanner to check the stable image.
Expected behavior: It's not entirely unreasonable for there to be some CVEs found within the dependencies, but since there hasn't been an update to the image in 7 months, many of these vulnerabilities are likely very easily fixed with some dependency bumps.
Perhaps dependabot or a similar tool, with some CI steps to automate the deployments, could help reduce the time cost of updating the images moving forward, keeping this project healthier?
There have been some updates recently, I now see fewer findings in the scanner 🥳 @wSedlacek check it out.
Since the image is based on Debian Bullseye (which is still LTS), that's great. But maybe there are some packages that are not needed and can be removed in the Dockerfile to reduce the surface area, for example libdb5.3, zlib1g?
Some of the findings would be fixed with a minor image update to -> golang:1.24.4-bullseye 💡
@animus888 Please check again with the latest version, I did some updating including the exporter image
@leontappe
Scan of quay.io/mittwald/kube-httpcache:v0.9.1 (debian 12.11) finds HIGH: 202, CRITICAL: 2 vulnerabilities right now. That's an improvement, thank you. 🥳
Critical:
libaom3 -> CVE-2023-6879
zlib1g -> CVE-2023-45853
Maybe those 2 libraries can be removed in the Docker files if they are not needed?
High:
libpam0g -> CVE-2025-6020, libpam-modules, libpam-runtime, libpam-modules-bin
perl-base
libtiff6
libexpat1
linux-libc-dev
Maybe those can also be removed by removing the packages from the Docker images?
varnish (7.6.3-1~bookworm) -> CVE-2023-44487 --> would be resolved anyway in later varnish versions. See: https://github.com/varnishcache/varnish-cache/issues/3996 https://varnish-cache.org/security/VSV00013.html#vsv00013
Maybe apt-get update could help here. I guess some libs like linux-pam need to be removed because there are no fixes from version upgrades.
@leontappe maybe -y is missing in apt-get -qq upgrade (see Dockerfile)?
I will try a manual upgrade locally and see if some vulnerabilities could be resolved with apt-get -qq upgrade -y
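As an added example (not code from the kube-httpcache project or anyone in this thread), the following shell script lints a Dockerfile for the apt-get pitfalls raised in the last few comments: upgrade/install without an apt-get update in the same RUN layer (stale or missing package index, so fixed versions are never picked up), a missing -y (note that apt-get's -qq implies -y, so the check accepts either), and package lists left in the layer. The two Dockerfile snippets it checks are constructed samples, not the project's real Dockerfile, and the package names in them are only illustrative.

```shell
#!/bin/sh
# Added example, not the kube-httpcache project's code: a minimal Dockerfile
# lint for the apt-get issues discussed in this issue thread.

# lint_dockerfile FILE: print one finding per line as "<RUN index>: <message>".
# The index counts logical lines after backslash continuations are joined.
lint_dockerfile() {
    # Join backslash-continued lines so each RUN instruction is one logical line.
    sed -e ':a' -e '/\\$/{N' -e 's/\\\n//' -e 'ba' -e '}' "$1" |
    grep -n '^RUN' | while IFS= read -r run; do
        n=${run%%:*}
        # Only RUN lines that upgrade or install packages are of interest.
        printf '%s\n' "$run" | grep -Eq 'apt-get( +-[^ ]+)* +(upgrade|dist-upgrade|install)' || continue
        # 1. Without apt-get update in the same layer the package index is absent
        #    or a cached old one, so security updates are silently not applied.
        printf '%s\n' "$run" | grep -Eq 'apt-get( +-[^ ]+)* +update' ||
            echo "$n: apt-get upgrade/install without apt-get update in the same RUN"
        # 2. Without -y (or -qq, which apt-get treats as implying -y) apt-get
        #    prompts for confirmation and aborts in a non-interactive build.
        printf '%s\n' "$run" | grep -Eq -- ' (-y|-qq|--yes|--assume-yes)( |$)' ||
            echo "$n: apt-get upgrade/install without -y (a non-interactive build aborts at the prompt)"
        # 3. Leaving /var/lib/apt/lists in the layer bloats the image.
        printf '%s\n' "$run" | grep -q 'rm -rf /var/lib/apt/lists' ||
            echo "$n: apt package lists left in the layer (add rm -rf /var/lib/apt/lists/*)"
    done
}

# count_findings FILE: number of findings, what a CI gate would compare to zero.
count_findings() {
    lint_dockerfile "$1" | wc -l | tr -d ' '
}

# Constructed samples (hypothetical, not the project's Dockerfile).
BAD_DOCKERFILE=$(mktemp)
GOOD_DOCKERFILE=$(mktemp)
trap 'rm -f "$BAD_DOCKERFILE" "$GOOD_DOCKERFILE"' EXIT

cat > "$BAD_DOCKERFILE" <<'EOF'
FROM debian:bookworm-slim
RUN apt-get -qq upgrade
RUN apt-get install ca-certificates
EOF

# Corrected form: update, upgrade and cleanup in one layer, plus removal of a
# package the image does not need (libaom3 used as an illustrative candidate).
cat > "$GOOD_DOCKERFILE" <<'EOF'
FROM debian:bookworm-slim
RUN apt-get update \
    && apt-get -y upgrade \
    && apt-get -y purge --auto-remove libaom3 \
    && rm -rf /var/lib/apt/lists/*
EOF

echo "findings in bad sample:"
lint_dockerfile "$BAD_DOCKERFILE"
echo "findings in good sample: $(count_findings "$GOOD_DOCKERFILE")"
```

The bad sample produces two findings for the first RUN (no update, no cleanup; -qq satisfies the -y check) and three for the second, while the corrected sample produces none. Whether a package such as zlib1g is actually removable still has to be confirmed against what the binaries in the image link to; the lint only catches the layer-level mistakes.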