docker-nginx-unprivileged
Security vulnerabilities in libraries
Describe the bug
We are getting 4 CRITICAL vulnerabilities in the Harbor image scan. Please update the libraries.
To reproduce
Steps to reproduce the behavior:
- Deploy NGINX Unprivileged Docker image
- View output/logs/configuration on '...'
- See error
Your environment
- Version of the NGINX Unprivileged Docker image
- Target deployment environment/platform
Additional context
Does this security vulnerability relate to one of the NGINX libraries specified in the SECURITY doc?
The nginxinc/nginx-unprivileged is Debian based. I've also tried to update it and then create a custom image. It seems that we cannot upgrade.
Any light on this from the nginxinc team will be very nice.
Thank you team!
```
docker run -it --entrypoint=/bin/sh -u root nginxinc/nginx-unprivileged
root@f55803ac4e36:/# cat /etc/os-release
PRETTY_NAME="Debian GNU/Linux 11 (bullseye)"
NAME="Debian GNU/Linux"
VERSION_ID="11"
VERSION="11 (bullseye)"
VERSION_CODENAME=bullseye
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"
root@f55803ac4e36:/# apt-get update
Get:1 http://deb.debian.org/debian bullseye InRelease [116 kB]
Get:2 http://deb.debian.org/debian-security bullseye-security InRelease [48.4 kB]
Get:3 http://deb.debian.org/debian bullseye-updates InRelease [44.1 kB]
Get:4 http://deb.debian.org/debian bullseye/main amd64 Packages [8184 kB]
Get:5 http://deb.debian.org/debian-security bullseye-security/main amd64 Packages [189 kB]
Get:6 http://deb.debian.org/debian bullseye-updates/main amd64 Packages [6344 B]
Fetched 8587 kB in 1s (6086 kB/s)
Reading package lists... Done
root@f55803ac4e36:/# apt-get upgrade
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
Calculating upgrade... Done
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
```
Has a fix been pushed to the Debian package? If it's been pushed, the images did get rebuilt overnight so the fix should be in the latest build.
Images got rebuilt on Sunday night so I am going to go ahead and close this issue. Any vulnerabilities should have been fixed by now.