docker-nginx-unprivileged

Security vulnerabilities in libraries

Open gsssathe opened this issue 1 year ago • 2 comments

Describe the bug

We are getting 4 CRITICAL vulnerabilities in Harbor image scan. Please update the libraries.

To reproduce

Steps to reproduce the behavior:

  1. Deploy NGINX Unprivileged Docker image
  2. View output/logs/configuration on '...'
  3. See error

Your environment

  • Version of the NGINX Unprivileged Docker image
  • Target deployment environment/platform

Additional context

Does this security vulnerability relate to one of the NGINX libraries specified in the SECURITY doc?

gsssathe, Oct 14 '22 16:10

The nginxinc/nginx-unprivileged is Debian-based. I've also tried to update it and then create a custom image. It seems that we cannot upgrade.

Any light on this from the nginxinc team will be very nice.

Thank you team!

docker run -it --entrypoint=/bin/sh -u root nginxinc/nginx-unprivileged

root@f55803ac4e36:/# cat /etc/os-release
PRETTY_NAME="Debian GNU/Linux 11 (bullseye)"
NAME="Debian GNU/Linux"
VERSION_ID="11"
VERSION="11 (bullseye)"
VERSION_CODENAME=bullseye
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"

root@f55803ac4e36:/# apt-get update
Get:1 http://deb.debian.org/debian bullseye InRelease [116 kB]
Get:2 http://deb.debian.org/debian-security bullseye-security InRelease [48.4 kB]
Get:3 http://deb.debian.org/debian bullseye-updates InRelease [44.1 kB]
Get:4 http://deb.debian.org/debian bullseye/main amd64 Packages [8184 kB]
Get:5 http://deb.debian.org/debian-security bullseye-security/main amd64 Packages [189 kB]
Get:6 http://deb.debian.org/debian bullseye-updates/main amd64 Packages [6344 B]
Fetched 8587 kB in 1s (6086 kB/s)
Reading package lists... Done

root@f55803ac4e36:/# apt-get upgrade
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
Calculating upgrade... Done
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.

davibaldin, Oct 14 '22 17:10

Has a fix been pushed to the Debian package? If it's been pushed, the images did get rebuilt overnight so the fix should be in the latest build.

alessfg, Oct 17 '22 19:10

Images got rebuilt on Sunday night so I am going to go ahead and close this issue. Any vulnerabilities should have been fixed by now.

alessfg, Nov 01 '22 18:11