docker-nginx
CVE-2022-27404, CVE-2022-27405, CVE-2022-27406
Resource | Resource Type | Installed Version | Vulnerability Name | Publish Date | NVD CVSS v2 Severity | NVD CVSS v2 Score | NVD CVSS v2 Vectors | Solution |
---|---|---|---|---|---|---|---|---|
freetype | package | 2.11.1-r0 | CVE-2022-27404 | 4/22/2022 | high | 7.5 | AV:N/AC:L/Au:N/C:P/I:P/A:P | Upgrade package freetype to version 2022-03-07 or above. |
freetype | package | 2.11.1-r0 | CVE-2022-27405 | 4/22/2022 | medium | 5 | AV:N/AC:L/Au:N/C:N/I:N/A:P | Upgrade package freetype to version 2022-03-17 or above. |
freetype | package | 2.11.1-r0 | CVE-2022-27406 | 4/22/2022 | medium | 5 | AV:N/AC:L/Au:N/C:N/I:N/A:P | Upgrade package freetype to version 2022-03-19 or above. |
As seen on the Debian security tracker pages, the fix is only available in bookworm (currently aka sid or unstable). All other Debian releases do not have the update. And, from the Notes, it looks like the Debian security team has chosen not to fix it for them.
https://security-tracker.debian.org/tracker/CVE-2022-27404 and https://security-tracker.debian.org/tracker/CVE-2022-27405 and https://security-tracker.debian.org/tracker/CVE-2022-27406
[bullseye] - freetype <no-dsa> (Minor issue)
[buster] - freetype <no-dsa> (Minor issue)
[stretch] - freetype <no-dsa> (Minor issue)
How can I upgrade freetype directly to 2022-03-07?
hi @dimanchezzz, we'll need to wait until freetype is updated in the Linux distributions nginx images use, namely Alpine 3.15 and Debian 11.
Thanks. How can I follow the updates in the Linux distributions the nginx images use?
Or maybe I can drop freetype from the image? I tried it, but it's not working:
RUN apk del freetype
The links for tracking CVE fixes in Debian were provided in https://github.com/nginxinc/docker-nginx/issues/657#issuecomment-1119147670, and for Alpine you'd have to check https://git.alpinelinux.org/aports/log/main/freetype?h=3.15-stable
You should be able to remove freetype and the image filter module with the following command: apk del freetype nginx-module-image-filter.
A fix for 2022-27404 was submitted to the Alpine mainline.
https://gitlab.alpinelinux.org/alpine/aports/-/commit/08c9eeb1e3aee1adc8c3407f29630073aef5c5e3 https://gitlab.alpinelinux.org/alpine/aports/-/commit/a11d8db7bb9baefb69a268bba661728ece1f1caa
Hello, when can we expect to have a new nginx image with the fix for 2022-27404? Thanks
Hi @istvandesign there is no strict date - for Debian it's likely never, and for Alpine-based images, whenever alpine 3.15.5 is released.
Thanks. Will the hotfix you mentioned, RUN apk del freetype nginx-module-image-filter, also work in Alpine, or only in Debian-based images?
It would be RUN apt remove -y libfreetype6 for Debian.
I would like to know how this is being handled officially. When does the alpine image change to use 3.15 in stable-alpine and 1.20-alpine? Or when would RUN apk del freetype nginx-module-image-filter be added officially?
We plan to have stable tags updated with Alpine 3.15 (or 3.16 if it's out at that time) somewhere in mid-June. No hard ETA though yet.
CVE-2022-27404 is fixed now in Alpine-based images. The other CVEs aren't, and none of them are fixed for Debian-based images.
I've taken this update and applied it to our application. The scan is all clear now. Thank you.
CVE-2022-27405 and CVE-2022-27406 are now fixed in Alpine-based images. No changes for Debian.
CVE-2022-27404, CVE-2022-27405, CVE-2022-27406 are now fixed in Debian in freetype6 2.10.4+dfsg-1+deb11u1, which is what is installed in all Debian images now.