
critical vulnerabilities in unzip and function controller docker images

Open jacace opened this issue 4 years ago • 5 comments

Hello kubeless team,

#1 The unzip image seems to have the below 4 critical vulnerabilities:

- CVE-2019-12900 -> package libbz2-1.0,bzip2
- CVE-2017-14062 -> package libidn11
- CVE-2019-5481 -> package libcurl3-gnutls,libcurl3,curl
- CVE-2019-5482 -> package libcurl3-gnutls,libcurl3,curl

The last 3 were already fixed in 1.33-1+deb9u1, in 7.52.1-5+deb9u10 and in 7.52.1-5+deb9u10 respectively. The first one is still open.

#2 Similarly, the docker image function-controller v1.0.6 seems to have the below 3 critical vulnerabilities:

- CVE-2016-9841 -> package 1:1.2.8.dfsg-2 (zlib1g)
- CVE-2016-9843 -> package 1:1.2.8.dfsg-2 (zlib1g)
- CVE-2018-6797 -> package 5.20.2-3+deb8u12 (perl-base)

The first two were already fixed in 1:1.2.8.dfsg-2+deb8u1. The last one is open.

Just a couple of questions: When are you planning to add the 4 fixes already available? And when are you planning to address the 2 open issues?

Thanks,

jacace avatar Jul 01 '20 10:07 jacace
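The triage the report above performs by hand (is the installed Debian package older than the version the fix shipped in, or is there no fix yet?) can be scripted. This is an added example, not kubeless code: a dpkg-style version comparison run over a constructed findings list modelled on the thread. The installed versions for the unzip image packages are assumptions, since the report only gives the fixed-in versions for them.

```python
def _order(c):
    """Character weight used by dpkg: '~' sorts before end-of-string, then letters, then others."""
    if c == "~":
        return -1
    if c == "" or c.isdigit():
        return 0
    return ord(c) if c.isalpha() else ord(c) + 256

def _verrevcmp(a, b):
    """Compare two upstream or revision strings the way dpkg does (alternating text/number runs)."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i]) if i < len(a) else 0
            bc = _order(b[j]) if j < len(b) else 0
            if ac != bc:
                return ac - bc
            i, j = i + 1, j + 1
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and j < len(b) and a[i].isdigit() and b[j].isdigit():
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i, j = i + 1, j + 1
        if i < len(a) and a[i].isdigit():
            return 1
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0

def compare_debian_versions(a, b):
    """Negative, zero or positive, like `dpkg --compare-versions`: epoch, then upstream, then revision."""
    def split(v):
        epoch, _, rest = v.partition(":") if ":" in v else ("0", "", v)
        upstream, _, revision = rest.rpartition("-") if "-" in rest else (rest, "", "")
        return int(epoch), upstream, revision
    ea, ua, ra = split(a)
    eb, ub, rb = split(b)
    return (ea - eb) or _verrevcmp(ua, ub) or _verrevcmp(ra, rb)

# Constructed findings: (cve, package, installed version, fixed-in version or None).
# zlib1g/perl-base versions come from the report; the libidn11 and curl installed versions are assumed.
FINDINGS = [
    ("CVE-2019-12900", "libbz2-1.0", "1.0.6-8.1", None),
    ("CVE-2017-14062", "libidn11", "1.33-1", "1.33-1+deb9u1"),
    ("CVE-2019-5481", "curl", "7.52.1-5+deb9u9", "7.52.1-5+deb9u10"),
    ("CVE-2016-9841", "zlib1g", "1:1.2.8.dfsg-2", "1:1.2.8.dfsg-2+deb8u1"),
    ("CVE-2018-6797", "perl-base", "5.20.2-3+deb8u12", None),
]

def triage(findings):
    """Map each CVE to an action: rebuild with the fixed package, or track it as unfixed upstream."""
    result = {}
    for cve, pkg, installed, fixed in findings:
        if fixed is None:
            result[cve] = "no fix released"
        elif compare_debian_versions(installed, fixed) < 0:
            result[cve] = f"fix available: upgrade {pkg} to {fixed}"
        else:
            result[cve] = "already patched"
    return result
```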

Hi @jacace,

Thanks for the report! Regarding the unzip image I have just built a new image with the latest versions. Regarding the function-controller, we released v1.0.7 this week, that version should fix as well the CVEs that already have a fix.

andresmgot avatar Jul 02 '20 07:07 andresmgot

Thanks @andresmgot! I have downloaded the newer function-controller v1.0.7 and unzip images. I will scan them and I will let you know my findings. Thanks,

jacace avatar Jul 03 '20 14:07 jacace

Hello @andresmgot, I scanned the latest images and it worked for the function controller image because it went down from 3 critical to 1 high. But it did not work for the unzip image because it still has 4 critical. The Kafka image also has 1 critical. Can I send you the full list of 33 findings (incl. critical, high and medium) to the corporate email address in your GitHub profile for you to please check what else can be done? (at least for the critical and high for starters) Thanks,

jacace avatar Jul 08 '20 09:07 jacace

Sure, you can send me more details. My email is in my profile.

andresmgot avatar Jul 08 '20 14:07 andresmgot

Thanks @andresmgot, email sent.

jacace avatar Jul 08 '20 18:07 jacace