Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

musl vulnerability in alpine #186

Closed
molepigeon opened this issue Aug 12, 2019 · 3 comments
Closed

musl vulnerability in alpine #186

molepigeon opened this issue Aug 12, 2019 · 3 comments

Comments

@molepigeon
Copy link

Hi, our vulnerability scanning tool detected a version of musl that's affected by CVE-2019-14697 in docker:18.09.8-dind. It appears that a fix is available through apk upgrade.

@wglambert
Copy link

See docker-library/postgres#286 (comment) docker-library/openjdk#161, docker-library/openjdk#112, docker-library/postgres#286, docker-library/drupal#84, docker-library/official-images#2740, docker-library/ruby#117, docker-library/ruby#94, docker-library/python#152, docker-library/php#242, docker-library/buildpack-deps#46, docker-library/openjdk#185.
And https://github.com/docker-library/faq#why-does-my-security-scanner-show-that-an-image-has-so-many-cves

A CVE doesn't imply having an actual vulnerability, and often is even a false positive (given how most distributions handle versioning/security updates in stable releases). If there are actionable items we can resolve, we're happy to do so (and do so actively). We update all Debian based images to include any updates in apt packages at least monthly (we regenerate the base images and then rebuild all dependent images).


Looks like this hasn't been patched yet so there's nothing actionable we can do. As we'll only apply out-of-branch patch's when absolutely necessary

The bug is present in all versions after 0.9.12, up through the current (1.1.23) release. Only 32-bit x86 systems (aka IA32, musl's "i386" arch) are affected. Users of other archs, including x86_64, can safely ignore this issue.

@yosifkit
Copy link
Member

A couple other links: upstream tracker here; the fix was already deployed to the edge image (docker-library/official-images#6437). I can only speculate as to why the rest of the images were not fixed at the same time. My best guess is that because it only effects i386, it was deemed low enough impact to not necessitate a rebuild of all child images.

@tianon
Copy link
Member

tianon commented Aug 12, 2019

Closing in favor of alpinelinux/docker-alpine#34.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

4 participants