Unapproved vulnerability CVE-2020-28928 #819

Closed
AndrewBy5 opened this issue Feb 22, 2021 · 6 comments
Labels
question Usability question, not directly related to an error with the image

Comments

@AndrewBy5

Hello.

I noticed that the Clair scanner reports an unapproved vulnerability for all 13 Postgres alpine-based docker images.
The issue is with the "musl" package.
All details can be reviewed at the following link:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28928

Could you please fix this issue?

Thanks.

@wglambert wglambert added the question Usability question, not directly related to an error with the image label Feb 22, 2021
@wglambert

See https://github.com/docker-library/faq#why-does-my-security-scanner-show-that-an-image-has-cves
And docker-library/openjdk#449 (comment), #286 (comment) docker-library/openjdk#161, docker-library/openjdk#112, #286, docker-library/drupal#84, docker-library/official-images#2740, docker-library/ruby#117, docker-library/ruby#94, docker-library/python#152, docker-library/php#242, docker-library/buildpack-deps#46, docker-library/openjdk#185.

A CVE doesn't imply having an actual vulnerability, and often is even a false positive (given how most distributions handle versioning/security updates in stable releases). If there are actionable items we can resolve, we're happy to do so (and do so actively). We update all Debian based images to include any updates in apt packages at least monthly (we regenerate the base images and then rebuild all dependent images).

@AndrewBy5
Author

Thank you for your quick response.
As I can see, this case is slightly different, because this vulnerability has been confirmed by multiple sources, including the "musl" official website:
https://musl.libc.org/
http://www.openwall.com/lists/oss-security/2020/11/20/4
https://lists.debian.org/debian-lts-announce/2020/11/msg00050.html
Currently, the mentioned vulnerability has been resolved in "musl" version 1.2.2.
I would highly appreciate it if you could release a 13 alpine-based Postgres docker image that includes an updated version of the "musl" library.
Thanks.

@ImreSamu
Contributor

ImreSamu commented Feb 23, 2021

@AndrewBy5:

Currently, the mentioned vulnerability has been resolved in "musl" version 1.2.2.
I would highly appreciate it if you could release a 13 alpine-based
Postgres docker image that includes an updated version of the "musl" library.

Listing the installed musl package version:

  • postgres:13-alpine -> musl-1.2.2-r0 - OK
  • postgres:13.1-alpine -> musl-1.2.2-r0 - OK
  • postgres:13.0-alpine -> musl-1.1.24-r9 (~5 months old; with known postgres / alpine CVEs - not recommended)

You can check the postgres alpine update times here (see "Last pushed": more than 5 days ago?).

postgres:13-alpine - musl-1.2.2-r0 - OK

~$ docker pull docker.io/library/postgres:13-alpine

13-alpine: Pulling from library/postgres
Digest: sha256:59f48f15d037cc4ac87557cdb69fc9e5891b8a4b8d95254b7030dff561d6fd3a
Status: Image is up to date for postgres:13-alpine
docker.io/library/postgres:13-alpine

$ docker run -it --rm docker.io/library/postgres:13-alpine apk -vv info | grep musl
musl-1.2.2-r0 - the musl c library (libc) implementation
musl-utils-1.2.2-r0 - the musl c library (libc) implementation

postgres:13.1-alpine - musl-1.2.2-r0 - OK

~$ docker pull docker.io/library/postgres:13.1-alpine
13.1-alpine: Pulling from library/postgres
Digest: sha256:16af09e480c49226f8e7cd4d602ab27e59f434eb255d2b45bd0cfe1defb86fd7
Status: Image is up to date for postgres:13.1-alpine
docker.io/library/postgres:13.1-alpine

~$ docker run -it --rm docker.io/library/postgres:13.1-alpine apk -vv info | grep musl
musl-1.2.2-r0 - the musl c library (libc) implementation
musl-utils-1.2.2-r0 - the musl c library (libc) implementation

postgres:13.0-alpine - musl-1.1.24-r9 - OLD (last pushed 4 months ago)

~$ docker pull docker.io/library/postgres:13.0-alpine
13.0-alpine: Pulling from library/postgres
Digest: sha256:d26ddee3648a324a9747b3257236322141920d5f9a82ca703def6bff1cca7067
Status: Image is up to date for postgres:13.0-alpine
docker.io/library/postgres:13.0-alpine

~$ docker run -it --rm docker.io/library/postgres:13.0-alpine apk -vv info | grep musl
musl-1.1.24-r9 - the musl c library (libc) implementation
musl-utils-1.1.24-r9 - the musl c library (libc) implementation
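
The check ImreSamu performs by hand above can be scripted. The following is an added example, not code from the thread or the docker-library project: it parses `apk -vv info` lines (the constructed sample reproduces the output quoted above), extracts the Alpine version and `-rN` release, and decides whether the installed musl is at or above the fixed version 1.2.2. The version ordering is a simplification of apk's rules (dotted numeric components only).

```python
import re

# Constructed sample: output of `apk -vv info | grep musl` for the two images,
# copied from the thread's terminal sessions.
SAMPLE_OUTPUT = {
    "postgres:13.1-alpine": [
        "musl-1.2.2-r0 - the musl c library (libc) implementation",
        "musl-utils-1.2.2-r0 - the musl c library (libc) implementation",
    ],
    "postgres:13.0-alpine": [
        "musl-1.1.24-r9 - the musl c library (libc) implementation",
        "musl-utils-1.1.24-r9 - the musl c library (libc) implementation",
    ],
}

# Alpine package lines look like "<name>-<version>-r<release> - <description>".
# The name may itself contain dashes (musl-utils), so the version is the first
# dash-separated field that starts with a digit, followed by "-r<release>".
PKG_RE = re.compile(r"^(?P<name>.+?)-(?P<ver>\d[^\s-]*)-r(?P<rel>\d+) - ")


def parse_apk_line(line):
    """Return (name, version, release) or None for a non-package line."""
    m = PKG_RE.match(line)
    if not m:
        return None
    return m.group("name"), m.group("ver"), int(m.group("rel"))


def version_key(ver):
    # Simplified ordering: dotted numeric components only. Real apk versions
    # may also carry suffixes such as _alpha or _p, which are not handled here.
    return tuple(int(p) for p in ver.split("."))


def is_fixed(installed_ver, installed_rel, fixed_ver, fixed_rel=0):
    """True if the installed (version, release) is at or above the fix."""
    return (version_key(installed_ver), installed_rel) >= (version_key(fixed_ver), fixed_rel)


def check_image(lines, package="musl", fixed_ver="1.2.2"):
    """Return (installed_version, fixed?) for `package`, or None if absent."""
    for line in lines:
        parsed = parse_apk_line(line)
        if parsed and parsed[0] == package:
            _, ver, rel = parsed
            return f"{ver}-r{rel}", is_fixed(ver, rel, fixed_ver)
    return None


if __name__ == "__main__":
    for image, lines in SAMPLE_OUTPUT.items():
        print(image, check_image(lines))
```

A scanner that flags `musl 1.2.2-r0` for CVE-2020-28928 despite this check passing is matching on CVE metadata rather than the installed version, which is why the thread ends with a whitelist rather than an image change.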

@AndrewBy5
Author

Thanks a lot for the explanation.
Then, indeed, this vulnerability can be considered false-positive.

@ImreSamu
Contributor

Currently, the mentioned vulnerability has been resolved in "musl" version 1.2.2.
...
Then, indeed, this vulnerability can be considered false-positive.

Checking with a fresh clair-db, it is still reported for 1.2.2-r0.
imho: you should add this CVE to your whitelist.yaml

$ clair-scanner --all -c "http://127.0.0.1:6060" --ip 172.17.0.1 postgres:13.1-alpine
2021/02/23 17:34:41 [INFO] ▶ Start clair-scanner
2021/02/23 17:34:42 [INFO] ▶ Server listening on port 9279
2021/02/23 17:34:42 [INFO] ▶ Analyzing b086dfe366448ca9e9f25cbec5fa9a6e9a284db32b54644a1ed6ecca7c3872c9
2021/02/23 17:34:42 [INFO] ▶ Analyzing 1677a8ec5fbbc33ddc34e1b29a29030b07b86e4b2338201c94e782f34b112b3a
2021/02/23 17:34:42 [INFO] ▶ Analyzing 67a4aaa1ad6056dbd95518baa5187cfd2531e6320bc382339e47522ac7db89a3
2021/02/23 17:34:42 [INFO] ▶ Analyzing 586620978d681bf25b26c972ac69824dbafe80e65f06564eaa9c37d215276c16
2021/02/23 17:34:42 [INFO] ▶ Analyzing 777b19181bebd418aea2ef37a5fb546e29abb3260c2ae5269e9a040d7da90621
2021/02/23 17:34:42 [INFO] ▶ Analyzing 088b04afa1292ff479a9cde2bb8cc42c421c82c94fdf61fc31a5252f1a37c655
2021/02/23 17:34:42 [INFO] ▶ Analyzing ceeeba1ba24452ce82108e2a3e308567a6ef0eb8622c736eb0e600dc41e60ecf
2021/02/23 17:34:42 [INFO] ▶ Analyzing 257567783eed1d1ee3f47f50bc6b192b8d401b4cbfbd76a34257d08f5b2f2f31
2021/02/23 17:34:43 [WARN] ▶ Image [postgres:13.1-alpine] contains 1 total vulnerabilities
2021/02/23 17:34:43 [ERRO] ▶ Image [postgres:13.1-alpine] contains 1 unapproved vulnerabilities
+------------+--------------------+--------------+-----------------+---------------------------------------------------------------+
| STATUS     | CVE SEVERITY       | PACKAGE NAME | PACKAGE VERSION | CVE DESCRIPTION                                               |
+------------+--------------------+--------------+-----------------+---------------------------------------------------------------+
| Unapproved | Low CVE-2020-28928 | musl         | 1.2.2-r0        |                                                               |
|            |                    |              |                 | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28928 |
+------------+--------------------+--------------+-----------------+---------------------------------------------------------------+

@AndrewBy5
Author

This issue can be considered resolved.
Thank you!
