
This security issue CVE-2021-3177 was fixed and the fix is not pushed to dockerhub image. #577

Closed
MohamedMSaeed opened this issue Feb 14, 2021 · 4 comments

Comments

@MohamedMSaeed

According to NVD, Python v3.8.7 has a critical security issue. I'm using python:3.8-slim.

NVD link: https://nvd.nist.gov/vuln/detail/CVE-2021-3177
fix: python/cpython#24248

@wglambert

Debian Buster is still unfixed, so there's nothing actionable we could do: https://security-tracker.debian.org/tracker/CVE-2021-3177
It's also considered a minor issue.

See also https://github.com/docker-library/faq#why-does-my-security-scanner-show-that-an-image-has-cves
And docker-library/openjdk#449 (comment), docker-library/postgres#286 (comment), docker-library/openjdk#161, docker-library/openjdk#112, docker-library/postgres#286, docker-library/drupal#84, docker-library/official-images#2740, docker-library/ruby#117, docker-library/ruby#94, #152, docker-library/php#242, docker-library/buildpack-deps#46, docker-library/openjdk#185.

A CVE doesn't imply having an actual vulnerability, and often is even a false positive (given how most distributions handle versioning/security updates in stable releases). If there are actionable items we can resolve, we're happy to do so (and do so actively). We update all Debian based images to include any updates in apt packages at least monthly (we regenerate the base images and then rebuild all dependent images).

@yosifkit
Member

As for 3.8.x that is downloaded and compiled in the image:

```dockerfile
	&& wget -O python.tar.xz "https://www.python.org/ftp/python/${PYTHON_VERSION%%[a-z]*}/Python-$PYTHON_VERSION.tar.xz" \
	&& wget -O python.tar.xz.asc "https://www.python.org/ftp/python/${PYTHON_VERSION%%[a-z]*}/Python-$PYTHON_VERSION.tar.xz.asc" \
	&& export GNUPGHOME="$(mktemp -d)" \
	&& gpg --batch --keyserver ha.pool.sks-keyservers.net --recv-keys "$GPG_KEY" \
	&& gpg --batch --verify python.tar.xz.asc python.tar.xz \
	&& { command -v gpgconf > /dev/null && gpgconf --kill all || :; } \
	&& rm -rf "$GNUPGHOME" python.tar.xz.asc \
	&& mkdir -p /usr/src/python \
	&& tar -xJC /usr/src/python --strip-components=1 -f python.tar.xz \
	&& rm python.tar.xz \
	\
	&& cd /usr/src/python \
	&& gnuArch="$(dpkg-architecture --query DEB_BUILD_GNU_TYPE)" \
	&& ./configure \
		--build="$gnuArch" \
		--enable-loadable-sqlite-extensions \
		--enable-optimizations \
		--enable-option-checking=fatal \
		--enable-shared \
		--with-system-expat \
		--with-system-ffi \
		--without-ensurepip \
	&& make -j "$(nproc)" \
		LDFLAGS="-Wl,--strip-all" \
	&& make install \
```

There hasn't been a python 3.8 release since Dec. 21, 2020, https://www.python.org/downloads/. Once they release a new version, we will publish it.
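A defender-side check that follows from the point above, added here as an example and not part of this thread or of the docker-library/python repository: since the interpreter is compiled from the upstream tarball rather than installed from an apt package, a scanner keyed on Debian package metadata says nothing about it, so read the version the image actually reports and compare it with the first fixed release of its minor line. The fixed-version table is supplied by the caller (only the 3.8 -> 3.8.8 entry comes from this thread), and prereleases of the fixed release are conservatively treated as unfixed.

```python
"""Gate CVE-2021-3177 exposure on the interpreter version an image reports.

Constructed example. Input is a string such as the output of
`docker run --rm python:3.8-slim python --version` ("Python 3.8.7") or
sys.version; a prerelease tag (a1, b2, rc1) is recognised the same way the
Dockerfile's ${PYTHON_VERSION%%[a-z]*} expansion does.
"""
import re
import sys
from typing import Dict, Optional, Tuple

Version = Tuple[int, int, int]
Line = Tuple[int, int]

# major.minor.micro with an optional trailing prerelease tag
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]+\d*)?")


def parse_version(text: str) -> Optional[Tuple[Version, Optional[str]]]:
    """Return ((major, minor, micro), prerelease-tag-or-None), or None."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    base = (int(m.group(1)), int(m.group(2)), int(m.group(3)))
    return base, m.group(4)


def is_fixed(text: str, first_fixed: Dict[Line, Version]) -> Optional[bool]:
    """True if the release is at or above the first fixed release of its
    minor line, False if below, None if unparsable or the line is unknown."""
    parsed = parse_version(text)
    if parsed is None:
        return None
    base, prerelease = parsed
    fixed = first_fixed.get(base[:2])
    if fixed is None:
        return None
    if base == fixed and prerelease is not None:
        # e.g. 3.8.8rc1: conservatively not counted as the fixed 3.8.8 release
        return False
    return base >= fixed


# Only the 3.8 line appears in this thread (3.8.7 affected, 3.8.8 released).
FIRST_FIXED_3_8: Dict[Line, Version] = {(3, 8): (3, 8, 8)}

if __name__ == "__main__":
    observed = sys.argv[1] if len(sys.argv) > 1 else sys.version
    print(observed.split()[0], "fixed:", is_fixed(observed, FIRST_FIXED_3_8))
```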

@tianon tianon closed this as completed Feb 16, 2021
@asfaltboy

asfaltboy commented Feb 19, 2021

@yosifkit just to nudge, seeing that the latest version 3.8.8 is now live here, thank you all for your diligence 🙏

@tianon
Member

tianon commented Feb 19, 2021

docker-library/official-images#9658 😉

(Official builds are in progress.)
