
Vulnerabilities [CVE-2021-23839, CVE-2021-23840, CVE-2021-23841] found against various alpine versions of python #578

Closed
ankitsrao opened this issue Feb 17, 2021 · 3 comments
Labels
question Usability question, not directly related to an error with the image

Comments

@ankitsrao

Hi Team,

Vulnerabilities [CVE-2021-23839, CVE-2021-23840, CVE-2021-23841] found against various alpine versions of python3.7.
I can't find a production image that scans clean nor can I find a way to remediate the vulnerability, as it seems that these are newly reported vulnerabilities.

Also, found that there is the below note on the NVD page for each of the above mentioned vulnerabilities:
"This vulnerability is currently awaiting analysis."

Request to provide some help around the resolution of the same.

Thanks,

@wglambert wglambert added the question Usability question, not directly related to an error with the image label Feb 17, 2021
@wglambert

Alpine's openssl was recently updated to 1.1.1j which addressed those CVEs
https://git.alpinelinux.org/aports/commit/?h=3.13-stable&id=9235437f759653dcdb458e1e61d43a933fdd3a05

However for this image openssl is removed during build time and doesn't make it to the final layer, basically:

	&& apk add --no-cache --virtual .build-deps  \
		. . .
		openssl-dev \
		. . .
	&& apk del --no-network .build-deps \

	&& apk add --no-cache --virtual .build-deps \
		bluez-dev \
		bzip2-dev \
		coreutils \
		dpkg-dev dpkg \
		expat-dev \
		findutils \
		gcc \
		gdbm-dev \
		libc-dev \
		libffi-dev \
		libnsl-dev \
		libtirpc-dev \
		linux-headers \
		make \
		ncurses-dev \
		openssl-dev \

See also https://github.com/docker-library/faq#why-does-my-security-scanner-show-that-an-image-has-cves
And docker-library/openjdk#449 (comment), docker-library/postgres#286 (comment) docker-library/openjdk#161, docker-library/openjdk#112, docker-library/postgres#286, docker-library/drupal#84, docker-library/official-images#2740, docker-library/ruby#117, docker-library/ruby#94, #152, docker-library/php#242, docker-library/buildpack-deps#46, docker-library/openjdk#185.

A CVE doesn't imply having an actual vulnerability, and often is even a false positive (given how most distributions handle versioning/security updates in stable releases). If there are actionable items we can resolve, we're happy to do so (and do so actively). We update all Debian based images to include any updates in apt packages at least monthly (we regenerate the base images and then rebuild all dependent images).
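Rather than trusting the scanner's verdict either way, one can read Alpine's installed-package database from the final image (for example `docker run --rm <image> cat /lib/apk/db/installed`) and check which packages built from the openssl source are actually present, and whether they are at or above the 1.1.1j build mentioned above. The following is an added example, not code from this issue or from the docker-library project; it parses a constructed snippet of that database, and its version ordering is a simplified version of apk's (enough for openssl's dotted-number-plus-letter scheme, ignoring `_alpha`/`_rc`-style suffixes).

```python
import re
from typing import Dict, List, Tuple

# Constructed snippet in the format of Alpine's /lib/apk/db/installed:
# one record per package, blank-line separated; P: name, V: version,
# o: origin (source package the binary package was built from).
SAMPLE_DB = """\
P:libssl1.1
V:1.1.1i-r0
o:openssl
A:x86_64

P:libcrypto1.1
V:1.1.1i-r0
o:openssl

P:python3
V:3.7.10-r0
o:python3
"""

FIXED_OPENSSL = "1.1.1j-r0"  # the Alpine openssl build referenced in this thread


def parse_installed(text: str) -> List[Dict[str, str]]:
    """Split the installed db into records mapping field letter -> value."""
    records: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    for line in text.splitlines():
        if not line.strip():          # blank line ends a record
            if current:
                records.append(current)
                current = {}
            continue
        key, _, value = line.partition(":")
        current[key] = value
    if current:
        records.append(current)
    return records


def version_key(version: str) -> Tuple[list, int]:
    """Simplified apk ordering: dotted numbers with optional letter suffix, then -rN.
    Numbers sort after letters so 1.1.1 > 1.1.1 with a trailing letter token only
    when the letter is missing entirely (1.1.1i > 1.1.1, 1.1.1j > 1.1.1i)."""
    main, _, rev = version.partition("-r")
    tokens = [(1, int(t)) if t.isdigit() else (0, t) for t in re.findall(r"\d+|[a-z]+", main)]
    return tokens, int(rev or 0)


def openssl_status(db_text: str, fixed: str = FIXED_OPENSSL) -> Dict[str, Tuple[str, bool]]:
    """Map each installed package whose origin is openssl to (version, at_or_above_fixed)."""
    result: Dict[str, Tuple[str, bool]] = {}
    for rec in parse_installed(db_text):
        if rec.get("o") == "openssl":
            ver = rec["V"]
            result[rec["P"]] = (ver, version_key(ver) >= version_key(fixed))
    return result
```

An empty result means no openssl-derived package is installed in that layer at all, which is the situation described for the build-time `.build-deps` set; a non-empty result tells you which runtime libraries are present and whether they still predate the fixed build.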

@tianon
Member

tianon commented Feb 17, 2021

See also docker-library/official-images#9641 which will fix this particular set in Alpine 3.13.

@ankitsrao
Author

Thank you @wglambert and @tianon for your inputs. The vulnerabilities seem to be resolved for python alpine images.
