Comments (5)
The official images use the upstream (Debian in this case) packages; if there are vulnerabilities in those packages, they would have to be fixed by the Debian maintainers and packagers. Once updates are available in the Debian package repositories, they will be included in the next build of the official images, but before that there's not much the maintainers of the official images can do.
I would recommend checking the status of those CVEs in Debian's security tracker; here are the links to the "critical" ones from your report, but the pattern is the same for the other ones:
- https://security-tracker.debian.org/tracker/CVE-2023-5841
- https://security-tracker.debian.org/tracker/CVE-2023-45853
- https://security-tracker.debian.org/tracker/CVE-2023-6879
- https://security-tracker.debian.org/tracker/CVE-2023-0645
Note that some of those will have an issue linked in their issue tracker, which may contain more information about the current status (which may in some cases be that the Debian maintainers decided to reject the CVE or decided not to patch).
from official-images.
You could switch to using the bookworm-slim variant, which doesn't have those. You could even use a multistage build: use the non-slim variant for building and copy the result into the slim variant.
FWIW, it looks like those vulnerabilities are not yet patched by upstream Debian, so there are no packages available there yet:
- https://security-tracker.debian.org/tracker/CVE-2024-32002
- https://security-tracker.debian.org/tracker/CVE-2024-32465
- https://security-tracker.debian.org/tracker/CVE-2024-32004
Hi @LaurentGoderre, we have tried a multistage build and used bookworm-slim for the final result. However, we have still seen vulnerabilities in the JFrog Xray platform.
I am attaching those vulnerabilities here and aiming to resolve the critical and high vulnerabilities.
Could you please help with this so we can proceed further?
[email protected]_2024-06-07.zip
See also the "Notes" field at the bottom of each of those links, which contains comments from the Debian Security Team (usually about why it's not fixed / not believed to be an issue worth fixing urgently).
[bookworm] - openexr <no-dsa> (Minor issue)
[bullseye] - openexr <not-affected> (Only affects 3.x)
[buster] - openexr <not-affected> (Only affects 3.x)
("no-dsa" is effectively "wontfix", but it leaves the door open for another Debian maintainer to fix it if they believe they can do so within the constraints of Debian stable.)
Again, please read https://github.com/docker-library/faq#why-does-my-security-scanner-show-that-an-image-has-cves
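The thread's advice is to read each CVE's "Notes" lines in the Debian security tracker before treating a scanner finding as actionable. The script below is an added example (not code from the official-images project or any of the commenters): it parses lines in the `[suite] - package <tag> (reason)` format quoted above and maps the annotation for a given suite to what the image user can expect. The `SAMPLE_NOTES` pairing of CVE ids with packages is constructed for illustration, and the set of tag names handled is an assumption about the tracker's vocabulary beyond the two tags shown on the page.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# One "[suite] - package <tag> (reason)" or "[suite] - package version" line,
# the format the tracker's "Notes" field uses (as quoted in the comment above).
NOTE_RE = re.compile(
    r"^\[(?P<suite>[\w-]+)\]\s+-\s+(?P<pkg>\S+)\s+"
    r"(?:<(?P<tag>[\w-]+)>|(?P<version>\S+))"
    r"(?:\s+\((?P<reason>[^)]*)\))?\s*$"
)

@dataclass
class Note:
    suite: str
    pkg: str
    tag: Optional[str]      # no-dsa, not-affected, unfixed, postponed, ignored, ...
    version: Optional[str]  # fixed package version when there is no <tag>
    reason: Optional[str]

def parse_notes(text: str) -> List[Note]:
    """Parse the per-suite lines of a Notes field; lines in another shape are skipped."""
    out = []
    for line in text.splitlines():
        m = NOTE_RE.match(line.strip())
        if m:
            out.append(Note(m["suite"], m["pkg"], m["tag"], m["version"], m["reason"]))
    return out

def triage(notes: List[Note], suite: str) -> str:
    """Map the annotation for one suite to the status an image user should expect."""
    for n in notes:
        if n.suite != suite:
            continue
        if n.version:                           # fixed package in the suite's repos
            return "fixed-in-debian"            # expect it in the next image rebuild
        if n.tag in ("not-affected", "ignored"):
            return "no-action"                  # Debian rejects the finding
        if n.tag in ("no-dsa", "postponed"):
            return "accepted-risk"              # no DSA planned; see the reason
        if n.tag in ("unfixed", "undetermined"):
            return "open"                       # nothing the image maintainers can ship
    return "unknown"                            # no entry for this suite at all

# Constructed sample: the openexr lines are the ones quoted in the comment above;
# the git entry and the CVE-to-package pairing are hypothetical.
SAMPLE_NOTES: Dict[str, str] = {
    "CVE-2023-5841": "[bookworm] - openexr <no-dsa> (Minor issue)\n"
                     "[bullseye] - openexr <not-affected> (Only affects 3.x)\n",
    "CVE-2024-32002": "[bookworm] - git <unfixed>\n",
}

def triage_report(findings: List[Tuple[str, str]], suite: str) -> Dict[str, str]:
    """findings: (CVE id, source package) pairs as a scanner would report them."""
    return {cve: triage([n for n in parse_notes(SAMPLE_NOTES.get(cve, "")) if n.pkg == pkg], suite)
            for cve, pkg in findings}
```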