amazonlinux/container-images

AWS Linux - Vulnerabilities


A docker scan of amazonlinux:latest contains the following vulnerabilities.

amazonlinux-latest_vulnerbiltiies_2018-01-24.pdf

(This is my outside opinion based on experience in maintaining the Docker Official Images, I do not speak for the Amazon Linux maintainers)

When vulnerabilities are found, it is usually the case that fixes are not available for the specified packages. Sometimes there are stated reasons (like CVE-2014-6277), and sometimes it is just "will not fix" (like CVE-2016-5636).

Let's start with the first two vulnerabilities (bash, CVE-2014-6277 and CVE-2014-6278); they are not even considered security issues by RedHat and thus will be unlikely to receive a patch in Amazon Linux, since it is based upon RedHat Enterprise Linux.

From the history of image updates, it looks like the amazonlinux images are on a roughly 6-month release cycle. If there is a specific vulnerability that would warrant publishing a new release, please point it out on the Amazon Linux forums.

Related issues in other Official Images:
docker-library/buildpack-deps#46
docker-library/postgres#286
docker-library/openjdk#112
docker-library/drupal#84
docker-library/official-images#2740
docker-library/ruby#117
docker-library/ruby#94
docker-library/python#152
docker-library/php#242

Hi,

This appears to be the information available at https://hub.docker.com/r/library/amazonlinux/tags/latest/ (you may need to be logged in to view this).

This comes from Docker's security scanning infrastructure. AWS does not have any control or input into that at this time.

For information regarding vulnerabilities fixed in Amazon Linux, refer to https://alas.aws.amazon.com/. This, and the updateinfo.xml.gz that is part of the software repositories, is the only authoritative reference for security vulnerability information in Amazon Linux.

Please also note that amazonlinux:latest is currently not the Amazon Linux 2 LTS Candidate. This is explicitly amazonlinux:2. At a later date when AL2 graduates from its LTS Candidate status, amazonlinux:latest will become AL2.

If you have concerns about specific vulnerabilities, you can reach out here, the forums, or to AWS Support.

Iliana
Amazon Linux
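As an added example (not code from this thread or from Amazon Linux), a small Python check that takes a scanner-reported CVE id and looks it up in an updateinfo.xml of the kind the repositories ship, so a scanner's list can be reconciled against the authoritative ALAS data. The embedded sample follows the standard yum updateinfo schema; its advisory id, package versions and the id CVE-0000-0001 are constructed placeholders, not real Amazon Linux data.

```python
import gzip
import xml.etree.ElementTree as ET
from pathlib import Path

# Constructed sample in the yum updateinfo.xml schema. ALAS-EXAMPLE-0001,
# CVE-0000-0001 and the bash version/release are placeholders only.
SAMPLE_UPDATEINFO = """<updates>
  <update from="placeholder@example.com" status="final" type="security" version="1.4">
    <id>ALAS-EXAMPLE-0001</id>
    <title>ALAS-EXAMPLE-0001: medium priority package update for bash</title>
    <severity>medium</severity>
    <references>
      <reference href="https://alas.aws.amazon.com/ALAS-EXAMPLE-0001.html" id="ALAS-EXAMPLE-0001" type="bugzilla"/>
      <reference href="https://example.invalid/CVE-0000-0001" id="CVE-0000-0001" type="cve"/>
    </references>
    <pkglist>
      <collection short="amazon-linux-ami">
        <package arch="x86_64" name="bash" release="99.0.amzn1" version="4.2.46">
          <filename>bash-4.2.46-99.0.amzn1.x86_64.rpm</filename>
        </package>
      </collection>
    </pkglist>
  </update>
</updates>
"""


def load_updateinfo(source):
    """Parse updateinfo from an XML string, or from a .xml / .xml.gz Path."""
    if isinstance(source, Path):
        raw = gzip.open(source).read() if source.suffix == ".gz" else source.read_bytes()
        return ET.fromstring(raw)
    return ET.fromstring(source)


def advisories_for_cve(root, cve_id):
    """Return [(advisory_id, severity, [fixed package NEVRAs])] for every
    security advisory that references cve_id; [] means the authoritative
    feed lists no fix for it (e.g. a 'will not fix' or disputed CVE)."""
    hits = []
    for upd in root.iter("update"):
        if upd.get("type") != "security":
            continue
        cves = {r.get("id") for r in upd.iter("reference") if r.get("type") == "cve"}
        if cve_id not in cves:
            continue
        pkgs = [f"{p.get('name')}-{p.get('version')}-{p.get('release')}.{p.get('arch')}"
                for p in upd.iter("package")]
        hits.append((upd.findtext("id"), upd.findtext("severity"), pkgs))
    return hits
```

Against a real repository, pass `Path("updateinfo.xml.gz")` instead of the sample string and compare the returned package NEVRAs with `rpm -q` output from the image.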