aws/aws-for-fluent-bit

Latest image of aws-for-fluent-bit contains python 2.7.18 which has vulnerabilities

Closed this issue · 4 comments

Describe the question/issue

The latest version contains Python 2.7.18 and not Python 3.x or later, as mentioned in the buildspec files. This version has vulnerabilities and is flagged by our scanner. I see a change and fix for such a Python version here:
(#98)
But somehow, when I run this image and check the Python version, it still shows 2.7.18.

Configuration

Fluent Bit Log Output

Fluent Bit Version Info

I'm using the latest image, which was released on 3rd Oct 2024.
2.32.2.20241008

Cluster Details

Application Details

Steps to reproduce issue

  1. docker pull the latest image
  2. Run python --version

Related Issues

Thank you for also mentioning the release date. The release on the third of October was 20241003, which has an issue with a modification to the internal build setup.

Please check this on 2.32.2.20241008 (the latest version as of yesterday), it should resolve your issue.

I do not think the two issues are related. However, I pulled both images and both have the same Python version, 2.7.18.

@swapneils I checked the latest image as well. It contains the same version. Can we have Python version 3.9+ or 3.7+ in the image, as mentioned in the buildspec? I tried forcefully removing 2.7.18; yum was broken, and some libraries also have "=" dependencies on the 2.7.18 version. Force removal might break something else too.

We've looked into this further.

Amazon Linux is the one vending Python 2 here, but they also provide extended support for fixing any CVEs in the Python version vended in the image. The AL2 Python 2.7.18 is not the same as the publicly available 2.7.18.

Is there any particular CVE your scanner is detecting which AL2 does not list as fixed? If not, this shouldn't constitute a security risk.

Closing this as resolved; please re-open if you are seeing a CVE with Python 2.7.18 which AL2 has not fixed in their version of the code.
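The reproduction step above checks only the output of python --version, and the maintainer's closing point is that the Amazon Linux 2 package keeps the upstream string 2.7.18 while carrying backported CVE fixes, which a version-string scanner cannot see. The shell script below is an added example, not code from the aws-for-fluent-bit project or from anyone in this thread. It shows the check a practitioner would run before re-opening: compare each scanner-reported CVE ID against the RPM changelog of the python package inside the image. It assumes the image is AL2-based and ships rpm; the image reference is a placeholder, and the changelog text and CVE IDs in the sample are constructed placeholders, not real entries or real CVEs.

```bash
#!/usr/bin/env bash
# Added example (not part of aws-for-fluent-bit): triage a scanner's "Python 2.7.18"
# finding against what the Amazon Linux 2 package changelog says was fixed.
#
# Scanners match the upstream version string. AL2 backports CVE fixes into
# python-2.7.18-*.amzn2 without bumping that string, so the package changelog,
# not "python --version", is the thing to read.
#
# Assumptions: the image is AL2-based and has rpm; IMAGE is a placeholder tag.
# To collect real input from the container, run:
#   IMAGE="<your aws-for-fluent-bit image tag>"
#   docker run --rm --entrypoint rpm "$IMAGE" -q python
#   docker run --rm --entrypoint rpm "$IMAGE" -q --changelog python > changelog.txt
# then: triage_cves changelog.txt CVE-XXXX-NNNN ...   (the IDs your scanner reported)

# triage_cves CHANGELOG_FILE CVE_ID...
# Prints a verdict per CVE. Returns 0 when every CVE is mentioned in the changelog,
# 1 when at least one is not (that one is the candidate to raise with AL2/upstream).
triage_cves() {
    local changelog="$1"; shift
    local missing=0
    local cve
    for cve in "$@"; do
        # -F fixed string, -w whole word so CVE-0000-0001 does not match CVE-0000-00010
        if grep -Fqw -- "$cve" "$changelog"; then
            printf '%s: listed as fixed in the AL2 package changelog\n' "$cve"
        else
            printf '%s: NOT mentioned in the changelog; check AL2 advisories before reporting\n' "$cve"
            missing=1
        fi
    done
    return "$missing"
}

# Constructed sample changelog for offline use. Not real rpm output; the CVE IDs
# are placeholders (CVE-0000-*), not real vulnerabilities.
SAMPLE_CHANGELOG="$(mktemp)"
cat > "$SAMPLE_CHANGELOG" <<'EOF'
* Mon Jan 01 2024 Constructed Entry <noreply@example.invalid> - 2.7.18-1.amzn2.0.99
- Backport fix for CVE-0000-0001
- Backport fix for CVE-0000-0002 (placeholder)
EOF

# Demo: two scanner findings covered by backports, one not. Wrapped in "if" so the
# non-zero return is a verdict, not an error, even under "set -e".
if triage_cves "$SAMPLE_CHANGELOG" CVE-0000-0001 CVE-0000-0002 CVE-0000-0003; then
    echo "all reported CVEs are covered by the distro package"
else
    echo "at least one reported CVE is not covered; escalate that one with the changelog attached"
fi
```

A hit in the changelog is the evidence that the distro package carries the backport; a miss does not by itself prove the image is vulnerable (the fix may predate the changelog entries kept, or the CVE may not apply to the shipped build), so the missing ID is the one to look up in the Amazon Linux security advisories and, if still unresolved, to quote when re-opening the issue.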