bitnami/minideb

High Vulnerabilities in minideb-extras-base

zulrang opened this issue · 10 comments

I would've submitted this in the bitnami/minideb-extras-base repo, but I noticed there are no issues at all there.

The minideb-extras-base:latest is based upon bitnami/minideb@sha256:0c81ebe883191a47be826564fb171d22ba8b073db00e37174109f560dccd9894 which has multiple High vulnerabilities listed below. Other Bitnami images (such as kafka and zookeeper) use it as a base, so the vulnerabilities propagate.

The bitnami/minideb:latest does not have these vulnerabilities. It would be nice if these images were rebuilt with it instead.

| Severity | CVE | Package | Installed version | Description |
|---|---|---|---|---|
| High | CVE-2019-12900 | bzip2 | 1.0.6-8.1 | BZ2_decompress in decompress.c in bzip2 through 1.0.6 has ... |
| High | CVE-2018-1000001 | glibc | 2.24-11+deb9u4 | In glibc 2.26 and earlier there is confusion in the... |
| High | CVE-2018-6485 | glibc | 2.24-11+deb9u4 | An integer overflow in the implementation of the... |
| High | CVE-2017-12424 | shadow | 1:4.4-4.1 | In shadow before 4.5, the newusers tool could be... |
| High | CVE-2018-6551 | glibc | 2.24-11+deb9u4 | The malloc implementation in the GNU C Library (aka... |
| High | CVE-2019-9169 | glibc | 2.24-11+deb9u4 | In the GNU C Library (aka glibc or libc6) through... |
| High | CVE-2016-2779 | util-linux | 2.29.2-1+deb9u1 | runuser in util-linux allows local users to escape to... |

Hi @zulrang

The issue is that minideb:latest is pointing to the latest version, 10 (buster), while the Bitnami containers catalog (and minideb-extras-base) continues using Debian 9 (Stretch). You can see those issues are not fixed for version 9 by Debian but they have been fixed for version 8 or 10 (e.g. https://security-tracker.debian.org/tracker/CVE-2018-6551). On the other hand, there will be vulnerabilities that will affect only Debian 10 and not 9. We plan to work on supporting the new Debian version 10 for the Bitnami catalog in the next months.
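The triage described in this thread (read the scanner rows from the opening post, work out which Debian release each package version came from, then check the CVE's per-release status in the Debian security tracker) can be scripted. The following is an added Python example and is not code from the issue or from the bitnami/minideb project. The scanner text is the table from the opening post reproduced as a string; the tracker data is a constructed sample shaped like the tracker's JSON export (source package, then CVE id, then a `releases` map with a `status` field), and its statuses are placeholders, not the tracker's real records. The `+debNuM` version-suffix heuristic and the assumption that scanner package names match tracker source package names are both assumptions made for the example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed input: the scanner rows quoted in the opening post, as the scanner printed them.
SCANNER_OUTPUT = """\
High CVE-2019-12900         bzip2        1.0.6-8.1             BZ2_decompress in decompress.c in bzip2 through 1.0.6 has ...
High CVE-2018-1000001       glibc        2.24-11+deb9u4        In glibc 2.26 and earlier there is confusion in the...
High CVE-2018-6485          glibc        2.24-11+deb9u4        An integer overflow in the implementation of the...
High CVE-2017-12424         shadow       1:4.4-4.1             In shadow before 4.5, the newusers tool could be...
High CVE-2018-6551          glibc        2.24-11+deb9u4        The malloc implementation in the GNU C Library (aka...
High CVE-2019-9169          glibc        2.24-11+deb9u4        In the GNU C Library (aka glibc or libc6) through...
High CVE-2016-2779          util-linux   2.29.2-1+deb9u1       runuser in util-linux allows local users to escape to...
"""

# Constructed, tracker-shaped sample. The real export lives at
# https://security-tracker.debian.org/tracker/data/json and is keyed by source package,
# then CVE id, with a "releases" map of {release: {"status": "open" | "resolved", ...}}.
# The statuses here are ILLUSTRATIVE PLACEHOLDERS, not the tracker's actual records.
SAMPLE_TRACKER: Dict[str, Dict[str, dict]] = {
    "glibc": {
        "CVE-2018-6551": {"releases": {
            "jessie": {"status": "resolved"},
            "stretch": {"status": "open"},
            "buster": {"status": "resolved"},
        }},
    },
    "bzip2": {
        "CVE-2019-12900": {"releases": {
            "stretch": {"status": "open"},
            "buster": {"status": "resolved"},
        }},
    },
}


@dataclass(frozen=True)
class Finding:
    severity: str
    cve: str
    package: str
    version: str
    summary: str


# One whitespace-aligned scanner row: severity, CVE id, package, version, free-text summary.
ROW_RE = re.compile(
    r"^(?P<sev>\w+)\s+(?P<cve>CVE-\d{4}-\d{4,})\s+(?P<pkg>\S+)\s+(?P<ver>\S+)\s+(?P<summary>.*)$"
)


def parse_findings(text: str) -> List[Finding]:
    """Parse scanner rows into Finding records, silently skipping lines that do not match."""
    findings = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            findings.append(Finding(m["sev"], m["cve"], m["pkg"], m["ver"], m["summary"].strip()))
    return findings


def debian_release_of(version: str) -> Optional[str]:
    """Infer the Debian release from a '+debNuM' suffix (a heuristic: not every package carries one)."""
    m = re.search(r"\+deb(\d+)u\d+", version)
    if not m:
        return None
    return {"8": "jessie", "9": "stretch", "10": "buster"}.get(m.group(1))


def fix_status(tracker: dict, package: str, cve: str, release: str) -> str:
    """Return the tracker status of a CVE for one release: 'open', 'resolved' or 'unknown'."""
    entry = tracker.get(package, {}).get(cve, {})
    return entry.get("releases", {}).get(release, {}).get("status", "unknown")


def triage(findings: List[Finding], tracker: dict,
           candidate_releases=("jessie", "stretch", "buster")) -> List[dict]:
    """For each finding, report its status in the release its version points at and
    which candidate releases the tracker marks as resolved (the rebase question in the thread)."""
    report = []
    for f in findings:
        base = debian_release_of(f.version) or "unknown"
        report.append({
            "cve": f.cve,
            "package": f.package,
            "base_release": base,
            "base_status": fix_status(tracker, f.package, f.cve, base),
            "resolved_in": [r for r in candidate_releases
                            if fix_status(tracker, f.package, f.cve, r) == "resolved"],
        })
    return report


if __name__ == "__main__":
    for row in triage(parse_findings(SCANNER_OUTPUT), SAMPLE_TRACKER):
        print(row)
```

Rows whose version has no `+debNuM` marker (the `shadow` and `bzip2` rows above) come back with `base_release` and `base_status` of `unknown`, which is the honest answer rather than a guess; in practice the binary-to-source package mapping and the release also need to be confirmed from the image's own `/etc/debian_version` and `dpkg` metadata before acting on the report.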

Thanks for the response. I feel like I understand the process better now.

Are the images for 8 still available?

Minideb & minideb-extras for Debian 8 (Jessie) are being built on a daily basis. The Bitnami catalog is using Debian 9 (Stretch) right now, but you can find old images of those containers in Docker Hub that use Debian 8. Not sure if that answers your question or if that is what you are looking for.

That answers my question. I found the images you're referring to, and note that they are quite old.
For now I'll just have to write a POAM and wait until the catalog is updated to Buster.

Thanks for answering my questions!

@beltran-rubo can you give us some insights regarding when the newer Debian version 10 will be available/used by the Bitnami catalog?

We do not have a specific ETA right now but we plan to work on this beginning next year (Jan-Feb). Is there any reason why you need Debian 10 instead of Debian 9? We would like to understand if there is any technical issue or any specific feature you are looking for.

Speaking for myself, the feature we're looking for is "not having High CVE vulnerabilities" which won't be fixed in Debian 9.

Hi,

Are you talking about specific vulnerabilities, or the general security update policy for debian oldstable?

Thanks,

James

There's a list of them, right there in the OP.

Hi,

minideb-extras-base is now deprecated, so this doesn't directly apply. I believe that the
images that used to be built on it will now have upgraded packages when they are built.

I am therefore closing this.

Thanks,

James