docker-library/drupal

drupal:9.4-php8.1-apache-buster comes with apache version Apache/2.4.38 (Debian) which has Security issue.

Oleksii909 opened this issue · 5 comments


[Link to security issue description](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31813)

Also, there could be other issues with Composer, etc.

I would propose adding to the Dockerfile additional instructions to fetch the proper version of Apache, not less than 2.4.53, first.

I'm sure for new cores (9.4+) it should be bullseye, as buster has more outdated packages; at least webp and avif image support is totally broken in previous releases.

Please remember that Debian (and other distros) do backport security fixes to older versions as part of their stability and security process.

Looking at the latest image, the version of the Apache package installed is 2.4.38-3+deb10u8, which is reported to include fixes for CVE-2022-31813:

https://metadata.ftp-master.debian.org/changelogs//main/a/apache2/apache2_2.4.38-3+deb10u8_changelog

Thank you @cmlara for writing that. It is helpful information.

  1. I was able to see that this specific security issue, GHSA-4xc6-mgv4-5v44, is related to the current GitHub issue 231.

  2. I don't quite get the meaning of the notice in the Dockerfile see the screenshot below:


  1. I hope that we can invest time to get a properly generated drupal:9.4-php8.1-apache-buster Dockerfile that would be applied on all users' websites that use it in their projects, including also those who will redeploy their infrastructure.

  2. Q1: If there is some workaround for how to generate Docker images that contain the contributions listed in this URL from Debian.org and listed in List 1, then I would like to ask you to share this workaround with open source. I think we should have some shell script that will generate a Dockerfile with fixes for all issues referenced in some way.
     Because the issue with apache2 ([CVE-2022-31813](https://github.com/advisories/GHSA-4xc6-mgv4-5v44)) is only one of the issues reported in the current GitHub issue 231.

  3. Q2: Could you please share how you got the link to the changelog related to the security issue CVE-2022-31813? I mean this link: https://metadata.ftp-master.debian.org/changelogs//main/a/apache2/apache2_2.4.38-3+deb10u8_changelog

List-1

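The check cmlara describes (a Debian revision such as `-3+deb10u8` means the 2.4.38 package was patched in place) and the changelog URL asked about in Q2, as an added example that is not part of this thread or of the docker-library project. The changelog text below is constructed in the shape of a Debian changelog, not the real apache2 one; the URL layout is the one `apt-get changelog` fetches from, and dropping the epoch from the path is an assumption.

```python
import re

# Constructed sample in the shape of a Debian changelog (not the real apache2
# changelog); newest entry first, as in the file linked in the thread.
SAMPLE_CHANGELOG = """\
apache2 (2.4.38-3+deb10u8) buster-security; urgency=medium

  * Backport fixes for CVE-2022-31813 and CVE-2022-30556 from 2.4.54.

 -- Example Maintainer <maint@example.org>  Mon, 01 Aug 2022 00:00:00 +0000

apache2 (2.4.38-3+deb10u7) buster-security; urgency=medium

  * Backport fix for CVE-2022-22720.

 -- Example Maintainer <maint@example.org>  Mon, 14 Mar 2022 00:00:00 +0000
"""

VERSION_RE = re.compile(r"^(?:(?P<epoch>\d+):)?(?P<upstream>.+?)(?:-(?P<revision>[^-]+))?$")
STANZA_RE = re.compile(r"^(?P<source>\S+) \((?P<version>[^)]+)\) ", re.M)
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")

def split_debian_version(version):
    """Split 'epoch:upstream-revision'. A Debian revision such as 3+deb10u8
    means the distro patched upstream 2.4.38 in place, so matching only the
    upstream number (as a version-based scanner does) gives false positives."""
    m = VERSION_RE.match(version)
    return {"epoch": m["epoch"], "upstream": m["upstream"], "revision": m["revision"]}

def changelog_url(source, version):
    """URL of the form main/<prefix>/<source>/<source>_<version>_changelog;
    prefix is the first letter ('lib' + letter for lib* sources) and the
    epoch is dropped from the path (assumption based on apt's behaviour)."""
    no_epoch = version.split(":", 1)[-1]
    prefix = source[:4] if source.startswith("lib") else source[0]
    return ("https://metadata.ftp-master.debian.org/changelogs/main/"
            f"{prefix}/{source}/{source}_{no_epoch}_changelog")

def cves_fixed(changelog):
    """Map each CVE named in the changelog to the oldest version mentioning
    it; every entry in the file is part of the newest (installed) version."""
    fixed = {}
    stanzas = list(STANZA_RE.finditer(changelog))
    for i, st in enumerate(stanzas):
        end = stanzas[i + 1].start() if i + 1 < len(stanzas) else len(changelog)
        for cve in CVE_RE.findall(changelog[st.end():end]):
            fixed[cve] = st["version"]  # older stanzas come later and overwrite
    return fixed
```

Inside a container, `dpkg-query -W -f='${source:Package} ${Version}\n' apache2` gives the source name and installed version to feed into `changelog_url`, and the fetched changelog into `cves_fixed`.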

Currently, most packages are as up-to-date as they can be. Any that are not will be updated next time we do a debian base image update. The update is likely very soon judging by the cadence of the past PRs: https://github.com/docker-library/official-images/pulls?q=is%3Apr+label%3Alibrary%2Fdebian.


Background:

Tags in the [official-images] library file[s] are only built through an update to that library file or as a result of its base image being updated (ie, an image FROM debian:buster would be rebuilt when debian:buster is built).

- https://github.com/docker-library/official-images/tree/2f086314307c04e1de77f0a515f20671e60d40bb#library-definition-files

Official Images FAQ:

Though not every CVE is removed from the images, we take CVEs seriously and try to ensure that images contain the most up-to-date packages available within a reasonable time frame

- https://github.com/docker-library/faq/tree/4f51e1b995017ab10dab85fed304bce60fb7fa37#why-does-my-security-scanner-show-that-an-image-has-cves

Since our build system makes heavy use of the Docker build cache, just rebuilding all of the Dockerfiles won't cause any change. So we rely on periodic base image updates.

We strive to publish updated images at least monthly for Debian. We also rebuild earlier if there is a critical security need. Many Official Images are maintained by the community or their respective upstream projects, like Ubuntu, Alpine, and Oracle Linux, and are subject to their own maintenance schedule.

- https://github.com/docker-library/faq/tree/4f51e1b995017ab10dab85fed304bce60fb7fa37#why-does-my-security-scanner-show-that-an-image-has-cves

Thank you @yosifkit for the explanation.