docker-library/tomcat

CVE-2019-20367

scriptmonkey opened this issue · 2 comments

Hello all,

Our scanning found that the latest update did not contain the most up-to-date version of the fixed libbsd. If I do a dpkg --list libbsd0, you will see the following output:

ii libbsd0:amd64 0.9.1-2 amd64 utility functions from BSD systems - shared library

It appears to be addressed in 8-jdk-buster. If I rebuild the container and issue the same command, you will see:

ii libbsd0:amd64 0.9.1-2+deb10u1 amd64 utility functions from BSD systems - shared library

Here is a link to more information.

Both OpenJDK and Tomcat had commits 21 days ago, so it appears that it could be a timing issue.

Would it be possible to rebuild the containers for the latest versions of Tomcat?

Which version in particular doesn't have libbsd0 at 0.9.1-2+deb10u1? You may have to re-pull the tomcat variant to get the latest version.

$ docker run --rm tomcat:10-jdk8-openjdk-buster dpkg -l libbsd0
Unable to find image 'tomcat:10-jdk8-openjdk-buster' locally
10-jdk8-openjdk-buster: Pulling from library/tomcat
004f1eed87df: Pull complete 
5d6f1e8117db: Pull complete 
48c2faf66abe: Pull complete 
234b70d0479d: Pull complete 
d7eb6c022a4e: Pull complete 
347c03cf94f8: Pull complete 
914dd506c750: Pull complete 
5a0823e5f9a5: Pull complete 
82f3da1523ea: Pull complete 
f478fd6b7941: Pull complete 
Digest: sha256:b52ffabf2e404eaf020fcd852f3bc835d63fa560e7c82b5b77513cdd8c620316
Status: Downloaded newer image for tomcat:10-jdk8-openjdk-buster
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name           Version         Architecture Description
+++-==============-===============-============-===================================================
ii  libbsd0:amd64  0.9.1-2+deb10u1 amd64        utility functions from BSD systems - shared library

$ docker run --rm tomcat:latest dpkg -l libbsd0
Unable to find image 'tomcat:latest' locally
latest: Pulling from library/tomcat
004f1eed87df: Already exists 
5d6f1e8117db: Already exists 
48c2faf66abe: Already exists 
234b70d0479d: Already exists 
d7eb6c022a4e: Already exists 
6c215442f70b: Pull complete 
355e8215390f: Pull complete 
582b6bcc359f: Pull complete 
e675386cb4e3: Pull complete 
7d672096d1e3: Pull complete 
Digest: sha256:3911564d7bc01680c221d2c53e98fe1ed7a33a20fdfc8205cdbdbff84960a679
Status: Downloaded newer image for tomcat:latest
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name           Version         Architecture Description
+++-==============-===============-============-===================================================
ii  libbsd0:amd64  0.9.1-2+deb10u1 amd64        utility functions from BSD systems - shared library

Debian base image updates were merged in docker-library/official-images#9878 and so every dependent image has been rebuilding over the past few days.