jenkinsci/docker

Use Debian bookworm base image instead of bullseye to decrease unfixed vulnerability count

gokhansengun opened this issue · 6 comments

What feature do you want to see added?

Debian released bookworm (version 12) on June 10, this new release fixes many CVEs that were left unfixed in bullseye.

Creating a Jenkins Docker image based on debian:bullseye-20230814 results in 40 high and 5 critical unfixed CVEs (see scan results at the end). If debian:bookworm-20230818 is used, that number decreases to 9 high and 2 critical CVEs.

An example is CVE-2023-27533; this CVE was fixed in bookworm but not in bullseye.

Updating bullseye to bookworm seems to create no issues for image creation or at runtime; would you consider making the change?

bookworm-base-vulns.txt
bullseye-base-vulns.txt

Upstream changes

No response
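A check a maintainer can run to back up the comparison above, added here as an example (it is not from the issue or the jenkinsci/docker repository): it parses two Trivy-style JSON scan reports, counts unfixed CVEs by severity and lists which CVEs disappear or appear when the base image changes. The report excerpts are constructed stand-ins for the attached files; only CVE-2023-27533 comes from the issue, while its severity and the CVE-2099-* ids are placeholders.

```python
import json
from collections import Counter

# Constructed Trivy-style scan excerpts standing in for the two attached reports
# (bullseye-base-vulns.txt / bookworm-base-vulns.txt). Severities and the
# CVE-2099-* ids are placeholders; only CVE-2023-27533 is taken from the issue.
BULLSEYE_SCAN = json.dumps({"Results": [{"Vulnerabilities": [
    {"VulnerabilityID": "CVE-2023-27533", "PkgName": "curl", "Severity": "HIGH", "FixedVersion": ""},
    {"VulnerabilityID": "CVE-2099-0001", "PkgName": "libfoo", "Severity": "CRITICAL", "FixedVersion": ""},
    {"VulnerabilityID": "CVE-2099-0002", "PkgName": "libbar", "Severity": "HIGH", "FixedVersion": ""},
    {"VulnerabilityID": "CVE-2099-0003", "PkgName": "libbaz", "Severity": "HIGH", "FixedVersion": "1.2-3"},
]}]})
BOOKWORM_SCAN = json.dumps({"Results": [{"Vulnerabilities": [
    {"VulnerabilityID": "CVE-2099-0002", "PkgName": "libbar", "Severity": "HIGH", "FixedVersion": ""},
    {"VulnerabilityID": "CVE-2099-0004", "PkgName": "libqux", "Severity": "CRITICAL", "FixedVersion": ""},
]}]})


def unfixed(report_json):
    """Map CVE id -> severity for findings with no fixed package version,
    i.e. CVEs the distribution has not (yet) patched in that base image."""
    report = json.loads(report_json)
    out = {}
    for result in report.get("Results", []):
        for v in result.get("Vulnerabilities") or []:
            if not v.get("FixedVersion"):
                out[v["VulnerabilityID"]] = v["Severity"]
    return out


def severity_counts(report_json):
    """Count unfixed CVEs per severity, the figure quoted in the issue."""
    return Counter(unfixed(report_json).values())


def compare_bases(old_json, new_json):
    """Return (CVEs resolved by switching base, CVEs newly unfixed after the switch)."""
    old, new = unfixed(old_json), unfixed(new_json)
    return sorted(set(old) - set(new)), sorted(set(new) - set(old))


if __name__ == "__main__":
    print("bullseye unfixed:", dict(severity_counts(BULLSEYE_SCAN)))
    print("bookworm unfixed:", dict(severity_counts(BOOKWORM_SCAN)))
    resolved, introduced = compare_bases(BULLSEYE_SCAN, BOOKWORM_SCAN)
    print("resolved:", resolved, "introduced:", introduced)
```

Point the two constants at real scanner output (for example `trivy image -f json`) to reproduce the comparison for a freshly built image.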

timja commented

Shouldn't be an issue; the new Java 21 image is on bookworm:
#1683

Proposal: let's implement it on the master branch so it will be available for the next weekly release in any case.

We'll have to be clear in the changelog that the base image changes: it is a breaking change for users building on top of it.

For the LTS version, should we wait for next week or for the next one? (cc @MarkEWaite @timja @NotMyFault @Poddingue )

timja commented

We should aim to get it this week / next week before the LTS release.

If we get it in before .1, that would be best.

timja commented

cc @kmartens27 FYI for changelog

Thanks @timja, I'll be sure to add it to the changelog accordingly.

timja commented

It'll be in weekly and LTS.