Security problem with Alpine
lool78 opened this issue · 2 comments
Hi Juan,
Just to let you know that Alpine 3.13.1 has a critical problem in Python (CVE-2021-3177).
Found using trivy:
trivy image --severity HIGH,CRITICAL juanluisbaptiste/postfix
2021-03-07T19:36:55.803+0100 WARN You should avoid using the :latest tag as it is cached. You need to specify '--clear-cache' option when :latest image is changed
2021-03-07T19:36:57.665+0100 INFO Detecting Alpine vulnerabilities...
2021-03-07T19:36:57.666+0100 INFO Trivy skips scanning programming language libraries because no supported file was detected
juanluisbaptiste/postfix (alpine 3.13.1)
Total: 7 (HIGH: 6, CRITICAL: 1)
+--------------+------------------+----------+-------------------+---------------+---------------------------------------+
| LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION | TITLE |
+--------------+------------------+----------+-------------------+---------------+---------------------------------------+
| libcrypto1.1 | CVE-2021-23839 | HIGH | 1.1.1i-r0 | 1.1.1j-r0 | openssl: incorrect SSLv2 |
| | | | | | rollback protection |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-23839 |
+------------------+ + + +---------------------------------------+
| | CVE-2021-23840 | | | | openssl: integer |
| | | | | | overflow in CipherUpdate |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-23840 |
+------------------+ + + +---------------------------------------+
| | CVE-2021-23841 | | | | openssl: NULL pointer dereference |
| | | | | | in X509_issuer_and_serial_hash() |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-23841 |
+--------------+------------------+ + + +---------------------------------------+
| libssl1.1 | CVE-2021-23839 | | | | openssl: incorrect SSLv2 |
| | | | | | rollback protection |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-23839 |
+------------------+ + + +---------------------------------------+
| | CVE-2021-23840 | | | | openssl: integer |
| | | | | | overflow in CipherUpdate |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-23840 |
+------------------+ + + +---------------------------------------+
| | CVE-2021-23841 | | | | openssl: NULL pointer dereference |
| | | | | | in X509_issuer_and_serial_hash() |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-23841 |
+--------------+------------------+----------+-------------------+---------------+---------------------------------------+
| python3 | CVE-2021-3177 | CRITICAL | 3.8.7-r0 | 3.8.7-r1 | python: stack-based buffer overflow |
| | | | | | in PyCArg_repr in _ctypes/callproc.c |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-3177 |
+--------------+------------------+----------+-------------------+---------------+---------------------------------------+
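A small CI gate for the kind of report shown above, added here as an example and not code from the issue or the postfix image repository. It reads Trivy's JSON output (`trivy image -f json -o report.json <image>`), counts findings the way the table does, and returns a non-zero exit status when a HIGH or CRITICAL finding has a fixed package version available, which is the situation for all seven findings above. The JSON field names (`Results`, `Vulnerabilities`, `VulnerabilityID`, `PkgName`, `InstalledVersion`, `FixedVersion`, `Severity`) are assumptions from the Trivy report format and should be checked against the trivy version in use; the sample report embedded in the script is constructed from three of the table rows plus one placeholder finding with no fix.

```python
"""Gate a container build on Trivy findings.

Added example, not part of the issue or the postfix project. Consumes the JSON
report written by `trivy image -f json -o report.json <image>`. The field names
used below are assumed to match Trivy's JSON report format; verify them against
the trivy version you run.
"""
import json
import sys
from collections import Counter

SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Constructed sample report: three rows from the issue's table plus one
# placeholder finding that has no fixed version yet.
SAMPLE_REPORT = json.dumps({
    "Results": [{
        "Target": "juanluisbaptiste/postfix (alpine 3.13.1)",
        "Vulnerabilities": [
            {"VulnerabilityID": "CVE-2021-23839", "PkgName": "libcrypto1.1",
             "InstalledVersion": "1.1.1i-r0", "FixedVersion": "1.1.1j-r0",
             "Severity": "HIGH"},
            {"VulnerabilityID": "CVE-2021-23839", "PkgName": "libssl1.1",
             "InstalledVersion": "1.1.1i-r0", "FixedVersion": "1.1.1j-r0",
             "Severity": "HIGH"},
            {"VulnerabilityID": "CVE-2021-3177", "PkgName": "python3",
             "InstalledVersion": "3.8.7-r0", "FixedVersion": "3.8.7-r1",
             "Severity": "CRITICAL"},
            # Constructed placeholder, not a real CVE: shows the no-fix case.
            {"VulnerabilityID": "PLACEHOLDER-NO-FIX", "PkgName": "example-pkg",
             "InstalledVersion": "1.0-r0", "FixedVersion": "",
             "Severity": "HIGH"},
        ],
    }],
})


def load_findings(report_text):
    """Flatten a Trivy JSON report into one dict per (package, vulnerability)."""
    report = json.loads(report_text)
    findings = []
    for result in report.get("Results", []):
        # "Vulnerabilities" may be absent or null for a clean target.
        for vuln in result.get("Vulnerabilities") or []:
            findings.append({
                "target": result.get("Target", ""),
                "id": vuln["VulnerabilityID"],
                "pkg": vuln["PkgName"],
                "installed": vuln.get("InstalledVersion", ""),
                "fixed": vuln.get("FixedVersion", ""),
                "severity": vuln.get("Severity", "UNKNOWN").upper(),
            })
    return findings


def summarize(findings):
    """Per-severity counts, the same numbers as trivy's 'Total: N (...)' line."""
    return Counter(f["severity"] for f in findings)


def blocking_findings(findings, min_severity="HIGH", fixable_only=True):
    """Findings at or above min_severity; by default only those a package
    upgrade would actually clear (a FixedVersion is listed)."""
    threshold = SEVERITY_RANK[min_severity]
    return [f for f in findings
            if SEVERITY_RANK.get(f["severity"], 0) >= threshold
            and (f["fixed"] or not fixable_only)]


def remediation(findings):
    """Sorted (package, fixed version) pairs, deduplicated across CVEs."""
    return sorted({(f["pkg"], f["fixed"]) for f in findings if f["fixed"]})


def gate(report_text, min_severity="HIGH", fixable_only=True):
    """CI exit status: 0 when nothing blocks the build, 1 otherwise."""
    findings = load_findings(report_text)
    return 1 if blocking_findings(findings, min_severity, fixable_only) else 0


if __name__ == "__main__":
    # Usage: python trivy_gate.py report.json  (falls back to the sample report)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    found = load_findings(text)
    counts = summarize(found)
    print(f"Total: {len(found)} ("
          + ", ".join(f"{k}: {v}" for k, v in sorted(counts.items())) + ")")
    for pkg, fixed in remediation(blocking_findings(found)):
        print(f"  upgrade {pkg} to {fixed}")
    sys.exit(gate(text))
```

Run the scan against the image pinned by digest rather than `:latest`, so the cached-result warning trivy prints above cannot let a stale scan pass a new build; the gate then fails until the base image is rebuilt on a release that ships the fixed package versions.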
Hi @lool78, thanks for the heads up. I just sent a rebuild of the image, so it will now use the 3.13.2 version.
New images available, closing this issue.