redis/docker-library-redis

5.0.6-alpine CVE-2018-1000500 (Improper Handling of Exceptional Conditions)

esn89 opened this issue · 1 comments

esn89 commented

There is a high vulnerability discovered here:
https://snyk.io/test/docker/redis%3A5.0.6-alpine#SNYK-ALPINE310-BUSYBOX-1090151

can this be patched for those who are using this image?

  1. 5.0.x is end of life; it is not being updated anymore: #333
  2. if you really need 5.0.x then it should probably at least be the latest version of it, 5.0.14.
  3. 5.0.6-alpine is based on Alpine 3.10 and is over 4 years old, but it already has the fixed version for CVE-2018-1000500 (https://gitlab.alpinelinux.org/alpine/aports/-/blob/3.10-stable/main/busybox/APKBUILD#L61):
```console
$ docker run -it --rm redis:5.0.6-alpine sh
Unable to find image 'redis:5.0.6-alpine' locally
5.0.6-alpine: Pulling from library/redis
89d9c30c1d48: Pull complete
b2eb22a0b7db: Pull complete
c5ccbdf10203: Pull complete
29dc5d38440e: Pull complete
a9bfccb1acb4: Pull complete
ae61c5711cf8: Pull complete
Digest: sha256:27e139dd0476133961d36e5abdbbb9edf9f596f80cc2f9c2e8f37b20b91d610d
Status: Downloaded newer image for redis:5.0.6-alpine
/data # apk info busybox
WARNING: Ignoring APKINDEX.00740ba1.tar.gz: No such file or directory
WARNING: Ignoring APKINDEX.d8b2a6f4.tar.gz: No such file or directory
busybox-1.30.1-r2 description:
Size optimized toolbox of many common UNIX utilities

busybox-1.30.1-r2 webpage:
https://busybox.net/

busybox-1.30.1-r2 installed size:
942080

/data #
```

If there are Alpine package updates available, then an apk upgrade --no-cache in your own image would give you the most up-to-date packages.
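The check the reply performs by hand (read the installed package version out of `apk info` and compare it against the version that carries the fix) can be scripted so it runs as part of an image build or a scan triage. The script below is an added example, not code from the thread or from the docker-library/redis project. It parses the `busybox-<version>-r<rel> description:` line in the same format `apk info` printed above, compares Alpine-style `X.Y.Z-rN` versions numerically, and reports whether the installed version is at or above a threshold. The sample `apk info` output is constructed from the session in the reply; the threshold `1.30.1-r2` is an assumption for the example (the reply states that release already contains the fix, so anything at or above it passes), not a value taken from the APKBUILD.

```shell
#!/bin/sh
# Added example: verify that an installed Alpine package is at or above a
# given version, using the output format of "apk info <pkg>".

# Constructed sample, matching the "apk info busybox" output shown in the thread.
SAMPLE_APK_INFO='WARNING: Ignoring APKINDEX.00740ba1.tar.gz: No such file or directory
busybox-1.30.1-r2 description:
Size optimized toolbox of many common UNIX utilities

busybox-1.30.1-r2 webpage:
https://busybox.net/

busybox-1.30.1-r2 installed size:
942080
'

# installed_version PKG  (reads "apk info PKG" output on stdin)
# Prints "<version>-r<rel>" taken from the "<PKG>-<version>-r<rel> description:" line.
installed_version() {
    pkg="$1"
    sed -n "s/^${pkg}-\(.*\) description:\$/\1/p" | head -n 1
}

# version_ge A B: returns 0 if Alpine package version A >= B, 1 if lower,
# 2 if a component is not numeric. Assumption: plain "X.Y.Z-rN" versions;
# apk's full ordering rules (e.g. _rc/_p suffixes) are not reproduced here.
version_ge() {
    a=$(printf '%s' "$1" | sed 's/-r/./')   # 1.30.1-r2 -> 1.30.1.2
    b=$(printf '%s' "$2" | sed 's/-r/./')
    i=1
    while :; do
        x=$(printf '%s' "$a" | cut -d. -f"$i")
        y=$(printf '%s' "$b" | cut -d. -f"$i")
        # both strings exhausted with every component equal
        [ -z "$x" ] && [ -z "$y" ] && return 0
        x=${x:-0}
        y=${y:-0}
        case "$x$y" in *[!0-9]*) return 2 ;; esac
        [ "$x" -gt "$y" ] && return 0
        [ "$x" -lt "$y" ] && return 1
        i=$((i + 1))
    done
}

# check_package_fixed PKG FIXED_VERSION  (reads "apk info PKG" output on stdin)
# Exit 0 when the installed version is >= FIXED_VERSION, 1 when older,
# 2 when the package is missing or the version cannot be parsed.
check_package_fixed() {
    inst=$(installed_version "$1")
    if [ -z "$inst" ]; then
        echo "$1: not installed or version line not found" >&2
        return 2
    fi
    if version_ge "$inst" "$2"; then
        echo "$1 $inst >= $2: patched"
        return 0
    fi
    echo "$1 $inst < $2: older than fixed version"
    return 1
}

# Demo against the constructed sample. Inside a container the same check is
# simply:  apk info busybox | check_package_fixed busybox 1.30.1-r2
printf '%s' "$SAMPLE_APK_INFO" | check_package_fixed busybox 1.30.1-r2
```

Used inside a `RUN` step of your own Dockerfile after `apk upgrade --no-cache`, a non-zero exit fails the build instead of shipping an image whose scanner finding was never re-checked against the package actually installed.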