trivy security alert
oupala opened this issue · 3 comments
oupala commented
Trivy audit is reporting some security alerts:
Total: 15 (UNKNOWN: 0, LOW: 0, MEDIUM: 6, HIGH: 8, CRITICAL: 1)
┌──────────────┬────────────────┬──────────┬───────────────────┬───────────────┬─────────────────────────────────────────────────────────────┐
│ Library │ Vulnerability │ Severity │ Installed Version │ Fixed Version │ Title │
├──────────────┼────────────────┼──────────┼───────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
│ libcrypto1.1 │ CVE-2022-4450 │ HIGH │ 1.1.1n-r0 │ 1.1.1t-r0 │ openssl: double free after calling PEM_read_bio_ex │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2022-4450 │
│ ├────────────────┤ │ │ ├─────────────────────────────────────────────────────────────┤
│ │ CVE-2023-0215 │ │ │ │ openssl: use-after-free following BIO_new_NDEF │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2023-0215 │
│ ├────────────────┤ │ │ ├─────────────────────────────────────────────────────────────┤
│ │ CVE-2023-0286 │ │ │ │ openssl: X.400 address type confusion in X.509 GeneralName │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2023-0286 │
│ ├────────────────┤ │ ├───────────────┼─────────────────────────────────────────────────────────────┤
│ │ CVE-2023-0464 │ │ │ 1.1.1t-r2 │ openssl: Denial of service by excessive resource usage in │
│ │ │ │ │ │ verifying X509 policy... │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2023-0464 │
│ ├────────────────┼──────────┤ ├───────────────┼─────────────────────────────────────────────────────────────┤
│ │ CVE-2022-2097 │ MEDIUM │ │ 1.1.1q-r0 │ openssl: AES OCB fails to encrypt some bytes │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2022-2097 │
│ ├────────────────┤ │ ├───────────────┼─────────────────────────────────────────────────────────────┤
│ │ CVE-2022-4304 │ │ │ 1.1.1t-r0 │ openssl: timing attack in RSA Decryption implementation │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2022-4304 │
│ ├────────────────┤ │ ├───────────────┼─────────────────────────────────────────────────────────────┤
│ │ CVE-2023-0465 │ │ │ 1.1.1t-r3 │ openssl: Invalid certificate policies in leaf certificates │
│ │ │ │ │ │ are silently ignored │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2023-0465 │
├──────────────┼────────────────┼──────────┤ ├───────────────┼─────────────────────────────────────────────────────────────┤
│ libssl1.1 │ CVE-2022-4450 │ HIGH │ │ 1.1.1t-r0 │ openssl: double free after calling PEM_read_bio_ex │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2022-4450 │
│ ├────────────────┤ │ │ ├─────────────────────────────────────────────────────────────┤
│ │ CVE-2023-0215 │ │ │ │ openssl: use-after-free following BIO_new_NDEF │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2023-0215 │
│ ├────────────────┤ │ │ ├─────────────────────────────────────────────────────────────┤
│ │ CVE-2023-0286 │ │ │ │ openssl: X.400 address type confusion in X.509 GeneralName │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2023-0286 │
│ ├────────────────┤ │ ├───────────────┼─────────────────────────────────────────────────────────────┤
│ │ CVE-2023-0464 │ │ │ 1.1.1t-r2 │ openssl: Denial of service by excessive resource usage in │
│ │ │ │ │ │ verifying X509 policy... │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2023-0464 │
│ ├────────────────┼──────────┤ ├───────────────┼─────────────────────────────────────────────────────────────┤
│ │ CVE-2022-2097 │ MEDIUM │ │ 1.1.1q-r0 │ openssl: AES OCB fails to encrypt some bytes │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2022-2097 │
│ ├────────────────┤ │ ├───────────────┼─────────────────────────────────────────────────────────────┤
│ │ CVE-2022-4304 │ │ │ 1.1.1t-r0 │ openssl: timing attack in RSA Decryption implementation │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2022-4304 │
│ ├────────────────┤ │ ├───────────────┼─────────────────────────────────────────────────────────────┤
│ │ CVE-2023-0465 │ │ │ 1.1.1t-r3 │ openssl: Invalid certificate policies in leaf certificates │
│ │ │ │ │ │ are silently ignored │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2023-0465 │
├──────────────┼────────────────┼──────────┼───────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
│ zlib │ CVE-2022-37434 │ CRITICAL │ 1.2.12-r0 │ 1.2.12-r2 │ zlib: heap-based buffer over-read and overflow in inflate() │
│ │ │ │ │ │ in inflate.c via a... │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2022-37434 │
└──────────────┴────────────────┴──────────┴───────────────────┴───────────────┴─────────────────────────────────────────────────────────────┘
You should probably update your base image from alpine:3.15 to alpine:3.17.
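A gating check for the kind of report shown above, written for this page and not taken from the issue or the project: it parses a Trivy JSON report (the `trivy image -f json` shape, with a constructed sample mirroring a few of the table's rows), reproduces the per-severity summary, decides whether a CI build should fail, and lists the fixed versions each package must reach after the base-image bump. The severity threshold and the `ignore_unfixed` behaviour are assumptions modelled on Trivy's own `--severity` and `--ignore-unfixed` options.

```python
import json
from collections import Counter

# Constructed sample in Trivy's JSON report layout, carrying a subset of
# the findings from the table above (not a real scan output).
SAMPLE_REPORT = json.dumps({"Results": [{
    "Target": "example:latest (alpine 3.15)",
    "Vulnerabilities": [
        {"VulnerabilityID": "CVE-2022-37434", "PkgName": "zlib", "Severity": "CRITICAL",
         "InstalledVersion": "1.2.12-r0", "FixedVersion": "1.2.12-r2"},
        {"VulnerabilityID": "CVE-2022-4450", "PkgName": "libcrypto1.1", "Severity": "HIGH",
         "InstalledVersion": "1.1.1n-r0", "FixedVersion": "1.1.1t-r0"},
        {"VulnerabilityID": "CVE-2023-0465", "PkgName": "libcrypto1.1", "Severity": "MEDIUM",
         "InstalledVersion": "1.1.1n-r0", "FixedVersion": "1.1.1t-r3"},
        {"VulnerabilityID": "CVE-2023-0465", "PkgName": "libssl1.1", "Severity": "MEDIUM",
         "InstalledVersion": "1.1.1n-r0", "FixedVersion": "1.1.1t-r3"},
    ]}]})

# Same order Trivy prints in its "Total: N (UNKNOWN: .. CRITICAL: ..)" line.
SEVERITY_ORDER = ["UNKNOWN", "LOW", "MEDIUM", "HIGH", "CRITICAL"]

def findings(report_json):
    """Flatten every Result's Vulnerabilities into one list; the key may be null or absent."""
    report = json.loads(report_json)
    return [v for r in report.get("Results") or [] for v in r.get("Vulnerabilities") or []]

def summarize(report_json):
    """Per-severity counts, every severity present so the dict matches Trivy's summary."""
    counts = Counter(v["Severity"] for v in findings(report_json))
    return {s: counts.get(s, 0) for s in SEVERITY_ORDER}

def should_fail(report_json, threshold="HIGH", ignore_unfixed=True):
    """CI gate: True if any finding at or above threshold is actionable (has a fixed version)."""
    floor = SEVERITY_ORDER.index(threshold)
    for v in findings(report_json):
        if SEVERITY_ORDER.index(v.get("Severity", "UNKNOWN")) < floor:
            continue
        if ignore_unfixed and not v.get("FixedVersion"):
            continue  # nothing to upgrade to yet; track it, do not block the build on it
        return True
    return False

def upgrade_plan(report_json):
    """Package -> sorted list of fixed versions cited for it; apk decides the ordering,
    so the base image must ship at least the newest of these."""
    plan = {}
    for v in findings(report_json):
        if v.get("FixedVersion"):
            plan.setdefault(v["PkgName"], set()).add(v["FixedVersion"])
    return {pkg: sorted(vers) for pkg, vers in plan.items()}
```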
camathieu commented
Done
oupala commented
As the commit has been merged to master, do you plan to publish a new release of the Docker image on Docker Hub?
In Docker Hub, the dev tag is 5 days old, but the latest and 1.3.6 tags are a year old. I think that there should be a new 1.3.7 tag, or a 1.4 tag, or a 2 tag...
camathieu commented
Next version will be 1.3.7; in the meantime dev is built on master head.