Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

The versions of Python 2 in the build pack-deps:buster-scm include a vulnerability (CVE-2020-8492) #109

Closed
easco opened this issue Jul 2, 2020 · 1 comment
Closed

The versions of Python 2 in the build pack-deps:buster-scm include a vulnerability (CVE-2020-8492) #109

easco opened this issue Jul 2, 2020 · 1 comment
Labels
question

Comments

@easco
Copy link

easco commented Jul 2, 2020

I attempted to bring the Elixir 10.3 image into our internal repo. Our mechanism does a scan for vulnerabilities and my request was rejected because of the version of Python 2 that appears to originate from the buildpack-deps:buster-scm image. The CVE that caused the rejection was CVE-2020-8492 with the description:

Python 2.7 through 2.7.17, 3.5 through 3.5.9, 3.6 through 3.6.10, 3.7 through 3.7.6, and 3.8 through 3.8.1 allows an HTTP server to conduct Regular Expression Denial of Service (ReDoS) attacks against a client because of urllib.request.AbstractBasicAuthHandler catastrophic backtracking.. Impacted Image File(s): /usr/lib/python3.7/urllib/request.py

I note the image includes Python 2.7.16
@easco easco mentioned this issue Jul 2, 2020
Open
@wglambert
Copy link

https://security-tracker.debian.org/tracker/CVE-2020-8492 Buster is unfixed so there's nothing actionable for us to do, upstream also considers it a minor issue

$ docker run -it --rm buildpack-deps:buster-scm bash

root@9d2bd1850a11:/# apt update       
Get:1 http://deb.debian.org/debian buster InRelease [121 kB]
Get:2 http://security.debian.org/debian-security buster/updates InRelease [65.4 kB]
Get:3 http://deb.debian.org/debian buster-updates InRelease [51.9 kB]
Get:4 http://deb.debian.org/debian buster/main amd64 Packages [7905 kB]
Get:5 http://security.debian.org/debian-security buster/updates/main amd64 Packages [208 kB]
Get:6 http://deb.debian.org/debian buster-updates/main amd64 Packages [7868 B]
Fetched 8360 kB in 3s (3054 kB/s)
Reading package lists... Done
Building dependency tree       
Reading state information... Done
All packages are up to date.

See also https://github.com/docker-library/faq#why-does-my-security-scanner-show-that-an-image-has-so-many-cves
And docker-library/postgres#286 (comment) docker-library/openjdk#161, docker-library/openjdk#112, docker-library/postgres#286, docker-library/drupal#84, docker-library/official-images#2740, docker-library/ruby#117, docker-library/ruby#94, docker-library/python#152, docker-library/php#242, #46, docker-library/openjdk#185.

A CVE doesn't imply having an actual vulnerability, and often is even a false positive (given how most distributions handle versioning/security updates in stable releases). If there are actionable items we can resolve, we're happy to do so (and do so actively). We update all Debian based images to include any updates in apt packages at least monthly (we regenerate the base images and then rebuild all dependent images).

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
question
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@easco @wglambert