
Release schedule for Debian security upgrades #14813

Closed
nemobis opened this issue Jun 9, 2023 · 3 comments

Comments


nemobis commented Jun 9, 2023

How often are Debian-based official images updated to pick up security releases? Quite often I see official images which are several weeks out of date. It would be nice to have images refreshed once a new Debian security update is released, let's say within 24 hours.

We mirror the official images internally in our own registry, but trivy often detects vulnerable versions. For example right now the node:slim image is 17 days old and ships a vulnerable version of openssl which was upgraded 10 days ago:

[2023-05-31] Accepted openssl 1.1.1n-0+deb11u5 (source) into stable-security (Debian FTP Masters) (signed by: Sebastian Andrzej Siewior)

So vulnerability scanners (including Docker Hub's own!) complain about CVE-2023-0464:

2023-06-09T08:19:33.747Z	INFO	Detecting node-pkg vulnerabilities...
node:20-bullseye-slim.tar (debian 11.7)
=======================================
Total: 2 (HIGH: 2, CRITICAL: 0)
┌───────────┬───────────────┬──────────┬───────────────────┬──────────────────┬────────────────────────────────────────────────────────────┐
│  Library  │ Vulnerability │ Severity │ Installed Version │  Fixed Version   │                           Title                            │
├───────────┼───────────────┼──────────┼───────────────────┼──────────────────┼────────────────────────────────────────────────────────────┤
│ libssl1.1 │ CVE-2023-0464 │ HIGH     │ 1.1.1n-0+deb11u4  │ 1.1.1n-0+deb11u5 │ Denial of service by excessive resource usage in verifying │
│           │               │          │                   │                  │ X509 policy constraints...                                 │
│           │               │          │                   │                  │ https://avd.aquasec.com/nvd/cve-2023-0464                  │
│           ├───────────────┤          │                   │                  ├────────────────────────────────────────────────────────────┤
│           │ CVE-2023-2650 │          │                   │                  │ Possible DoS translating ASN.1 object identifiers          │
│           │               │          │                   │                  │ https://avd.aquasec.com/nvd/cve-2023-2650                  │
└───────────┴───────────────┴──────────┴───────────────────┴──────────────────┴────────────────────────────────────────────────────────────┘



yosifkit commented Jun 9, 2023

We strive to publish updated images at least monthly for Debian. We also rebuild earlier if there is a critical security need, e.g. #2171. Many Official Images are maintained by the community or their respective upstream projects, like Ubuntu, Alpine, and Oracle Linux, and are subject to their own maintenance schedule. These refreshed base images also mean that any other image in the Official Images program that is FROM them will also be rebuilt (as described in the project README.md file).

- https://github.com/docker-library/faq/tree/da53abbaf0ed592989e5f8b50adcbd062582033d#why-does-my-security-scanner-show-that-an-image-has-cves

As for those particular OpenSSL CVEs, see debuerreotype/docker-debian-artifacts#195 (comment).


nemobis commented Jun 9, 2023 via email


tianon commented Jun 12, 2023

The downstream rebuild effect when we update is pretty immense, so we try to stick to roughly three weeks barring unusual events like severe CVEs or distro-level releases. There should be an update today (assuming no serious hiccups in the rebuild).

tianon closed this as completed Jun 12, 2023