
CVE-2021-23840 still in recent Debian Buster based Python images #580

Closed
ahaerpfer opened this issue Feb 20, 2021 · 2 comments

Comments

@ahaerpfer

Is it possible that the most recent builds for the Debian Buster based images were built from an outdated Debian package cache? Dockerfiles for the 3.8 and 3.9 versions were updated on Feb. 19 (c285e28, 91cbd74), but the corresponding images on Dockerhub still contain the vulnerable openssl 1.1.1d-0+deb10u4.

On the other hand the Debian Security Tracker lists this vulnerability as fixed with the updated openssl 1.1.1d-0+deb10u5 being available since Feb. 17 (DSA-4855-1), i.e. two days earlier!

When I build a python:3.9-slim image from the Dockerfile in this repo myself (today, i.e. Feb 20), I get the updated package.

See also #578.
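One way to verify what a pulled image actually contains, as an added example that is not part of this issue thread or the docker-library project: the script below parses a `dpkg-query -W -f '${Package} ${Version}\n'` listing (a constructed sample is embedded, standing in for output captured inside the image) and compares the installed openssl version against the fixed 1.1.1d-0+deb10u5 from DSA-4855-1 using a reimplementation of dpkg's version ordering (epoch, upstream, Debian revision, with `~` sorting before everything). The fixed version comes from the issue text; checking `libssl1.1` as well (the runtime library built from the same openssl source package) is an assumption added here. On a real host, `dpkg --compare-versions` gives the authoritative answer; the reimplementation exists so the check runs anywhere.

```python
"""Check a dpkg package listing for an openssl older than the Debian Buster
fix for CVE-2021-23840 (openssl 1.1.1d-0+deb10u5, DSA-4855-1).

Input is the text printed by, inside the image:
    dpkg-query -W -f '${Package} ${Version}\n'
"""
import re

# Constructed sample listing (not captured from a real image): what the
# query above might print in a python:3.9-slim image built from a stale cache.
SAMPLE_LISTING = """\
libc6 2.28-10
libssl1.1 1.1.1d-0+deb10u4
openssl 1.1.1d-0+deb10u4
zlib1g 1:1.2.11.dfsg-1
"""

# Fixed version from DSA-4855-1 as quoted in the issue. Checking libssl1.1
# alongside the openssl CLI package is an assumption made for this example.
FIXED = {"openssl": "1.1.1d-0+deb10u5", "libssl1.1": "1.1.1d-0+deb10u5"}


def _order(c: str) -> int:
    """dpkg ordering of a non-digit character: '~' sorts before everything,
    including end-of-string; letters sort before other punctuation."""
    if c == "~":
        return -1
    if c == "":
        return 0
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _cmp_fragment(a: str, b: str) -> int:
    """Compare an upstream-version or debian-revision fragment the way dpkg
    does: alternate non-digit runs (character-wise via _order) and digit runs
    (numerically). Returns -1, 0 or 1."""
    while a or b:
        sa = re.match(r"[^0-9]*", a).group(0)
        sb = re.match(r"[^0-9]*", b).group(0)
        a, b = a[len(sa):], b[len(sb):]
        for i in range(max(len(sa), len(sb))):
            oa = _order(sa[i] if i < len(sa) else "")
            ob = _order(sb[i] if i < len(sb) else "")
            if oa != ob:
                return -1 if oa < ob else 1
        da = re.match(r"[0-9]*", a).group(0)
        db = re.match(r"[0-9]*", b).group(0)
        a, b = a[len(da):], b[len(db):]
        na, nb = int(da or "0"), int(db or "0")
        if na != nb:
            return -1 if na < nb else 1
    return 0


def _split(version: str):
    """Split '[epoch:]upstream[-revision]' into (epoch, upstream, revision).
    The revision is everything after the LAST hyphen, as in dpkg."""
    epoch, sep, rest = version.partition(":")
    if not sep:
        epoch, rest = "0", version
    upstream, sep, revision = rest.rpartition("-")
    if not sep:
        upstream, revision = rest, ""
    return int(epoch), upstream, revision


def compare_versions(a: str, b: str) -> int:
    """Return -1 if a < b, 0 if equal, 1 if a > b under Debian version rules."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    if ea != eb:
        return -1 if ea < eb else 1
    c = _cmp_fragment(ua, ub)
    return c if c else _cmp_fragment(ra, rb)


def parse_listing(text: str) -> dict:
    """Map package name -> installed version from 'name version' lines."""
    pkgs = {}
    for line in text.splitlines():
        line = line.strip()
        if line:
            name, _, version = line.partition(" ")
            pkgs[name] = version
    return pkgs


def find_unpatched(listing: str, fixed: dict = FIXED) -> dict:
    """Return {package: (installed, fixed)} for every tracked package whose
    installed version is older than the fixed one."""
    installed = parse_listing(listing)
    return {
        pkg: (installed[pkg], want)
        for pkg, want in fixed.items()
        if pkg in installed and compare_versions(installed[pkg], want) < 0
    }


if __name__ == "__main__":
    for pkg, (have, want) in find_unpatched(SAMPLE_LISTING).items():
        print(f"{pkg}: installed {have} is older than fixed {want}")
```

Feed it the real listing with `docker run --rm python:3.9-slim dpkg-query -W -f '${Package} ${Version}\n'` piped into `find_unpatched`; an empty result means every tracked package is at or past the DSA version.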

@ahaerpfer ahaerpfer changed the title CVE-2021-23840 still in recent Debian Buster images CVE-2021-23840 still in recent Debian Buster based Python images Feb 20, 2021
@wglambert

Looks like the recent security update just missed it docker-library/official-images#9658

But there's another PR up docker-library/official-images#9670

@yosifkit
Member

Unfortunately, docker-library/official-images#9670 is not going to have an effect, since it only changes the pip installation. That happens after the installation of python and the builds make heavy use of Docker build cache, so the earlier layers will be unchanged when the images are built.


Since this likely affects more than just the python images, our usual path would be to rebuild the base image (debian) and then all dependent official-images would be rebuilt and benefit.

From https://github.com/docker-library/faq/tree/0fd4aeb047fc37ed37bd9991cae479140450ae65#why-does-my-security-scanner-show-that-an-image-has-cves:

We strive to publish updated images at least monthly for Debian and Ubuntu. We also rebuild earlier if there is a critical security need, e.g. docker-library/official-images#2171. [...] These refreshed base images also mean that any other image in the Official Images program that is FROM them will also be rebuilt (as described in the project README.md file).

Last Debian update was docker-library/official-images#9590, so the usual 30-day cadence would still be over two weeks away. @tianon, of the three CVEs in the OpenSSL Security Advisory, CVE-2021-23841 is marked as "Moderate" with the other two being "Low". As another point of reference, Red Hat does not have fixes available: https://access.redhat.com/security/cve/CVE-2021-23841.

@tianon tianon closed this as completed Apr 5, 2021
4 participants