Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Debian image openssl vulnerability? #152

Closed
iainhouston opened this issue Oct 25, 2016 · 2 comments
Closed

Debian image openssl vulnerability? #152

iainhouston opened this issue Oct 25, 2016 · 2 comments

Comments

@iainhouston
Copy link

iainhouston commented Oct 25, 2016

It seems that a Dockerfile used to build an image FROM python:3.5 i.e. python:latest will be using a debian image with a vulnerable openssl.

I don't understand precisely why, as an image I built yesterday FROM debian:jessie uses the more recent openssl but an image I built today FROM python:3.5 seems to use an older one.

python:3.5 -> buildpack-deps:jessie -> buildpack-deps:jessie-scm -> buildpack-deps:jessie-curl -> debian:jessie

Is an outdated upstream debian:jessie image being inadvertently cached perhaps?

This arose from a vulnerability warning I received from a python:3.5-based image I pushed to my registry at IBM Bluemix Containers.

Security Notice: DSA-3673-2
Package : openssl
Debian Bug : 838652 838659

It was discovered that the original patch applied for CVE-2016-2182 in
DSA-3673-1 was incomplete, causing a regression when parsing
certificates. Updated packages are now available to address this
problem.

For the stable distribution (jessie), this problem has been fixed in
version 1.0.1t-1+deb8u5.

We recommend that you upgrade your openssl packages.

@yosifkit
Copy link
Member

This was fixed with docker-library/official-images#2179. Ran a quick check and python:3.5 does contain the fixed version:

docker pull python:3.5
3.5: Pulling from library/python

43c265008fae: Pull complete 
af36d2c7a148: Pull complete 
143e9d501644: Pull complete 
f6a5aab6cd0c: Pull complete 
132c9d275259: Pull complete 
e5dbf2ccb0ad: Pull complete 
606e98dfd3f6: Pull complete 
Digest: sha256:223993aa0c52de64dbf9c7acd0b8712145d12f18466c7a3d738a7e76e4bd1c92
Status: Downloaded newer image for python:3.5
$ docker run -it --rm python:3.5 bash
root@253a43173a3c:/# dpkg --status openssl
Package: openssl
Status: install ok installed
Priority: optional
Section: utils
Installed-Size: 1093
Maintainer: Debian OpenSSL Team <[email protected]>
Architecture: amd64
Version: 1.0.1t-1+deb8u5
Depends: libc6 (>= 2.15), libssl1.0.0 (>= 1.0.1k-3+deb8u3)
Suggests: ca-certificates
Conffiles:
 /etc/ssl/openssl.cnf 7df26c55291b33344dc15e3935dabaf3
Description: Secure Sockets Layer toolkit - cryptographic utility
 This package is part of the OpenSSL project's implementation of the SSL
 and TLS cryptographic protocols for secure communication over the
 Internet.
 .
 It contains the general-purpose command line binary /usr/bin/openssl,
 useful for cryptographic operations such as:
  * creating RSA, DH, and DSA key parameters;
  * creating X.509 certificates, CSRs, and CRLs;
  * calculating message digests;
  * encrypting and decrypting with ciphers;
  * testing SSL/TLS clients and servers;
  * handling S/MIME signed or encrypted mail.
root@253a43173a3c:/# 

Perhaps you have an older python:3.5 image and need to pull a new one? Just pulling a new debian:jessie won't update your images that are from it.

@iainhouston
Copy link
Author

Oh good, that's reassuring that the official python is up-to-date .... a bit worrying, though, that it is so easy for me to have stale basis images.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

2 participants