Debian image openssl vulnerability? #152
Comments
This was fixed with docker-library/official-images#2179. Ran a quick check and

```
$ docker pull python:3.5
3.5: Pulling from library/python
43c265008fae: Pull complete
af36d2c7a148: Pull complete
143e9d501644: Pull complete
f6a5aab6cd0c: Pull complete
132c9d275259: Pull complete
e5dbf2ccb0ad: Pull complete
606e98dfd3f6: Pull complete
Digest: sha256:223993aa0c52de64dbf9c7acd0b8712145d12f18466c7a3d738a7e76e4bd1c92
Status: Downloaded newer image for python:3.5
$ docker run -it --rm python:3.5 bash
root@253a43173a3c:/# dpkg --status openssl
Package: openssl
Status: install ok installed
Priority: optional
Section: utils
Installed-Size: 1093
Maintainer: Debian OpenSSL Team <[email protected]>
Architecture: amd64
Version: 1.0.1t-1+deb8u5
Depends: libc6 (>= 2.15), libssl1.0.0 (>= 1.0.1k-3+deb8u3)
Suggests: ca-certificates
Conffiles:
 /etc/ssl/openssl.cnf 7df26c55291b33344dc15e3935dabaf3
Description: Secure Sockets Layer toolkit - cryptographic utility
 This package is part of the OpenSSL project's implementation of the SSL
 and TLS cryptographic protocols for secure communication over the
 Internet.
 .
 It contains the general-purpose command line binary /usr/bin/openssl,
 useful for cryptographic operations such as:
  * creating RSA, DH, and DSA key parameters;
  * creating X.509 certificates, CSRs, and CRLs;
  * calculating message digests;
  * encrypting and decrypting with ciphers;
  * testing SSL/TLS clients and servers;
  * handling S/MIME signed or encrypted mail.
root@253a43173a3c:/#
```

Perhaps you have an older
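The `dpkg --status openssl` check above is easy to script so it can run against every base image you build from, not just one pull. The following is an added example, not code from this thread or from the docker-library project: it parses `dpkg --status` output, reimplements dpkg's version ordering (epoch, upstream version, Debian revision, with `~` sorting before everything) so the comparison works on a host without dpkg, and reports whether the installed package is at or past a given fixed version. The pasted status output is reused as one sample (abridged to the relevant fields); the stale sample with version `1.0.1k-3+deb8u4`, the `FIXED_OPENSSL` threshold and the `image_has_fix` helper are assumptions made for the example.

```python
"""Check whether the openssl package inside an image is at (or past) a fixed version.

Added example for this thread; not code from the docker-library project.
"""
import subprocess


def _order(ch):
    # Weight of one character in dpkg's non-digit comparison:
    # '~' sorts before anything (even end of string), letters before non-letters.
    if ch == "" or ch.isdigit():
        return 0
    if ch.isalpha():
        return ord(ch)
    if ch == "~":
        return -1
    return ord(ch) + 256


def _verrevcmp(a, b):
    # Port of dpkg's verrevcmp(): alternate between non-digit runs (compared by
    # _order) and digit runs (compared numerically, leading zeros ignored).
    def at(s, k):
        return s[k] if k < len(s) else ""

    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        while (at(a, i) and not at(a, i).isdigit()) or (at(b, j) and not at(b, j).isdigit()):
            diff = _order(at(a, i)) - _order(at(b, j))
            if diff:
                return diff
            i += 1
            j += 1
        while at(a, i) == "0":
            i += 1
        while at(b, j) == "0":
            j += 1
        while at(a, i).isdigit() and at(b, j).isdigit():
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if at(a, i).isdigit():
            return 1
        if at(b, j).isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def parse_version(version):
    """Split a Debian version string into (epoch, upstream_version, debian_revision)."""
    epoch = 0
    if ":" in version:
        epoch_str, version = version.split(":", 1)
        epoch = int(epoch_str)
    if "-" in version:
        upstream, revision = version.rsplit("-", 1)
    else:
        upstream, revision = version, ""
    return epoch, upstream, revision


def compare_versions(a, b):
    """Return -1, 0 or 1, ordering a against b the way dpkg --compare-versions does."""
    ea, ua, ra = parse_version(a)
    eb, ub, rb = parse_version(b)
    if ea != eb:
        return 1 if ea > eb else -1
    for x, y in ((ua, ub), (ra, rb)):
        diff = _verrevcmp(x, y)
        if diff:
            return 1 if diff > 0 else -1
    return 0


def installed_version(dpkg_status):
    """Parse `dpkg --status <pkg>` output; return Version, or None if not installed."""
    fields = {}
    for line in dpkg_status.splitlines():
        if line[:1] in (" ", "\t") or ":" not in line:
            continue  # continuation lines of Description / Conffiles
        key, _, value = line.partition(":")
        fields[key.strip()] = value.strip()
    if fields.get("Status") != "install ok installed":
        return None
    return fields.get("Version")


def is_fixed(dpkg_status, fixed_version):
    """True if the installed package is at or above fixed_version."""
    current = installed_version(dpkg_status)
    return current is not None and compare_versions(current, fixed_version) >= 0


def image_has_fix(image, package, fixed_version):
    """Run the check against a real image (needs a working `docker` CLI; assumed helper)."""
    status = subprocess.run(
        ["docker", "run", "--rm", image, "dpkg", "--status", package],
        capture_output=True, text=True, check=False,
    ).stdout
    return is_fixed(status, fixed_version)


# dpkg --status output as pasted in the comment above, abridged to the relevant fields.
PAGE_STATUS = """\
Package: openssl
Status: install ok installed
Version: 1.0.1t-1+deb8u5
Depends: libc6 (>= 2.15), libssl1.0.0 (>= 1.0.1k-3+deb8u3)
Conffiles:
 /etc/ssl/openssl.cnf 7df26c55291b33344dc15e3935dabaf3
Description: Secure Sockets Layer toolkit - cryptographic utility
 This package is part of the OpenSSL project's implementation of the SSL
"""

# Constructed sample of a stale image: same package, an older revision (assumed value).
STALE_STATUS = PAGE_STATUS.replace("1.0.1t-1+deb8u5", "1.0.1k-3+deb8u4")

# The version the maintainer's pull showed, used here as the minimum acceptable one.
FIXED_OPENSSL = "1.0.1t-1+deb8u5"

if __name__ == "__main__":
    for name, status in (("page", PAGE_STATUS), ("stale", STALE_STATUS)):
        verdict = "fixed" if is_fixed(status, FIXED_OPENSSL) else "STALE"
        print(name, installed_version(status), verdict)
```

Whether an image you build picks up the fixed package depends on what `FROM` resolved to on your host at build time; `docker build --pull` forces a fresh pull of the base image before building, which is the simplest way to rule out a stale local copy.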
Oh good, that's reassuring that the official python is up-to-date... a bit worrying, though, that it is so easy for me to have stale base images.
It seems that a Dockerfile used to build an image `FROM python:3.5` (i.e. `python:latest`) will be using a debian image with a vulnerable `openssl`. I don't understand precisely why, as an image I built yesterday `FROM debian:jessie` uses the more recent `openssl`, but an image I built today `FROM python:3.5` seems to use an older one.

```
python:3.5 -> buildpack-deps:jessie -> buildpack-deps:jessie-scm -> buildpack-deps:jessie-curl -> debian:jessie
```

Is an outdated upstream `debian:jessie` image being inadvertently cached perhaps? This arose from a vulnerability warning I received from a `python:3.5`-based image I pushed to my registry at IBM Bluemix Containers.