
CVE-2021-45960 vulnerability in python 3.9-slim #699

Closed
roryjbd opened this issue Feb 15, 2022 · 6 comments

Comments

@roryjbd

roryjbd commented Feb 15, 2022

Images with python 3.9-slim (dfcf03d7f1eb) have a version of expat (2.2.10) that is identified as a critical vulnerability when scanned with GCP On Demand Scanning API.

@gabsima-optel

This also affects

  • 3.8-slim-buster
  • 3.8-buster
  • 3.8-bullseye
  • 3.8-slim

@emojean1

Same here, in python:3.8-slim, identified by the GCP On Demand API.
Here are more details from the GCP output:

Information
Debian
CVE-2021-45960

Details
Version: 2.2.10 2
Affected location: cpe:/o:debian:debian_linux:11
Package: expat
Package type: OS
Long description: NIST vectors: AV:N/AC:L/Au:S/C:C/I:C/A:C
Effective Severity: Critical
CVSS: 9

Fixed in : 2.2.10 2+deb11u1

@emojean1

@roryjbd
this progress might interest you
3.8 -> python/cpython#31297
3.9 -> python/cpython#31295

@yosifkit
Member

Background:

Tags in the [official-images] library file[s] are only built through an update to that library file or as a result of its base image being updated (ie, an image FROM debian:buster would be rebuilt when debian:buster is built).

- https://github.com/docker-library/official-images/tree/2f086314307c04e1de77f0a515f20671e60d40bb#library-definition-files

Official Images FAQ:

Though not every CVE is removed from the images, we take CVEs seriously and try to ensure that images contain the most up-to-date packages available within a reasonable time frame

- https://github.com/docker-library/faq/tree/6138d05aabf61563606d86f98d0ccbd99f162b33#why-does-my-security-scanner-show-that-an-image-has-cves

Although an updated package is now available in Debian, since our build system makes heavy use of Docker build cache, just rebuilding all of the Dockerfiles won't cause any change. So we rely on periodic base image updates.

We strive to publish updated images at least monthly for Debian and Ubuntu. We also rebuild earlier if there is a critical security need. Many Official Images are maintained by the community or their respective upstream projects, like Alpine and Oracle Linux, and are subject to their own maintenance schedule.

- from the same FAQ link

The last Debian update was docker-library/official-images#11739 (21 days ago), so the next one is not due for about 9 days. So the Debian-based python images will get a rebuild then. If you "need" updates earlier, you can always apt-get update && apt-get upgrade -y in your image, but the python images will probably be updated within about 2 weeks.

@roryjbd
Author

roryjbd commented Feb 16, 2022

Thanks, running apt-get update && apt-get upgrade -y updates libexpat and allows the image to pass the scanning step.

@tianon
Member

tianon commented Mar 1, 2022

Fixed via docker-library/official-images#11942
