-
Notifications
You must be signed in to change notification settings - Fork 336
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
All official ruby images contain critical security issues #117
Comments
are there plans to fix this? |
The discussion about the We just ran a quick scan with |
If the exploits have been made public, then it means the fixes have also been made public. These images should compile the affected packages from source, with patches applied if necessary in order to get versions of the packages that do not have known security flaws. Waiting for Debian to add the updated packages to their repository is irresponsible. |
@mrfelton there are a lot of assumptions baked into your statement. In particular, you're assuming that just because the exploits have been made public that fixes have also been made public. There's no guarantee that that's true and you seem to just be making a blanket statement. Beyond that, you're also assuming that these fixes exist in the form of ready-made patches that could easily be applied. If this were the case, then pushing Debian to include those patches would be the more responsible thing to do. If that's not the case, then there is a significant risk that comes with the Docker official image maintainers attempting to adapt any possible fixes themselves to software with which they are likely not familiar. |
@md5 my bad, I should have been more clear in my statement, which was meant to suggest that where there are known fixes for known exploits these should be incorporated where possible.
I know for example that there are fixes available for many of the affected packages either in Edge (for Alpine), or upstream in the project's latest official release or github master branches.
That's a fair point, although since these docker images are listed as 'official' it still seems wrong to be making them available with known vulnerabilities where fixes are readily available. The Debian, Alpine, or maintainers of other distributions have their own priorities and I suspect that in many cases it would serve the users of these docker images better to be proactive and not wait for those teams to get their act together in order to patch security holes. |
Changed Nagel to Hough. Fixes docker-library#117 Closes docker-library#117 See merge request static-websites/techrangers-website!135
See https://hub.docker.com/r/library/ruby/tags/
The text was updated successfully, but these errors were encountered: