Vulnerabilities in git <2.17.1 #772

Closed
stouf opened this issue Jun 1, 2018 · 4 comments

Comments

@stouf

stouf commented Jun 1, 2018

NPM has reported being affected by a vulnerability in git's submodules and advised to run npm with git >= 2.17.1.
The node:10.3.0 image has git v2.1.4 installed on it.
I tried to install the latest version of git in my own Dockerfile, following the instructions given by git for the Debian distros, but it doesn't seem to work (I get a 404 HTTP status when running apt-get update; it seems there is no support for Debian on that mirror? 😕)

As users of this image, are there any recommended actions we can take to assure the security of what we run in containers based on this image?

@chorrell
Contributor

chorrell commented Jun 1, 2018

I would check your docker setup, specifically the networking, because apt-get update should work.

For instance, running this locally worked for me:

docker run -it --rm node:10.3.0 bash -c "/usr/bin/apt-get update && /usr/bin/apt-get install git -y"

@stouf
Author

stouf commented Jun 1, 2018

@chorrell Thank you for your reply.
I'm sorry if my message was unclear but I was referring to running apt-get update after following the instructions given by git. So basically:

apt-get update # This one works ok
apt-get install software-properties-common # To get the add-apt-repository command
add-apt-repository ppa:git-core/ppa
apt-get update # This is the one failing.

It fails because it tries to fetch information from a mirror that doesn't exist.
Others ran into that wall, here for example; I tried the solution brought up by that person, but it doesn't work for me because of some dependencies that could not be met.

Regardless, since that vulnerability has been publicly reported by NPM, I think it would be reasonable to expect this image to be built with a version of git that does not contain any known vulnerabilities. I'm wondering what you all think about it?

@chorrell
Contributor

chorrell commented Jun 1, 2018

Ah, ok. I guess they don't provide a ppa for debian jessie.

One thing to note though is that Debian has released a security update to address the submodule issue for git 2.1.4 via the 1:2.1.4-2.1+deb8u6 package:

Most distros release security patches for an existing version so in the case of Debian jessie you don't need to upgrade to 2.17.1.

The following will update git to the patched 1:2.1.4-2.1+deb8u6 package:

apt-get update && apt-get install git -y

Git is installed in the buildpack-deps:jessie image which is what our default node image is based on. We rely on upstream to update the base image to pull in security updates. They update the base images periodically -- typically monthly, see docker-library/buildpack-deps#46 (comment) -- but I don't know when they plan to roll out the next update.
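The point made above, that a distro backports the fix into the existing 2.1.4 package, means that checking `git --version` against 2.17.1 would wrongly flag a patched jessie image. The following added example (not code from this project or from either commenter) checks the dpkg package version instead. It assumes the patched package name given in the thread, 1:2.1.4-2.1+deb8u6, as the threshold, and uses a constructed stand-in for `dpkg -s git` output so it runs offline; the function names are my own.

```shell
#!/bin/sh
# Added example (not from the node image project): check whether the git
# package inside a Debian-based image is at or above a patched package
# revision, comparing the dpkg version string rather than the upstream
# version that `git --version` reports. PATCHED is the jessie package named
# in the thread; SAMPLE_DPKG_STATUS is constructed for offline use.

PATCHED='1:2.1.4-2.1+deb8u6'

# Constructed stand-in for `dpkg -s git` output inside a node:10.3.0 container.
SAMPLE_DPKG_STATUS='Package: git
Status: install ok installed
Version: 1:2.1.4-2.1+deb8u6
Architecture: amd64'

# Strip the epoch and the Debian revision, leaving the upstream version,
# which is all that `git --version` shows (1:2.1.4-2.1+deb8u6 -> 2.1.4).
upstream_version() {
    v=${1#*:}
    printf '%s\n' "${v%%-*}"
}

# deb_version_ge A B: succeed (return 0) when Debian version A >= B.
# A missing epoch counts as 0. Every run of digits is compared numerically
# from left to right, so "2.1+deb8u6" is seen as 2 1 8 6. This is a
# simplification of dpkg's ordering (which also ranks letters and '~');
# on a live system use `dpkg --compare-versions A ge B` for the real thing.
deb_version_ge() {
    a=$1; b=$2
    case $a in *:*) ;; *) a="0:$a" ;; esac
    case $b in *:*) ;; *) b="0:$b" ;; esac
    a=$(printf '%s' "$a" | tr -c '0-9' ' ' | tr -s ' ')
    b=$(printf '%s' "$b" | tr -c '0-9' ' ' | tr -s ' ')
    while [ -n "$a" ] || [ -n "$b" ]; do
        ah=${a%% *}; a=${a#"$ah"}; a=${a# }
        bh=${b%% *}; b=${b#"$bh"}; b=${b# }
        if [ "${ah:-0}" -gt "${bh:-0}" ]; then return 0; fi
        if [ "${ah:-0}" -lt "${bh:-0}" ]; then return 1; fi
    done
    return 0
}

# check_git_package STATUS_TEXT: read the Version: field from dpkg -s style
# output, print "patched" or "vulnerable", and return 0 or 1 accordingly.
check_git_package() {
    installed=$(printf '%s\n' "$1" | sed -n 's/^Version: *//p')
    if deb_version_ge "$installed" "$PATCHED"; then
        printf 'patched\n'
        return 0
    fi
    printf 'vulnerable\n'
    return 1
}

# Demonstration on the constructed sample. In a real container, feed the
# function the output of: dpkg-query -W -f='Version: ${Version}\n' git
echo "upstream version of the patched package: $(upstream_version "$PATCHED")"
if check_git_package "$SAMPLE_DPKG_STATUS" >/dev/null; then
    echo "git package is at or above $PATCHED"
else
    echo "git package is older than $PATCHED: run apt-get update && apt-get install git -y"
fi
```

Note that `deb_version_ge "2.17.1" "$PATCHED"` is false: a git built from source with no epoch sorts below the 1: epoch of the Debian package, which is also why apt would not consider such a build an upgrade of the distro package. The two checks (upstream version vs. package revision) answer different questions, and only the package revision tells you whether the distro's backported fix is present.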

@stouf
Author

stouf commented Jun 1, 2018

Ah, thank you for those references. I tried and confirmed that 1:2.1.4-2.1+deb8u6 is currently available.

Also, thank you for the details about upstream. I guess it answers my question, so I'm going to close this issue 🙂
Thank you!

@stouf stouf closed this as completed Jun 1, 2018