
Critical CVE in distroless python3 #1003

Open
stjasink opened this issue Mar 30, 2022 · 2 comments

Comments

@stjasink

stjasink commented Mar 30, 2022

The version of python included in the distroless python3 image is 3.9.2 which is quite old now and contains a critical CVE. Reported by a trivy scan:

2022-03-30T13:58:56.875+0100	INFO	Detected OS: debian
2022-03-30T13:58:56.875+0100	INFO	Detecting Debian vulnerabilities...
2022-03-30T13:58:56.884+0100	INFO	Number of language-specific files: 0

gcr.io/distroless/python3-debian11:latest (debian 11.3)
=======================================================
Total: 1 (CRITICAL: 1)

+----------------------+------------------+----------+-------------------+---------------+---------------------------------------+
|       LIBRARY        | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION |                 TITLE                 |
+----------------------+------------------+----------+-------------------+---------------+---------------------------------------+
| libpython3.9-minimal | CVE-2021-29921   | CRITICAL | 3.9.2-1           |               | python-ipaddress: Improper input      |
|                      |                  |          |                   |               | validation of octal strings           |
|                      |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-29921 |
+----------------------+------------------+----------+-------------------+---------------+---------------------------------------+

This is fixed in Python 3.9.5 and later: https://nvd.nist.gov/vuln/detail/CVE-2021-29921

Could the version of Python in the distroless-python3 image be updated please?
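The trivy finding above names CVE-2021-29921, in which the ipaddress module accepted IPv4 octets with leading zeros (parsing "010" as decimal 10 while other parsers treat it as octal). The snippet below is an added example, not code from the issue or from the distroless project: a probe that reports whether the running interpreter carries the fix, plus a strict dotted-quad validator an application can apply in front of ipaddress so that non-canonical literals are rejected even on an unpatched runtime such as the 3.9.2 shipped in the image. The function names and the constructed sample inputs are mine.

```python
import ipaddress
import re

# One decimal octet 0-255 with no leading zero (a bare "0" is allowed).
# [0-9] plus re.ASCII keeps Unicode digit classes out of the match.
_OCTET = r"(?:25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])"
_STRICT_IPV4 = re.compile(rf"^{_OCTET}(?:\.{_OCTET}){{3}}$", re.ASCII)


def interpreter_rejects_leading_zeros() -> bool:
    """Return True if this interpreter's ipaddress module refuses a
    leading-zero octet, i.e. it includes the CVE-2021-29921 fix
    (Python 3.9.5 and later). On an unpatched runtime the literal is
    silently accepted as 10.8.8.8 and this returns False."""
    try:
        ipaddress.IPv4Address("010.8.8.8")  # constructed probe value
    except ValueError:
        return True
    return False


def is_canonical_ipv4(text: str) -> bool:
    """True only for a canonical dotted quad: four decimal octets,
    each 0-255, none with a leading zero."""
    return _STRICT_IPV4.match(text) is not None


def parse_ipv4_strict(text: str) -> ipaddress.IPv4Address:
    """Parse an IPv4 literal from untrusted input, rejecting any form
    that different parsers might interpret differently. The regex
    gate does the work; ipaddress then builds the address object."""
    if not is_canonical_ipv4(text):
        raise ValueError(f"rejected non-canonical IPv4 literal: {text!r}")
    return ipaddress.IPv4Address(text)


def classify(samples: list[str]) -> dict[str, str]:
    """Run the strict parser over constructed sample inputs and record
    whether each was accepted or rejected."""
    verdicts: dict[str, str] = {}
    for s in samples:
        try:
            verdicts[s] = f"accepted as {parse_ipv4_strict(s)}"
        except ValueError as exc:
            verdicts[s] = f"rejected ({exc})"
    return verdicts


if __name__ == "__main__":
    print("ipaddress rejects leading zeros:", interpreter_rejects_leading_zeros())
    # Constructed sample inputs mixing canonical and non-canonical forms.
    for literal, verdict in classify(
        ["10.8.8.8", "010.8.8.8", "0.0.0.0", "00.0.0.0", "256.1.1.1", "1.2.3"]
    ).items():
        print(f"{literal:>12}: {verdict}")
```

Running the probe on the image's interpreter is a quick way to confirm the scanner's verdict independently of the Debian package version string; the strict validator is the application-level mitigation to keep until the base image carries a fixed libpython.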

@stjasink stjasink changed the title Critical CVE in distroless-python3 Critical CVE in distroless python3 Mar 30, 2022
@loosebazooka (Member)

There doesn't appear to be a fixed version in debian upstream. A fix will be applied when it is available.

@stjasink (Author)

Ah thanks. I should have realised that from the "FIXED VERSION" box being empty in the trivy report rather than just checking later versions elsewhere.
