[Security]: Trivy reports several low-level CVE's from the base linux images #275
Comments
This is related to #267. Since those Low CVEs are in the base image we consume, there will be some framework we'll adhere to in terms of container health. What it will be remains to be seen.
Now it also has critical vulnerabilities for CVE-2022-40674.
Vote up to fix CVE-2022-40674
These are being respun by DockerHub folks at DockerHub.
Upvote for this issue: Temurin images based on Ubuntu Jammy are now also vulnerable to OpenSSL 3.0 high-severity vulnerabilities: CVE-2022-3602 and CVE-2022-3786 💣 (USN-5710-1)
To follow up, I just noticed that the latest images (8, 11 and 17) were rebuilt yesterday and are no longer vulnerable to the vulnerabilities mentioned here (including the OpenSSL ones). I think we can close this issue 🎉.
Please add the exact image (with tag) that you are using
eclipse-temurin:8u345-b01-jre
Please add the version of Docker you are running
Docker Desktop 4.12.0 (85629)
What happened?
I'm using the Trivy vulnerability scanner extension to check my images and I notice it reports several low-prio CVEs for things such as curl, login, tar, ncurses, passwd. curl is reported as coming from 7.81.0-1ubuntu1.3 and fixed in 7.81.0-1ubuntu1.4, whilst the others don't list any fixes available.

I understand curl is being removed in an upcoming release, but I'm curious as to the others, and if they're documented anywhere?

Relevant log output
No response
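
The split the report describes (curl has a fixed package version, the other packages list none) can be pulled out of Trivy's JSON report mechanically. The following is an added example, not part of the original issue or of the project's code; the sample report is constructed, its CVE ids and non-curl versions are placeholders, and the function name `triage` is hypothetical.

```python
import json

# Constructed sample shaped like `trivy image --format json` output. The CVE
# ids and the non-curl versions are placeholders, not real scan results.
def _vuln(n, pkg, installed, fixed=None):
    v = {"VulnerabilityID": f"CVE-PLACEHOLDER-{n}", "PkgName": pkg,
         "InstalledVersion": installed, "Severity": "LOW"}
    if fixed:                      # no fix: the field is absent or empty
        v["FixedVersion"] = fixed
    return v

SAMPLE_REPORT = json.dumps({"Results": [
    {"Target": "eclipse-temurin:8u345-b01-jre", "Vulnerabilities": [
        _vuln(1, "tar", "0.0-placeholder"),
        _vuln(2, "curl", "7.81.0-1ubuntu1.3", "7.81.0-1ubuntu1.4"),
        _vuln(3, "passwd", "0.0-placeholder"),
        _vuln(4, "login", "0.0-placeholder"),
        _vuln(5, "ncurses", "0.0-placeholder"),
    ]},
    {"Target": "Java"},            # a result with no findings has no list
]})

SEVERITY_RANK = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2, "LOW": 3}

def triage(report_text):
    """Split findings into 'fixable' (a fixed package version is published,
    so a rebuilt or upgraded image clears it) and 'unfixed' (nothing to
    upgrade to yet)."""
    groups = {"fixable": [], "unfixed": []}
    for result in json.loads(report_text).get("Results") or []:
        for v in result.get("Vulnerabilities") or []:
            row = {"id": v["VulnerabilityID"], "pkg": v["PkgName"],
                   "installed": v.get("InstalledVersion", ""),
                   "fixed": v.get("FixedVersion", ""),
                   "severity": v.get("Severity", "UNKNOWN")}
            groups["fixable" if row["fixed"] else "unfixed"].append(row)
    for rows in groups.values():   # worst severity first, then package name
        rows.sort(key=lambda r: (SEVERITY_RANK.get(r["severity"], 4), r["pkg"]))
    return groups

if __name__ == "__main__":
    for name, rows in triage(SAMPLE_REPORT).items():
        print(name)
        for r in rows:
            print(f"  {r['severity']:8} {r['pkg']:8} {r['installed']} -> "
                  f"{r['fixed'] or 'no fix published'}")
```

Trivy's `--ignore-unfixed` flag hides the second group at scan time; keeping both groups in a report like this makes it visible which findings a base-image rebuild would clear.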