[bitnami/nginx] Security Vulnerabilities #7297
Comments
divya-kp-nair
added
the
tech-issues
fmulero
changed the title
|
Hi @divya-kp-nair, We use the latest release of You can check here a list of Go CVEs that do not apply to gosu, which includes all the CVEs in the above list: tianon/gosu#104 We regularly report any new vulnerability found to ensure it does not apply to |
|
This Issue has been automatically marked as "stale" because it has not had recent activity (for 15 days). It will be closed if no further activity occurs. Thanks for the feedback. |
|
Due to the lack of activity in the last 5 days since it was marked as "stale", we proceed to close this Issue. Do not hesitate to reopen it later if necessary. |
|
Hi, we are glad to announce that we got rid of $ trivy image --ignore-unfixed bitnami/postgresql:15.2.0-debian-11-r22
bitnami/postgresql:15.2.0-debian-11-r22 (debian 11.6)
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
opt/bitnami/common/bin/gosu (gobinary)
Total: 3 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 2, CRITICAL: 0)
┌────────────────────────────────┬────────────────┬──────────┬───────────────────┬───────────────┬────────────────────────────────────────────────────────────┐
│ Library │ Vulnerability │ Severity │ Installed Version │ Fixed Version │ Title │
├────────────────────────────────┼────────────────┼──────────┼───────────────────┼───────────────┼────────────────────────────────────────────────────────────┤
│ github.com/opencontainers/runc │ CVE-2022-29162 │ HIGH │ v1.1.0 │ v1.1.2 │ runc: incorrect handling of inheritable capabilities │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2022-29162 │
│ ├────────────────┤ │ ├───────────────┼────────────────────────────────────────────────────────────┤
│ │ CVE-2023-27561 │ │ │ v1.1.5 │ runc: volume mount race condition (regression of │
│ │ │ │ │ │ CVE-2019-19921) │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2023-27561 │
│ ├────────────────┼──────────┤ ├───────────────┼────────────────────────────────────────────────────────────┤
│ │ CVE-2022-24769 │ MEDIUM │ │ v1.1.2 │ moby: Default inheritable capabilities for linux container │
│ │ │ │ │ │ should be empty │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2022-24769 │
└────────────────────────────────┴────────────────┴──────────┴───────────────────┴───────────────┴────────────────────────────────────────────────────────────┘
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)VS $ trivy image --ignore-unfixed bitnami/postgresql:15.2.0-debian-11-r23
bitnami/postgresql:15.2.0-debian-11-r23 (debian 11.6)
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)From now on, |
Name and Version
bitnami/nginx:1.22.0-debian-11-r40
What steps will reproduce the bug?
Vulnerabilities are listed by Prismascan (Twistlock) tool
What is the expected behavior?
No critical vulnerabilities expected
What do you see instead?
Additional information
All vulnerabilities are related to go package with version 1.16.7 which I think comes from the gosu version installed via Dockerfile https://github.com/bitnami/containers/blob/main/bitnami/nginx/1.22/debian-11/Dockerfile#L39
Would it be possible to update the go package please?
The text was updated successfully, but these errors were encountered: