Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Docker: Updates dependencies to remove vulnerabilities #53

Merged
merged 1 commit into from
Nov 18, 2019
Merged

Docker: Updates dependencies to remove vulnerabilities #53

merged 1 commit into from
Nov 18, 2019

Conversation

marefr
Copy link
Member

@marefr marefr commented Nov 18, 2019

Before update:

> docker run --rm -v $HOME/.cache:/root/.cache/ aquasec/trivy --clear-cache grafana/grafana-image-renderer:latest                                                                                                                             
2019-11-18T22:24:46.663Z        INFO    Removing image caches...                                                                                                                                                                              
2019-11-18T22:24:46.668Z        INFO    Updating vulnerability database...                                                                                                                                                                    
2019-11-18T22:25:04.827Z        INFO    Detecting Alpine vulnerabilities...                                                                                                                                                                   
2019-11-18T22:25:04.834Z        INFO    Updating yarn Security DB...                                                                                                                                                                          
2019-11-18T22:25:06.067Z        INFO    Detecting yarn vulnerabilities...                                                                                                                                                                     

grafana/grafana-image-renderer:latest (alpine 3.9.4)
====================================================
Total: 12 (UNKNOWN: 0, LOW: 2, MEDIUM: 6, HIGH: 4, CRITICAL: 0)

+----------+------------------+----------+-------------------+---------------+--------------------------------+
| LIBRARY  | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION |             TITLE              |
+----------+------------------+----------+-------------------+---------------+--------------------------------+
| curl     | CVE-2019-5482    | HIGH     | 7.64.0-r2         | 7.64.0-r3     | curl: heap buffer overflow in  |
|          |                  |          |                   |               | function tftp_receive_packet() |
+          +------------------+          +                   +               +--------------------------------+
|          | CVE-2019-5481    |          |                   |               | curl: double free due to       |
|          |                  |          |                   |               | subsequent call of realloc()   |
+----------+------------------+----------+-------------------+---------------+--------------------------------+
| expat    | CVE-2019-15903   | MEDIUM   | 2.2.7-r0          | 2.2.7-r1      | expat: heap-based buffer       |
|          |                  |          |                   |               | over-read via crafted XML      |
|          |                  |          |                   |               | input                          |
+----------+------------------+          +-------------------+---------------+--------------------------------+
| libxslt  | CVE-2019-18197   |          | 1.1.33-r1         | 1.1.33-r2     | libxslt: use after             |
|          |                  |          |                   |               | free in xsltCopyText in        |
|          |                  |          |                   |               | transform.c leads to password  |
|          |                  |          |                   |               | disclosure...                  |
+----------+------------------+----------+-------------------+---------------+--------------------------------+
| nghttp2  | CVE-2019-9511    | HIGH     | 1.35.1-r0         | 1.35.1-r1     | HTTP/2: large amount of data   |
|          |                  |          |                   |               | requests leads to denial of    |
|          |                  |          |                   |               | service                        |
+          +------------------+          +                   +               +--------------------------------+
|          | CVE-2019-9513    |          |                   |               | HTTP/2: flood using PRIORITY   |
|          |                  |          |                   |               | frames results in excessive    |
|          |                  |          |                   |               | resource consumption           |
+----------+------------------+----------+-------------------+---------------+--------------------------------+
| openldap | CVE-2019-13565   | MEDIUM   | 2.4.47-r2         | 2.4.48-r0     | openldap: ACL restrictions     |
|          |                  |          |                   |               | bypass due to sasl_ssf value   |
|          |                  |          |                   |               | being set permanently          |
+          +------------------+----------+                   +               +--------------------------------+
|          | CVE-2019-13057   | LOW      |                   |               | openldap: Information          |
|          |                  |          |                   |               | disclosure issue in slapd      |
|          |                  |          |                   |               | component                      |
+----------+------------------+----------+-------------------+---------------+--------------------------------+
| openssl  | CVE-2019-1549    | MEDIUM   | 1.1.1c-r1         | 1.1.1d-r0     | openssl: information           |
|          |                  |          |                   |               | disclosure in fork()           |
+          +------------------+          +                   +               +--------------------------------+
|          | CVE-2019-1563    |          |                   |               | openssl: information           |
|          |                  |          |                   |               | disclosure in PKCS7_dataDecode |
|          |                  |          |                   |               | and CMS_decrypt_set1_pkey      |
+          +------------------+----------+                   +               +--------------------------------+
|          | CVE-2019-1547    | LOW      |                   |               | openssl: side-channel weak     |
|          |                  |          |                   |               | encryption vulnerability       |
+----------+------------------+----------+-------------------+---------------+--------------------------------+
| tiff     | CVE-2019-10927   | MEDIUM   | 4.0.10-r1         | 4.0.10-r2     | A vulnerability has been       |
|          |                  |          |                   |               | identified in SCALANCE SC-600  |
|          |                  |          |                   |               | (V2.0), SCALANCE XB-200        |
|          |                  |          |                   |               | (V4.1),...                     |
+----------+------------------+----------+-------------------+---------------+--------------------------------+

After update:

> docker run --rm -v /var/run/docker.sock:/var/run/docker.sock -v $HOME/.cache:/root/.cache/ aquasec/trivy --clear-cache grafana/grafana-image-renderer:dev                                   
2019-11-18T22:15:10.200Z        INFO    Removing image caches...                                                                                                                              
2019-11-18T22:15:10.262Z        INFO    Updating vulnerability database...                                                                                                                    
2019-11-18T22:15:18.926Z        INFO    Detecting Alpine vulnerabilities...                                                                                                                   
                                                                                                                                                                                              
grafana/grafana-image-renderer:dev (alpine 3.9.4)                                                                                                                                             
=================================================                                                                                                                                             
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

@marefr marefr changed the title Docker: Updates dependencies remove vulnerabilities Docker: Updates dependencies to remove vulnerabilities Nov 18, 2019
@marefr marefr merged commit fc239d0 into master Nov 18, 2019
@marefr marefr deleted the docker_update branch November 18, 2019 22:29
@mattes
Copy link

mattes commented Nov 20, 2019

What's nghttp2 and openldap being used for in this container? Why not just remove it?

@marefr
Copy link
Member Author

marefr commented Nov 21, 2019

@mattes good question. Thought they were builtin to Alpine 3.10, but will investigate.

@marefr marefr mentioned this pull request Nov 21, 2019
Merged
marefr added a commit that referenced this pull request Nov 21, 2019
@marefr
Docker: Fix Dockerfile (#55)
f468848 
Based on #53 (comment) cleaning up the Dockerfile.
@jeteon jeteon mentioned this pull request Dec 11, 2019
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@marefr @mattes