curl is vulnerable in the latest alpine docker image #1302

goffinf · 2019-11-06T17:54:33Z

Docker image version: hashicorp/consul-template:0.22.0-alpine

Show vulnerabilities in curl to 2 CVEs (see below).

Any chance of a rebuild and publish to DockerHub to pick up the latest curl version from apk ?

Resource:
curl
Description:
Double-free vulnerability in the FTP-kerberos code in cURL 7.52.0 to 7.65.3.
Fix Version:
None
Aqua Score:
7.5 High
NVD Score (CVSS v2)
7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
NVD Reference:
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-5481
Vendor Score (CVSS v2)
7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)

Resource
curl
Description:
Heap buffer overflow in the TFTP protocol handler in cURL 7.19.4 to 7.65.3.
Fix Version:
None
Aqua Score:
7.5 High
NVD Score (CVSS v2)
7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
NVD Reference:
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-5482
Vendor Score (CVSS v2)
7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)

The text was updated successfully, but these errors were encountered:

eikenb · 2019-11-08T20:45:46Z

Just released 0.22.1, which fixes this.

eikenb added bug security Security related issue labels Nov 6, 2019

eikenb added this to the 0.22.1 milestone Nov 8, 2019

eikenb closed this as completed Nov 8, 2019

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

curl is vulnerable in the latest alpine docker image #1302

curl is vulnerable in the latest alpine docker image #1302

goffinf commented Nov 6, 2019

eikenb commented Nov 8, 2019

curl is vulnerable in the latest alpine docker image #1302

curl is vulnerable in the latest alpine docker image #1302

Comments

goffinf commented Nov 6, 2019

eikenb commented Nov 8, 2019