Base image of Dockerfile python:3.8.7-alpine3.12 contains vulnerable libraries #2466
Comments
Pull Request 2467 submitted with updated python base image. mkdocs build and mkdocs gh-deploy validated.
That's not really an exploit that can be taken advantage of with this image, especially in how it's used afaik? (which runs as root user anyway..)
Fixed in 56e8162:
-FROM python:3.8.7-alpine3.12
+FROM python:3.9.2-alpine3.13
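Review bot: the base-image bump from python:3.8.7-alpine3.12 to python:3.9.2-alpine3.13 is presented as the fix, but the hunk gives no evidence of which openssh version the new image carries, and the thread itself notes that CVE-2021-28041 is fixed in openssh 8.5 rather than in any particular Alpine release. Before closing the issue on the strength of this change, record the openssh version actually installed in the rebuilt image (for example from `apk list --installed | grep openssh` inside the container) in the commit or a follow-up comment; if it is still an 8.3_p1 build, the change is a version refresh but not a fix for the reported CVE.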
Released as part of 7.0.7.
@squidfunk The "fix available" label doesn't really apply to this issue? The image was updated, but that didn't update to a newer package of openssh 8.5, did it? I provided details in the related PR but received no response. Technically, if this vulnerability is a concern (it doesn't appear to be practical imo) and the package isn't able to be updated with the fix, this issue shouldn't be closed?
In #2467 (comment) you wrote:
... which is why I went ahead and just updated the base image, as this was what was done in the PR. Thus I'm seeing this issue as resolved, which is indicated by the "fix available" label. If there is still an issue with OpenSSH, please open another pull request, and we can fix it.
The issue is still there until updating to openssh 8.5 AFAIK, which you'll have to wait for to arrive in a newer version of Alpine. As quoted, I don't see it being practical to carry out such an attack given the exploit description and how this image is used. That doesn't mean it's not possible, I just don't think it's likely to be an actual problem.
I've found a bug and checked that ...
Description
Docker image is currently based on python:3.8.7-alpine3.12 which contains outdated packages such as openssh 8.3_p1-r1 which suffers from CVE-2021-28041.
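The disagreement in this thread is about whether a base-image bump actually moved the installed openssh package past the version that fixes CVE-2021-28041. The check that settles it is to read the package list out of the rebuilt image and compare Alpine-style version strings, which are not plain dotted numbers (`8.3_p1-r1` has a `_p` patch suffix and an `-r` package release). The following is an added example, not code from this issue or from the mkdocs-material project: it parses lines in the format that `apk list --installed` prints inside an Alpine container and flags packages below a minimum fixed version. The sample package list is constructed for the example, and the fixed version `8.5_p1-r0` is an assumption based only on the thread's statement that the fix arrives with openssh 8.5; the real apk version string should be taken from the Alpine package database.

```python
"""Compare Alpine apk package versions against a minimum fixed version.

Added example for issue #2466 (not project code). It assumes the line format
produced by `apk list --installed`, e.g.
    openssh-8.3_p1-r1 x86_64 {openssh} (BSD) [installed]
and implements a simplified apk version ordering:
    numbers[.numbers...][letter][_suffixN][-rN]
where the suffix ranks alpha < beta < pre < rc < (none) < p.
"""
import re
from typing import Dict, List, Tuple

# Rank of the optional _suffix; a missing suffix sorts between rc and p,
# matching apk-tools (8.5_rc1 < 8.5 < 8.5_p1).
_SUFFIX_RANK = {"alpha": -4, "beta": -3, "pre": -2, "rc": -1, None: 0, "p": 1}

_VERSION_RE = re.compile(
    r"^(?P<nums>\d+(?:\.\d+)*)"
    r"(?P<letter>[a-z])?"
    r"(?:_(?P<suffix>alpha|beta|pre|rc|p)(?P<suffixnum>\d*))?"
    r"(?:-r(?P<rel>\d+))?$"
)

# Package name is everything up to the first '-' that is followed by a digit.
_APK_LIST_RE = re.compile(r"^(?P<name>[a-z0-9][a-z0-9+._-]*?)-(?P<ver>\d\S*)(?:\s|$)")

VersionKey = Tuple[Tuple[int, ...], int, int, int, int]


def parse_apk_version(ver: str) -> VersionKey:
    """Turn an apk version string into a tuple that orders correctly."""
    m = _VERSION_RE.match(ver)
    if not m:
        raise ValueError(f"unrecognised apk version: {ver!r}")
    nums = tuple(int(x) for x in m.group("nums").split("."))
    letter = ord(m.group("letter")) if m.group("letter") else 0  # 1.1.1j > 1.1.1i
    suffix_rank = _SUFFIX_RANK[m.group("suffix")]
    suffix_num = int(m.group("suffixnum") or 0)
    rel = int(m.group("rel") or 0)
    return nums, letter, suffix_rank, suffix_num, rel


def parse_apk_list(output: str) -> Dict[str, str]:
    """Map package name -> version from `apk list --installed` output lines."""
    installed: Dict[str, str] = {}
    for line in output.splitlines():
        m = _APK_LIST_RE.match(line.strip())
        if m:  # lines that are not package entries (warnings etc.) are skipped
            installed[m.group("name")] = m.group("ver")
    return installed


def find_vulnerable(installed: Dict[str, str], fixed_in: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (package, installed_version, fixed_version) for every package
    that is present and older than the version in `fixed_in`."""
    findings = []
    for pkg, fixed_ver in fixed_in.items():
        cur = installed.get(pkg)
        if cur is None:
            continue  # package not in the image: nothing to compare
        if parse_apk_version(cur) < parse_apk_version(fixed_ver):
            findings.append((pkg, cur, fixed_ver))
    return findings


# Constructed sample output; the openssh version is the one named in the issue.
SAMPLE_APK_LIST = """\
openssh-8.3_p1-r1 x86_64 {openssh} (BSD) [installed]
openssh-client-8.3_p1-r1 x86_64 {openssh} (BSD) [installed]
musl-1.1.24-r10 x86_64 {musl} (MIT) [installed]
libssl1.1-1.1.1j-r0 x86_64 {openssl} (OpenSSL) [installed]
"""

# Assumption: the thread says the fix lands in openssh 8.5; the exact apk
# version string of the fixed package is not given on the page.
FIXED_IN = {"openssh": "8.5_p1-r0", "openssh-client": "8.5_p1-r0"}


if __name__ == "__main__":
    # In practice feed this from:
    #   docker run --rm python:3.9.2-alpine3.13 apk list --installed
    for pkg, cur, fixed in find_vulnerable(parse_apk_list(SAMPLE_APK_LIST), FIXED_IN):
        print(f"{pkg}: installed {cur} < fixed {fixed}")
```

Run against the real image output rather than the constructed sample to answer the question the thread leaves open: if `openssh` still parses to something below the fixed version, the image bump did not address the CVE regardless of the Alpine release it is built on.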