
Vulnerability: CVE-2021-3973, Vim #1408

Closed
Tracked by #1409
lsloan opened this issue Aug 26, 2022 · 3 comments · Fixed by #1412

Comments

@lsloan (Member)

lsloan commented Aug 26, 2022

From vulnerabilities spreadsheet, based on Unizin analysis:

| CVE ID | Effective Severity | Severity | Impacted Image | Vulnerable Package | Remediated Package | URL |
|---|---|---|---|---|---|---|
| CVE-2021-3973 | CRITICAL | CRITICAL | gcr.io/unizin-core/myla:2022.01.01 | vim/2:8.2.2434-3+deb11u1 | vim/MAXIMUM | https://security-tracker.debian.org/tracker/CVE-2021-3973 |

According to discussions, because MyLA doesn't need Vim, the best resolution for this vulnerability would be to remove Vim from the MyLA images. This could be accomplished by explicitly removing Vim in the Dockerfile.

@jonespm (Member)

jonespm commented Aug 26, 2022

We can just remove vim-tiny from the 2 Dockerfiles to resolve this. This isn't needed and was probably just there to aid in debugging.
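The remediation the two comments above describe (drop the editor from the image rather than patch it), as an added example that is not the MyLA project's own code: a small POSIX shell lint that joins backslash-continued `RUN` lines and flags any `apt-get install` list that still names the package, run against two constructed Dockerfile snippets, followed by a post-build check against the image. It generalizes from vim-tiny to any package name. The base image, package lists, file names and the image name in the usage comment are assumptions, not taken from the repository.

```shell
#!/bin/sh
# Added example, not code from the MyLA repository. Lints Dockerfiles for an
# apt-get install line that pulls in a package the image should not carry
# (vim-tiny here), then offers a check against the built image.
# Both Dockerfile snippets below are constructed for this example.

# Return 0 if any RUN line in FILE that invokes "apt-get install" or
# "apt install" names PKG (optionally version-pinned as PKG=ver).
# Backslash-continued lines are joined first so a multi-line RUN is seen whole.
dockerfile_installs_pkg() {
    pkg="$1"
    file="$2"
    sed -e ':a' -e '/\\$/N' -e 's/\\\n//' -e 'ta' "$file" \
        | grep -E '^[[:space:]]*RUN[[:space:]].*apt(-get)?[[:space:]]+install' \
        | grep -Eq "(^|[[:space:]])${pkg}([[:space:]=]|$)"
}

# Lint every Dockerfile given after PKG; return 1 if any still installs it.
lint_dockerfiles() {
    lint_pkg="$1"
    shift
    lint_status=0
    for f in "$@"; do
        if dockerfile_installs_pkg "$lint_pkg" "$f"; then
            echo "FAIL: $f installs $lint_pkg"
            lint_status=1
        else
            echo "ok:   $f does not install $lint_pkg"
        fi
    done
    return $lint_status
}

# After rebuilding, confirm the package is really gone from the image:
# dpkg-query exits non-zero and prints nothing useful when the package is
# unknown. Needs docker and a built image, so it is defined but not run here.
#   image_has_pkg gcr.io/unizin-core/myla:2022.01.01 vim-tiny && echo "still present"
image_has_pkg() {
    docker run --rm "$1" dpkg-query -W -f='${Status}\n' "$2" 2>/dev/null \
        | grep -q 'install ok installed'
}

tmpdir=$(mktemp -d)
trap 'rm -rf "$tmpdir"' EXIT
BEFORE_DF="$tmpdir/Dockerfile.before"
AFTER_DF="$tmpdir/Dockerfile.after"

# Constructed "before": a debug editor installed alongside build dependencies.
cat > "$BEFORE_DF" <<'EOF'
FROM debian:bullseye-slim
RUN apt-get update && apt-get install -y --no-install-recommends \
        build-essential \
        libpq-dev \
        vim-tiny \
    && rm -rf /var/lib/apt/lists/*
EOF

# Constructed "after": the same file with vim-tiny dropped from the list.
cat > "$AFTER_DF" <<'EOF'
FROM debian:bullseye-slim
RUN apt-get update && apt-get install -y --no-install-recommends \
        build-essential \
        libpq-dev \
    && rm -rf /var/lib/apt/lists/*
EOF

lint_dockerfiles vim-tiny "$BEFORE_DF" "$AFTER_DF" \
    || echo "at least one Dockerfile still installs vim-tiny"
```

The scanner row in the spreadsheet names the Debian source package (`vim`), while the Dockerfiles install the binary package `vim-tiny`, so the lint is keyed on the binary package name that actually appears in the `apt-get install` list; a match on `vim` alone would miss it. Once the images are rebuilt, `image_has_pkg` gives a direct yes/no, and a rescan of the image should no longer report the CVE.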

@lsloan lsloan self-assigned this Aug 26, 2022
@jonespm jonespm moved this from To do to In progress in MyLA-2022.02.01 Aug 26, 2022
@lsloan (Member, Author)

lsloan commented Aug 29, 2022

Yes, it has been a while since I looked at the Dockerfiles and I had forgotten that we were specifically installing vim. I guess we might have installed it for debugging purposes. I was expecting that it was being installed with the base OS and would need to be removed instead.

@jonespm, thanks for moving this to "in progress" for me. I was just about to do that.

lsloan added a commit to lsloan/myla that referenced this issue Aug 29, 2022
To address vulnerability CVE-2021-3973, remove Vim, which was probably installed for debugging purposes.
@zqian zqian linked a pull request Aug 30, 2022 that will close this issue
@lsloan (Member, Author)

lsloan commented Aug 30, 2022

Duelling linked pull requests! 20 paces, at dawn! 😉

lsloan added a commit that referenced this issue Aug 30, 2022
As specified in #1408, to address vulnerability CVE-2021-3973, remove Vim, which was probably installed for debugging purposes.
MyLA-2022.02.01 automation moved this from In progress to Review/QA Aug 30, 2022
@zqian zqian moved this from Review/QA to Review/QA - DEV in MyLA-2022.02.01 Aug 30, 2022
@jonespm jonespm moved this from Review/QA - DEV to Done in MyLA-2022.02.01 Sep 6, 2022
@jennlove-um jennlove-um removed this from Done in MyLA-2022.02.01 Sep 20, 2022
@jennlove-um jennlove-um added this to To do in MyLA-2022.01.03 via automation Sep 20, 2022
@pushyamig pushyamig moved this from To do to Done in MyLA-2022.01.03 Sep 20, 2022
jonespm pushed a commit to jonespm/student-dashboard-django that referenced this issue Sep 20, 2022
As specified in tl-its-umich-edu#1408, to address vulnerability CVE-2021-3973, remove Vim, which was probably installed for debugging purposes.