Resolve common CVEs #506
Comments
You might want to talk to your scanner vendor about false positives here. 😅 (We don't have any macOS or iOS images.) See also https://github.com/docker-library/faq#why-does-my-security-scanner-show-that-an-image-has-cves
Thank you. Indeed, many we classify as false positives. I will discuss this with Calico Cloud - Tigera as we leverage their Container Scanning tools.
The Golang Bookworm image is used to build the Velero binary, and paketobuildpacks/run-jammy-tiny:0.2.11 is used as the base image to build the Velero image. So the vulnerabilities are reported for image paketobuildpacks/run-jammy-tiny:0.2.11. I checked the repository's latest version. The reported vulnerable binary versions are not bumped.
@Romiko maybe the app could switch to a multi-stage build that copies the built output to a more minimal image
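To make the multi-stage suggestion above concrete, here is an added example Dockerfile (not from this issue, not Velero's or the docker-library's own build, and not how paketobuildpacks/run-jammy-tiny is produced). It assumes a Go module with a `./cmd/app` entrypoint, the `golang:1.21-bookworm` tag, and `gcr.io/distroless/static-debian12:nonroot` as the runtime base; all three are assumptions for illustration. The toolchain image is only the builder: nothing from its apt packages reaches the final image, so the Debian-package findings a scanner raises against golang:bookworm stop applying to what you ship.

```dockerfile
# Stage 1: build a static Go binary with the golang:bookworm toolchain image.
# Only /out/app is copied out of this stage, so none of bookworm's apt
# packages (and their CVEs) end up in the image that gets deployed.
# (Tag and paths below are assumptions for this example.)
FROM golang:1.21-bookworm AS builder
WORKDIR /src

# Download modules before copying sources so the layer cache survives code edits.
COPY go.mod go.sum ./
RUN go mod download

COPY . .

# CGO_ENABLED=0 gives a binary with no libc dependency, which is what lets it
# run on a scratch/distroless base. -trimpath and -s -w drop build paths and
# debug symbols, which also shrinks the scan surface.
RUN CGO_ENABLED=0 go build -trimpath -ldflags="-s -w" -o /out/app ./cmd/app

# Show the module versions compiled into the binary. Go-module findings such as
# the gRPC-Go ones (fix version 1.56.3) come from this embedded build info, not
# from the base image, so this is the line to check after bumping go.mod.
RUN go version -m /out/app | grep -E '^[[:space:]]*dep[[:space:]]+google.golang.org/grpc' || true

# Stage 2: minimal runtime image. distroless/static has no shell, no package
# manager and no libc, which leaves almost nothing for a scanner to flag.
FROM gcr.io/distroless/static-debian12:nonroot
COPY --from=builder /out/app /app
USER nonroot:nonroot
ENTRYPOINT ["/app"]
```

Build with `docker build -t app .` and rescan the resulting image. Findings that are attached to the Go binary itself (the gRPC-Go entries in the list below) will follow the binary into the new image and are resolved by updating the module in go.mod and rebuilding, not by changing base images; findings attached to Debian or Ubuntu packages disappear with the package layer.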
The golang bookworm base image has some CVEs that may require resolving. I find these CVEs are a common occurrence with many core Kubernetes containers such as Velero, External-DNS and Cert-Manager. Is it possible to resolve some of these on the base images in docker.io?
CVE ID: GHSA-m425-mq94-257g
Fix Version: 1.56.3
Advisory URL: GHSA-m425-mq94-257g
Description: gRPC-Go HTTP/2 Rapid Reset vulnerability

CVE ID: GHSA-qppj-fm5r-hxr3
Fix Version: 1.56.3
Advisory URL: GHSA-qppj-fm5r-hxr3
Description: HTTP/2 Stream Cancellation Attack

CVE ID: CVE-2016-20013
Fix Version: Not Fixed
Advisory URL: https://nvd.nist.gov/vuln/detail/CVE-2016-20013
Description: sha256crypt and sha512crypt through 0.6 allow attackers to cause a denial of service (CPU consumption) because the algorithm's runtime is proportional to the square of the length of the password.

CVE ID: CVE-2023-5156
Fix Version: 2.35-0ubuntu3.5
Advisory URL: https://nvd.nist.gov/vuln/detail/CVE-2023-5156
Description: A flaw was found in the GNU C Library. A recent fix for CVE-2023-4806 introduced the potential for a memory leak, which may result in an application crash.

CVE ID: CVE-2015-5237
Fix Version: Unknown
Advisory URL: https://nvd.nist.gov/vuln/detail/CVE-2015-5237
Description: protobuf allows remote authenticated attackers to cause a heap-based buffer overflow.

CVE ID: CVE-2022-42800
Fix Version:
Advisory URL: https://nvd.nist.gov/vuln/detail/CVE-2022-42800
Description: This issue was addressed with improved checks. This issue is fixed in iOS 15.7.1 and iPadOS 15.7.1, macOS Ventura 13, watchOS 9.1, iOS 16.1 and iPadOS 16, macOS Monterey 12.6.1, macOS Big Sur 11.7.1. A user may be able to cause unexpected app termination or arbitrary code execution.