[CVE-2023-25139] tini-static executable seems vulnerable #210
Comments
HarinadhD changed the title from "[CVE-2023-25139] tini-static executable showing as vulnerable" to "[CVE-2023-25139] tini-static executable seems vulnerable" on Mar 7, 2023.
It seems likely it's built with a vulnerable version, but note that Tini doesn't actually use that function, let alone in the circumstances described there.

I'll try to publish updated binaries, but if you rely on security scanners and they get triggered by this, I really would encourage you to build Tini yourself.

In fact, that's a good security practice: it's one thing to be worried about CVEs, but if you're concerned about security, downloading and running binaries built by people you don't know (me in this case) should arguably be a bigger concern!
On Tue, 7 Mar 2023 at 13:14, HarinadhD wrote:

> CVE-2023-25139 <https://github.com/advisories/GHSA-2g67-jw5m-244m> is applicable to glibc version 2.37.
> When we scan (using the Synopsys BDBA tool) for vulnerabilities, the tini-static executable (built with tini release version 0.19.0) shows as vulnerable.
> Could someone please confirm which glibc version is used in the tini-static executable?
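The question in the quoted message above (which glibc version the tini-static binary carries) can be answered from the binary itself, because a statically linked glibc embeds its version banner. The following POSIX shell helper is an added example, not code from tini or from this thread: it reads the banner out of a file and compares it with the glibc version the advisory names, using a constructed sample file in place of the real tini-static binary.

```shell
#!/bin/sh
# Added example, not part of tini or of this issue thread.
# A static glibc carries its version banner (from glibc's version.c), e.g.
#   "GNU C Library (GNU libc) stable release version 2.37."
# so the version a scanner keys on can be read straight out of the executable.

# Print the glibc version (e.g. 2.37) embedded in the binary at $1.
# Returns non-zero when no banner is present (not glibc, or dynamically linked).
glibc_version_of() {
    # Turn every non-printable byte into a newline (a portable stand-in for
    # `strings`), then pick the banner line and keep only the version number.
    v=$(LC_ALL=C tr -c '[:print:]\n' '\n' < "$1" \
        | grep -o -E 'GNU C Library [^.]*release version [0-9]+\.[0-9]+' \
        | head -n 1 \
        | sed 's/.*release version //')
    [ -n "$v" ] || return 1
    echo "$v"
}

# Compare the embedded version with the version an advisory names
# (2.37 for CVE-2023-25139, as stated in the issue). Prints one verdict line.
# Exit status: 0 = different version, 1 = matching version, 2 = no banner.
report_against_advisory() {
    bin=$1; advisory=$2; affected=$3
    v=$(glibc_version_of "$bin") || { echo "$bin: no static glibc banner found"; return 2; }
    if [ "$v" = "$affected" ]; then
        echo "$bin: static glibc $v matches $advisory version $affected (check whether the affected function is reachable)"
        return 1
    fi
    echo "$bin: static glibc $v, not the $advisory version $affected"
    return 0
}

# Constructed sample standing in for tini-static: junk bytes around a banner.
make_sample() {
    f=$(mktemp)
    printf '\177ELF\002\001\001junk\000GNU C Library (GNU libc) stable release version 2.37.\000Compiled by GNU CC version 12.2.0.\000' > "$f"
    echo "$f"
}

# Usage: sh this_script.sh /path/to/tini-static
if [ $# -gt 0 ]; then
    report_against_advisory "$1" CVE-2023-25139 2.37
fi
```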