bump root image from debian:buster-slim to debian:bookworm-slim required #33

obeyler opened this issue Aug 18, 2021 · 8 comments

obeyler commented Aug 18, 2021

./trivy image -s CRITICAL debian:buster-slim
2021-08-18T11:18:12.970+0200	INFO	Detected OS: debian
2021-08-18T11:18:12.971+0200	INFO	Detecting Debian vulnerabilities...
2021-08-18T11:18:12.978+0200	INFO	Number of language-specific files: 0

debian:buster-slim (debian 10.10)
=================================
Total: 4 (CRITICAL: 4)

+----------+------------------+----------+-------------------+---------------+---------------------------------------+
| LIBRARY  | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION |                 TITLE                 |
+----------+------------------+----------+-------------------+---------------+---------------------------------------+
| libc-bin | CVE-2021-33574   | CRITICAL | 2.28-10           |               | glibc: mq_notify does                 |
|          |                  |          |                   |               | not handle separately                 |
|          |                  |          |                   |               | allocated thread attributes           |
|          |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-33574 |
+          +------------------+          +                   +---------------+---------------------------------------+
|          | CVE-2021-35942   |          |                   |               | glibc: Arbitrary read in wordexp()    |
|          |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-35942 |
+----------+------------------+          +                   +---------------+---------------------------------------+
| libc6    | CVE-2021-33574   |          |                   |               | glibc: mq_notify does                 |
|          |                  |          |                   |               | not handle separately                 |
|          |                  |          |                   |               | allocated thread attributes           |
|          |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-33574 |
+          +------------------+          +                   +---------------+---------------------------------------+
|          | CVE-2021-35942   |          |                   |               | glibc: Arbitrary read in wordexp()    |
|          |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-35942 |
+----------+------------------+----------+-------------------+---------------+---------------------------------------+
adminomc@hkbdc1svcadm01p:~$ ./trivy image -s CRITICAL debian:bookworm-slim
2021-08-18T11:19:26.064+0200	INFO	Detected OS: debian
2021-08-18T11:19:26.065+0200	INFO	Detecting Debian vulnerabilities...
2021-08-18T11:19:26.065+0200	INFO	Number of language-specific files: 0

debian:bookworm-slim (debian 11.0)
==================================
Total: 0 (CRITICAL: 0)
isuftin commented Sep 3, 2021

Isn't Debian 11 codename "Bullseye" ?

nesc58 commented Sep 10, 2021

Yes. Debian 11 is Bullseye. I guess "Bookworm" is the codename for Debian 12.

obeyler commented Sep 10, 2021

trivy image -s CRITICAL debian:bullseye-slim
2021-09-10T10:18:31.361+0200	INFO	Detecting Debian vulnerabilities...
2021-09-10T10:18:31.368+0200	INFO	Trivy skips scanning programming language libraries because no supported file was detected

debian:bullseye-slim (debian 11.0)
==================================
Total: 2 (CRITICAL: 2)

+----------+------------------+----------+-------------------+---------------+---------------------------------------+
| LIBRARY  | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION |                 TITLE                 |
+----------+------------------+----------+-------------------+---------------+---------------------------------------+
| libc-bin | CVE-2021-33574   | CRITICAL | 2.31-13           |               | glibc: mq_notify does                 |
|          |                  |          |                   |               | not handle separately                 |
|          |                  |          |                   |               | allocated thread attributes           |
|          |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-33574 |
+----------+                  +          +                   +---------------+                                       +
| libc6    |                  |          |                   |               |                                       |
|          |                  |          |                   |               |                                       |
|          |                  |          |                   |               |                                       |
|          |                  |          |                   |               |                                       |
+----------+------------------+----------+-------------------+---------------+---------------------------------------+

CVE is present on debian 11

obeyler commented Sep 10, 2021

@nesc58 exactly, the trivy scan gives the wrong version for the docker image of debian 12

nesc58 commented Sep 10, 2021

Trivy seems to be incorrect. Bookworm is still vulnerable: https://security-tracker.debian.org/tracker/CVE-2021-33574

@koelle25 commented

In the current version it clearly states that Debian Bookworm is not (yet) supported:

❯ trivy image -s CRITICAL debian:bookworm-slim
2022-09-23T09:57:12.785+0200	INFO	Vulnerability scanning is enabled
2022-09-23T09:57:12.785+0200	INFO	Secret scanning is enabled
2022-09-23T09:57:12.785+0200	INFO	If your scanning is slow, please try '--security-checks vuln' to disable secret scanning
2022-09-23T09:57:12.785+0200	INFO	Please see also https://aquasecurity.github.io/trivy/v0.32/docs/secret/scanning/#recommendation for faster secret detection
2022-09-23T09:57:17.187+0200	INFO	Detected OS: debian
2022-09-23T09:57:17.187+0200	WARN	This OS version is not on the EOL list: debian bookworm/sid
2022-09-23T09:57:17.187+0200	INFO	Detecting Debian vulnerabilities...
2022-09-23T09:57:17.187+0200	INFO	Number of language-specific files: 0
2022-09-23T09:57:17.188+0200	WARN	This OS version is no longer supported by the distribution: debian bookworm/sid
2022-09-23T09:57:17.188+0200	WARN	The vulnerability detection may be insufficient because security updates are not provided

debian:bookworm-slim (debian bookworm/sid)

Total: 0 (CRITICAL: 0)
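
The WARN lines in the output above are the signal a CI gate should act on: a "Total: 0" that follows "This OS version is not on the EOL list" means trivy had no vulnerability data for the release, not that the image is clean. The following POSIX sh function is an added example (not code from this issue or from the trivy project) that classifies trivy's text output accordingly; the sample outputs are constructed, modelled on the logs quoted in this thread.

```shell
#!/bin/sh
# Added example, not code from the issue or from trivy. Trivy prints WARN
# lines when it has no vulnerability data for the detected release; a
# "Total: 0" that follows such a warning is a missing database, not a clean
# image. classify_scan reads trivy's text output on stdin and prints one of:
#   INCONCLUSIVE  trivy warned it lacks data for this OS release
#   VULNERABLE    one or more findings were reported
#   CLEAN         supported release and zero findings
classify_scan() {
    out=$(cat)
    # Any of trivy's "unsupported release" warnings invalidates a zero total.
    if printf '%s\n' "$out" | grep -Eq 'WARN.*(not on the EOL list|no longer supported by the distribution|detection may be insufficient)'; then
        echo INCONCLUSIVE
        return 0
    fi
    # First "Total: N" line; absent when the scan never reached the summary.
    total=$(printf '%s\n' "$out" | sed -n 's/^Total: \([0-9][0-9]*\).*/\1/p' | head -n 1)
    if [ -z "$total" ]; then
        echo INCONCLUSIVE
    elif [ "$total" -gt 0 ]; then
        echo VULNERABLE
    else
        echo CLEAN
    fi
}

# Constructed samples modelled on the output quoted in this thread
# (timestamps dropped; these are not real scan results).
SAMPLE_BOOKWORM='INFO  Detected OS: debian
WARN  This OS version is not on the EOL list: debian bookworm/sid
WARN  This OS version is no longer supported by the distribution: debian bookworm/sid
WARN  The vulnerability detection may be insufficient because security updates are not provided
debian:bookworm-slim (debian bookworm/sid)
Total: 0 (CRITICAL: 0)'
SAMPLE_BULLSEYE='INFO  Detected OS: debian
debian:bullseye-slim (debian 11.0)
Total: 2 (CRITICAL: 2)'
SAMPLE_CLEAN='INFO  Detected OS: debian
debian:example-slim (debian 11.6)
Total: 0 (CRITICAL: 0)'

# Usage in a pipeline: trivy image -s CRITICAL IMAGE 2>&1 | classify_scan
printf '%s\n' "$SAMPLE_BOOKWORM" | classify_scan   # INCONCLUSIVE
printf '%s\n' "$SAMPLE_BULLSEYE" | classify_scan   # VULNERABLE
```

A gate that only checks `Total: 0` would have passed the bookworm image in this thread; treating INCONCLUSIVE as a failure forces the scan to be repeated with a database that actually covers the release.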

@thomschke commented

Debian Bullseye is now supported:

~ ❯ trivy image debian:bullseye-slim                                                                                                                                                                                      11s
2022-12-28T10:30:41.455+0100	INFO	Vulnerability scanning is enabled
2022-12-28T10:30:41.455+0100	INFO	Secret scanning is enabled
2022-12-28T10:30:41.455+0100	INFO	If your scanning is slow, please try '--security-checks vuln' to disable secret scanning
2022-12-28T10:30:41.455+0100	INFO	Please see also https://aquasecurity.github.io/trivy/v0.35/docs/secret/scanning/#recommendation for faster secret detection
2022-12-28T10:30:46.808+0100	INFO	Detected OS: debian
2022-12-28T10:30:46.809+0100	INFO	Detecting Debian vulnerabilities...
2022-12-28T10:30:46.821+0100	INFO	Number of language-specific files: 0

debian:bullseye-slim (debian 11.6)

Total: 78 (UNKNOWN: 0, LOW: 61, MEDIUM: 6, HIGH: 10, CRITICAL: 1)

and there OpenLDAP 2.5.13 will be provided.

nesc58 commented Jun 30, 2023

PR created: #37
