Vulnerabilities to fix #5 (Open)

AndreaEr opened this issue Nov 11, 2024 · 1 comment

Comments

@AndreaEr opened the issue Nov 11, 2024

Hi gigante, I tried to patch the Dockerfile base image of hdgigante/python-opencv:4.10.0-alpine, as I found the following vulnerabilities: CVE-2023-42364, CVE-2024-9143 and CVE-2023-42365.
However, I realized that I was not able to update the versions of busybox and OpenSSL:

  • Upgrade busybox-binsh to 1.36.1-r30
  • Upgrade ssl_client to 1.36.1-r30
  • Upgrade OpenSSL

May I check whether you have encountered the same issue when patching or updating the versions of busybox, ssl_client and OpenSSL?

@gigante (Owner) commented Nov 15, 2024

Hi @AndreaEr. Thanks for reporting.

I have upgraded the base images (here), including the alpine image python:3.13-alpine.

But this alpine base image (v3.20) has busybox-binsh and ssl_client at 1.36.1-r29 as the latest version.

Running trivy, I see that the severity is LOW or MEDIUM (report below).

Can we wait for the release of the alpine package (1.36.1-r30 or above)?

┌───────────────┬────────────────┬──────────┬────────┬───────────────────┬───────────────┬───────────────────────────────────────────────────────────┐
│    Library    │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version │                           Title                           │
├───────────────┼────────────────┼──────────┼────────┼───────────────────┼───────────────┼───────────────────────────────────────────────────────────┤
│ busybox       │ CVE-2023-42364 │ MEDIUM   │ fixed  │ 1.36.1-r29        │ 1.36.1-r30    │ busybox: use-after-free                                   │
│               │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2023-42364                │
│               ├────────────────┤          │        │                   │               ├───────────────────────────────────────────────────────────┤
│               │ CVE-2023-42365 │          │        │                   │               │ busybox: use-after-free                                   │
│               │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2023-42365                │
├───────────────┼────────────────┤          │        │                   │               ├───────────────────────────────────────────────────────────┤
│ busybox-binsh │ CVE-2023-42364 │          │        │                   │               │ busybox: use-after-free                                   │
│               │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2023-42364                │
│               ├────────────────┤          │        │                   │               ├───────────────────────────────────────────────────────────┤
│               │ CVE-2023-42365 │          │        │                   │               │ busybox: use-after-free                                   │
│               │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2023-42365                │
├───────────────┼────────────────┼──────────┤        ├───────────────────┼───────────────┼───────────────────────────────────────────────────────────┤
│ libcrypto3    │ CVE-2024-9143  │ LOW      │        │ 3.3.2-r1          │ 3.3.2-r3      │ openssl: Low-level invalid GF(2^m) parameters lead to OOB │
│               │                │          │        │                   │               │ memory access                                             │
│               │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2024-9143                 │
├───────────────┤                │          │        │                   │               │                                                           │
│ libssl3       │                │          │        │                   │               │                                                           │
│               │                │          │        │                   │               │                                                           │
│               │                │          │        │                   │               │                                                           │
├───────────────┼────────────────┼──────────┤        ├───────────────────┼───────────────┼───────────────────────────────────────────────────────────┤
│ ssl_client    │ CVE-2023-42364 │ MEDIUM   │        │ 1.36.1-r29        │ 1.36.1-r30    │ busybox: use-after-free                                   │
│               │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2023-42364                │
│               ├────────────────┤          │        │                   │               ├───────────────────────────────────────────────────────────┤
│               │ CVE-2023-42365 │          │        │                   │               │ busybox: use-after-free                                   │
│               │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2023-42365                │
└───────────────┴────────────────┴──────────┴────────┴───────────────────┴───────────────┴───────────────────────────────────────────────────────────┘
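The two comments above describe a common situation: the scanner reports a fixed version, but the distro repository the image builds from does not carry it yet, so the only options are to pin the fixed version and let the build fail until it lands, or to accept the finding on severity grounds. The script below is an added example, not code from this repository or from trivy; it parses a report in trivy's JSON output shape (`Results[].Vulnerabilities[]` with `PkgName`, `InstalledVersion`, `FixedVersion`, `Severity`), decides which packages have a fix available, renders the `apk add` pin line for a Dockerfile, and flags anything above an accepted severity. The embedded report is constructed from the table gigante posted, and the version ordering is a simplification of apk's (dotted numeric version plus an optional `-rN` revision), which is sufficient for the versions in this thread.

```python
"""Gate a trivy JSON report: which Alpine packages have a fix, the apk pin
line to try, and whether any finding exceeds the accepted severity.

Added example for this issue thread; not the project's own code.
Run with a real report:  trivy image -f json -o report.json <image>
                         python gate.py report.json
"""
import json
import re
import sys

# Constructed excerpt in trivy's JSON output shape, mirroring the table
# in the thread (field names as trivy emits them).
SAMPLE_REPORT = json.dumps({
    "Results": [{
        "Target": "hdgigante/python-opencv:4.10.0-alpine (alpine 3.20)",
        "Class": "os-pkgs", "Type": "alpine",
        "Vulnerabilities": [
            {"VulnerabilityID": "CVE-2023-42364", "PkgName": "busybox",
             "InstalledVersion": "1.36.1-r29", "FixedVersion": "1.36.1-r30",
             "Severity": "MEDIUM", "Status": "fixed"},
            {"VulnerabilityID": "CVE-2023-42365", "PkgName": "busybox",
             "InstalledVersion": "1.36.1-r29", "FixedVersion": "1.36.1-r30",
             "Severity": "MEDIUM", "Status": "fixed"},
            {"VulnerabilityID": "CVE-2023-42364", "PkgName": "busybox-binsh",
             "InstalledVersion": "1.36.1-r29", "FixedVersion": "1.36.1-r30",
             "Severity": "MEDIUM", "Status": "fixed"},
            {"VulnerabilityID": "CVE-2024-9143", "PkgName": "libcrypto3",
             "InstalledVersion": "3.3.2-r1", "FixedVersion": "3.3.2-r3",
             "Severity": "LOW", "Status": "fixed"},
            {"VulnerabilityID": "CVE-2024-9143", "PkgName": "libssl3",
             "InstalledVersion": "3.3.2-r1", "FixedVersion": "3.3.2-r3",
             "Severity": "LOW", "Status": "fixed"},
            {"VulnerabilityID": "CVE-2023-42364", "PkgName": "ssl_client",
             "InstalledVersion": "1.36.1-r29", "FixedVersion": "1.36.1-r30",
             "Severity": "MEDIUM", "Status": "fixed"},
        ],
    }]
})

SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}


def apk_version_key(version):
    """Sort key for Alpine versions of the form X.Y.Z[-rN].

    Simplification (assumption): numeric dotted components, then the
    package revision. apk's full ordering (suffixes such as _p1, _git)
    is not modelled; it is not needed for the versions in this report.
    """
    base, _, rev = version.partition("-r")
    parts = []
    for piece in base.split("."):
        m = re.match(r"(\d+)(.*)", piece)
        parts.append((0, int(m.group(1)), m.group(2)) if m else (1, 0, piece))
    return tuple(parts), (int(rev) if rev.isdigit() else 0)


def fixable_findings(report_json, max_allowed="MEDIUM"):
    """Return (upgrades, blocking).

    upgrades: pkg -> highest FixedVersion that is newer than what is installed.
    blocking: (CVE, pkg, severity) for findings above max_allowed; with the
    thread's report and max_allowed="MEDIUM" this is empty, which is the
    basis for waiting on the Alpine package.
    """
    report = json.loads(report_json)
    upgrades, blocking = {}, []
    for result in report.get("Results", []):
        for v in result.get("Vulnerabilities") or []:
            fixed, installed, pkg = v.get("FixedVersion"), v["InstalledVersion"], v["PkgName"]
            if fixed and apk_version_key(fixed) > apk_version_key(installed):
                if pkg not in upgrades or apk_version_key(fixed) > apk_version_key(upgrades[pkg]):
                    upgrades[pkg] = fixed
            sev = v.get("Severity", "UNKNOWN")
            if SEVERITY_RANK.get(sev, 0) > SEVERITY_RANK[max_allowed]:
                blocking.append((v["VulnerabilityID"], pkg, sev))
    return upgrades, blocking


def apk_upgrade_command(upgrades):
    """Dockerfile RUN line pinning the fixed versions. apk refuses the
    pin if the repository index does not yet carry that version, so the
    build fails loudly instead of silently keeping the old package."""
    pins = " ".join(f"{pkg}={ver}" for pkg, ver in sorted(upgrades.items()))
    return f"apk add --no-cache --upgrade {pins}"


if __name__ == "__main__":
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    upgrades, blocking = fixable_findings(data)
    print(apk_upgrade_command(upgrades))
    for cve, pkg, sev in blocking:
        print(f"BLOCKING {sev}: {cve} in {pkg}")
    sys.exit(1 if blocking else 0)
```

With the constructed report and the default threshold the script prints one `apk add --no-cache --upgrade ...` line with all five packages pinned and exits 0; lowering `max_allowed` to `"LOW"` makes the four MEDIUM busybox findings blocking. Putting the pin line in the Dockerfile turns "the repo doesn't have it yet" into a build failure that goes away by itself once Alpine ships the package, rather than a finding that has to be re-checked by hand.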
