Comments (11)
Current build is from Debian 10, and there are HIGH: 17, CRITICAL: 4 vulnerabilities. Even in Debian 11, the latest, there are 2 critical. Should we continue using Debian? Damn, I can't use any image with critical and high vulnerabilities in my prod env.
from minideb.
Hi @kobemtl,
It is normal that there are vulnerabilities, that's why we keep the containers updated.
Hi, the Debian security team has determined that those issues are minor and won't be issuing updates for buster, so they will remain as vulnerabilities in buster unless they change their minds.
Thanks for using the Bitnami container images! Bitnami releases a new revision for all the container images periodically, see https://hub.docker.com/r/bitnami/minideb/tags/?page=1&ordering=last_updated. The main reason to follow this approach is to ensure all the bundled system packages are updated to the latest available version.
This method doesn't guarantee there are no vulnerabilities in all of them, since there are some packages with known vulnerabilities that are not fixed in the Debian OS. In those cases, we can't do anything apart from waiting until a new version patching the issue appears in the system package manager of the distro.
You can find more info about Bitnami processes regarding CVEs and Vulnerability scanners at https://docs.bitnami.com/kubernetes/open-cve-policy/
We are using bitnami/minideb:buster image and we get the following high severity security issues.
CVE-2021-20309 - https://nvd.nist.gov/vuln/detail/CVE-2021-20309
CVE-2021-20312 - https://nvd.nist.gov/vuln/detail/CVE-2021-20312
We have a requirement to eliminate critical and high security vulnerabilities.
How long would it take to address these security vulnerabilities in bitnami/minideb:buster?
Hi @avineer,
Did you see my previous comment?
Thanks for using the Bitnami container images! Bitnami releases a new revision for all the container images periodically, see https://hub.docker.com/r/bitnami/minideb/tags/?page=1&ordering=last_updated. The main reason to follow this approach is to ensure all the bundled system packages are updated to the latest available version.
This method doesn't guarantee there are no vulnerabilities in all of them, since there are some packages with known vulnerabilities that are not fixed in the Debian OS. In those cases, we can't do anything apart from waiting until a new version patching the issue appears in the system package manager of the distro.
You can find more info about Bitnami processes regarding CVEs and Vulnerability scanners at https://docs.bitnami.com/kubernetes/open-cve-policy/
We are using bitnami/minideb:buster image and we get the following high severity security issues (9/1/2021).
https://security-tracker.debian.org/tracker/CVE-2019-25013 https://security-tracker.debian.org/tracker/CVE-2021-33574
We have a requirement to eliminate critical and high security vulnerabilities. How long would it take to address these security vulnerabilities in bitnami/minideb:buster?
From the README.md:
(...) In order to keep compatibility with Debian, we will not patch any vulnerabilities in Minideb directly. If Debian does not fix the CVE then it will also remain in Minideb. If you find a vulnerability that is fixed in Debian but not in the latest images of Minideb then please file an issue as that is not intentional. (...)
The CVE you mention is patched for bullseye [1] but not on buster, maybe consider an upgrade to minideb:bullseye instead.
@kobemtl minideb is notoriously insecure in my opinion, it's high time to switch to competing images based on ubi8, Alpine, or even ubuntu...
For example even the rather permissive Clair scanner reveals several High vulnerabilities:
Listing most important vulnerabilities in bitnami-minideb:buster-clair-cve-scan-20220529-122109.txt:
Unapproved vulnerabilities:
| Unapproved | High CVE-2021-33574 | glibc | 2.28-10+deb10u1 | The mq_notify function in the GNU C Library (aka glibc) |
| Unapproved | High CVE-2019-8457 | db5.3 | 5.3.28+dfsg1-0.5 | SQLite3 from 3.6.0 to and including 3.27.2 is |
| Unapproved | High CVE-2019-25013 | glibc | 2.28-10+deb10u1 | The iconv feature in the GNU C Library (aka |
| Unapproved | High CVE-2022-23219 | glibc | 2.28-10+deb10u1 | The deprecated compatibility function clnt_create in |
| Unapproved | High CVE-2022-23218 | glibc | 2.28-10+deb10u1 | The deprecated compatibility function svcunix_create |
The Bitnami Application Catalog (OpenSource) is based on bitnami/minideb (Debian 10 at this moment, although it will be updated to Debian 11 soon).
Apart from that, Bitnami, as part of VMware, provides a custom container and Helm Charts catalog based on the desired base image (generic distro such as Debian 10 & 11, CentOS 7, PhotonOS 3 & 4, Ubuntu 18.04 & 20.04, or custom golden image) through the VMware Tanzu Application Catalog.
It's not getting any better... high time to follow the open source community and replace Debian with Alpine, distroless, and Ubuntu. We had to switch away from all your containers to the open source ones (despite their other issues that required work) for that very reason... and today this prevented us from considering using bitnami/cassandra:4.0:
Listing most important vulnerabilities in bitnami-minideb:bullseye-clair-cve-scan-20220719-173817.txt:
Unapproved vulnerabilities:
| Unapproved | Critical CVE-2022-2068 | openssl | 1.1.1n-0+deb11u2 | In addition to the c_rehash shell command injection |
| Unapproved | High CVE-2019-8457 | db5.3 | 5.3.28+dfsg1-0.8 | SQLite3 from 3.6.0 to and including
(...)
Unapproved vulnerabilities:
| Unapproved | Critical CVE-2022-2068 | openssl | 1.1.1n-0+deb11u2 | In addition to the c_rehash shell command injection |
| Unapproved | High CVE-2019-8457 | db5.3 | 5.3.28+dfsg1-0.8 | SQLite3 from 3.6.0 to and including
CVE-2022-2068 is already fixed [1] on bullseye, you have to trigger apt-get update && apt-get upgrade to get the newer 1.1.1n-0+deb11u3 version.
I checked the mail list [2] for CVE-2019-8457 and there's no official statement about backporting the fix to bullseye. The security tracker says that sqlite3 is fixed but db5.3 is not, because it uses an embedded copy of sqlite3. Maybe you can uninstall db5.3 using apt-get purge if it is not critical for your use case.
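The distinction drawn in the reply above, a finding that apt-get update && apt-get upgrade resolves (openssl) versus one Debian has shipped no fix for in that suite (db5.3, only removable), can be checked mechanically instead of by reading scanner tables. The following is an added example, not code from the minideb project or from anyone in this thread: it reimplements dpkg's version-ordering rules in Python (the general algorithm, so it handles epochs, tildes and +debNuM revisions, not just the two versions quoted here) and classifies a package list against a small advisory table. The dpkg-query sample and the binary package names (openssl, libssl1.1, libdb5.3) are constructed; the fixed version 1.1.1n-0+deb11u3 is the one quoted in the reply, and "no fix" for db5.3 on bullseye is what the reply reports from the security tracker.

```python
"""Classify scanner hits against the Debian versions where a fix landed.

Constructed example (not minideb project code). Mirrors dpkg's verrevcmp()
ordering so that an installed version can be compared with the version a
security advisory names as fixed.
"""


def _order(c):
    """Character weight used by dpkg: '~' sorts before everything (even the
    end of the string), letters sort before other symbols, digits are 0."""
    if c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    if c == "~":
        return -1
    return ord(c) + 256 if c else 0


def _verrevcmp(a, b):
    """Compare two upstream-version or revision strings the way dpkg does."""
    while a or b:
        first_diff = 0
        # Non-digit run: compare character by character using dpkg weights.
        while (a and not a[0].isdigit()) or (b and not b[0].isdigit()):
            ac = _order(a[0] if a else "")
            bc = _order(b[0] if b else "")
            if ac != bc:
                return ac - bc
            a, b = a[1:], b[1:]
        # Digit run: drop leading zeros, then the longer run wins,
        # otherwise the first differing digit decides.
        a, b = a.lstrip("0"), b.lstrip("0")
        while a and a[0].isdigit() and b and b[0].isdigit():
            if not first_diff:
                first_diff = int(a[0]) - int(b[0])
            a, b = a[1:], b[1:]
        if a and a[0].isdigit():
            return 1
        if b and b[0].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def parse_version(v):
    """Split a Debian version into (epoch, upstream, debian_revision)."""
    epoch = 0
    if ":" in v:
        e, v = v.split(":", 1)
        epoch = int(e)
    upstream, _, revision = v.rpartition("-")
    if not upstream:  # no '-' at all: the whole string is the upstream part
        upstream, revision = revision, ""
    return epoch, upstream, revision


def compare_versions(a, b):
    """Return <0, 0 or >0, ordering a against b like dpkg --compare-versions."""
    ea, ua, ra = parse_version(a)
    eb, ub, rb = parse_version(b)
    if ea != eb:
        return ea - eb
    return _verrevcmp(ua, ub) or _verrevcmp(ra, rb)


def parse_dpkg_query(text):
    """Parse the output of dpkg-query -W -f='${Package} ${Version}\\n'."""
    installed = {}
    for line in text.splitlines():
        line = line.strip()
        if line:
            name, version = line.split(None, 1)
            installed[name] = version
    return installed


def audit(installed, advisories):
    """Classify each (cve, binary_package, fixed_version_or_None) advisory.

    Returns (cve, package, installed_version, status) tuples, where status is
    'fixed', 'upgrade-available', 'no-fix-in-distro' or 'not-installed'.
    """
    findings = []
    for cve, pkg, fixed in advisories:
        have = installed.get(pkg)
        if have is None:
            findings.append((cve, pkg, None, "not-installed"))  # purged: finding no longer applies
        elif fixed is None:
            findings.append((cve, pkg, have, "no-fix-in-distro"))
        elif compare_versions(have, fixed) >= 0:
            findings.append((cve, pkg, have, "fixed"))
        else:
            findings.append((cve, pkg, have, "upgrade-available"))
    return findings


# Constructed dpkg-query sample: a bullseye image before apt-get upgrade.
SAMPLE_DPKG_QUERY = """\
libssl1.1 1.1.1n-0+deb11u2
openssl 1.1.1n-0+deb11u2
libdb5.3 5.3.28+dfsg1-0.8
"""

# Advisory table assumed for this example: openssl fixed version as quoted in
# the thread; None marks a CVE Debian has not shipped a bullseye fix for.
ADVISORIES = [
    ("CVE-2022-2068", "openssl", "1.1.1n-0+deb11u3"),
    ("CVE-2022-2068", "libssl1.1", "1.1.1n-0+deb11u3"),
    ("CVE-2019-8457", "libdb5.3", None),
]

if __name__ == "__main__":
    for cve, pkg, have, status in audit(parse_dpkg_query(SAMPLE_DPKG_QUERY), ADVISORIES):
        print(f"{cve:15} {pkg:12} {have or '-':20} {status}")
```

Running it on a real image means feeding the output of dpkg-query -W -f='${Package} ${Version}\n' from inside the container into parse_dpkg_query; a result of 'upgrade-available' is the case the reply addresses with apt-get update && apt-get upgrade, while 'no-fix-in-distro' is the case where the only options are accepting the finding or purging the package, which turns it into 'not-installed'.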