Critical and High Severity in alpine image in google/cloud-sdk/492.0.0-alpine #472

Open
nmeena-suki opened this issue Sep 11, 2024 · 3 comments


nmeena-suki commented Sep 11, 2024

The alpine version of this image seems to be vulnerable to GHSA-v23v-6jw2-98fq
You need to update your docker static source version
Image: https://hub.docker.com/layers/google/cloud-sdk/492.0.0-alpine/images/sha256-201db51115dc28aea998b5caf581233733957b289169acd1d54b7102a41d4bab?context=explore

There are also other high vulnerabilities in the cryptography package, and the fix is available:
GHSA-3ww4-gg4f-jr7f
GHSA-6vqw-3v5j-54x4

When can we expect an upgrade?

@nmeena-suki
Author

There are 20 Vul, out of which these are fixable

Screenshot 2024-09-11 at 1 37 00 PM

@young-mmfm

google/cloud-sdk/493.0.0-alpine also has security issues:
Screenshot 2024-09-23 at 11 59 41 AM

493.0 went back to Alpine 3.19 from Alpine 3.20. Alpine 3.20.3 currently has no known vulnerabilities: https://hub.docker.com/layers/library/alpine/3.20.3/images/sha256-33735bd63cf84d7e388d9f6d297d348c523c044410f553bd878c6d7829612735?context=explore.

Wondering if it's possible to upgrade to Alpine 3.20.3? 🙏 Thank you!

@young-mmfm

Correction: even when upgrading to Alpine 3.20.3, there seem to be vulnerabilities specifically in py3-openssl and the google cloud CLI:
Screenshot 2024-09-23 at 1 53 12 PM
