Security warning on busybox and ssl_client CVE-2021-42374 & CVE-2021-42375 #213

Closed
applejag opened this issue Nov 12, 2021 · 1 comment

applejag commented Nov 12, 2021

Hello!

Hope this is the place to report security warnings.

Trivy reports security warnings about the busybox and ssl_client libraries in the alpine image.

Edit: This was found on the alpine:latest tag with repo tags:

  • docker.io/library/alpine:3.14
  • docker.io/library/alpine:latest

and digests:

OS linux and architecture amd64

$ podman pull alpine:latest
Resolved "alpine" as an alias (/etc/containers/registries.conf.d/000-shortnames.conf)
Trying to pull docker.io/library/alpine:latest...
Getting image source signatures
Copying blob a0d0a0d46f8b skipped: already exists
Copying config 14119a10ab done
Writing manifest to image destination
Storing signatures
14119a10abf4669e8cdbdff324a9f9605d99697215a0d21c360fe8dfa8471bab

$ podman save alpine:latest -o alpine-latest.tar
Copying blob e2eb06d8af82 done
Copying config 14119a10ab done
Writing manifest to image destination
Storing signatures

$ trivy image --input alpine-latest.tar
2021-11-12T09:10:51.760+0100	INFO	Detected OS: alpine
2021-11-12T09:10:51.760+0100	INFO	Detecting Alpine vulnerabilities...
2021-11-12T09:10:51.761+0100	INFO	Number of language-specific files: 0

alpine-latest.tar (alpine 3.14.2)
=================================
Total: 4 (UNKNOWN: 4, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

+------------+------------------+----------+-------------------+---------------+---------------------------------------+
|  LIBRARY   | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION |                 TITLE                 |
+------------+------------------+----------+-------------------+---------------+---------------------------------------+
| busybox    | CVE-2021-42374   | UNKNOWN  | 1.33.1-r3         | 1.33.1-r4     | -->avd.aquasec.com/nvd/cve-2021-42374 |
+            +------------------+          +                   +---------------+---------------------------------------+
|            | CVE-2021-42375   |          |                   | 1.33.1-r5     | -->avd.aquasec.com/nvd/cve-2021-42375 |
+------------+------------------+          +                   +---------------+---------------------------------------+
| ssl_client | CVE-2021-42374   |          |                   | 1.33.1-r4     | -->avd.aquasec.com/nvd/cve-2021-42374 |
+            +------------------+          +                   +---------------+---------------------------------------+
|            | CVE-2021-42375   |          |                   | 1.33.1-r5     | -->avd.aquasec.com/nvd/cve-2021-42375 |
+------------+------------------+----------+-------------------+---------------+---------------------------------------+

Kind regards,
Kalle

Contributor

ncopa commented Nov 12, 2021

Should be fixed once docker-library/official-images#11289 is merged.

ncopa closed this as completed Nov 12, 2021