
Updates debian version #449

Closed
arcenik opened this issue Jan 22, 2020 · 2 comments
Labels
Request Request for image modification or feature

Comments

@arcenik

arcenik commented Jan 22, 2020

Hi,

The Debian-based Docker images contain a lot of vulnerabilities:

https://security-tracker.debian.org/tracker/CVE-2019-9169
https://security-tracker.debian.org/tracker/CVE-2019-18224
https://security-tracker.debian.org/tracker/CVE-2019-12900
https://security-tracker.debian.org/tracker/CVE-2016-2779
...

Including the current stable, buster:

https://security-tracker.debian.org/tracker/CVE-2019-16168
https://security-tracker.debian.org/tracker/CVE-2019-19603
https://security-tracker.debian.org/tracker/CVE-2019-20218
...

Could you add debian-bullseye and debian-sid, and add debian-stable, debian-testing and debian-unstable tags?

Best regards.

@wglambert wglambert added the Request Request for image modification or feature label Jan 22, 2020
@wglambert

See https://github.com/docker-library/faq#why-does-my-security-scanner-show-that-an-image-has-so-many-cves
And docker-library/postgres#286 (comment) docker-library/openjdk#161, docker-library/openjdk#112, docker-library/postgres#286, docker-library/drupal#84, docker-library/official-images#2740, docker-library/ruby#117, docker-library/ruby#94, #152, docker-library/php#242, docker-library/buildpack-deps#46, docker-library/openjdk#185.

A CVE doesn't imply having an actual vulnerability, and often is even a false positive (given how most distributions handle versioning/security updates in stable releases). If there are actionable items we can resolve, we're happy to do so (and do so actively). We update all Debian based images to include any updates in apt packages at least monthly (we regenerate the base images and then rebuild all dependent images).

Additionally, we're not comfortable supporting an image based on unstable or testing (#364).
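
The triage the maintainers describe above (separating scanner hits that Debian has already fixed with a stable backport, or deliberately left unfixed as minor, from genuinely open issues) as an added example, not code from the docker-library project: a Python script that checks scanner findings against the shape of the Debian security tracker's JSON export. The tracker data embedded here is a constructed sample with placeholder CVE ids and package names, and version ordering is simplified to the +debNuM suffix rather than full dpkg comparison rules.

```python
import json
import re

# Constructed sample in the shape of the Debian security tracker's JSON export
# (https://security-tracker.debian.org/tracker/data/json). All CVE ids,
# package names and versions are placeholders, not real tracker data.
TRACKER_SAMPLE = json.loads("""{
  "libexample": {"CVE-0000-0001": {"releases": {"buster": {
      "status": "resolved", "fixed_version": "1.4.0-1+deb10u2",
      "repositories": {"buster": "1.4.0-1+deb10u2"}}}}},
  "otherpkg":   {"CVE-0000-0002": {"releases": {"buster": {
      "status": "open", "urgency": "unimportant", "nodsa": "Minor issue",
      "repositories": {"buster": "2.7-3"}}}}},
  "thirdpkg":   {"CVE-0000-0003": {"releases": {"buster": {
      "status": "open", "urgency": "high",
      "repositories": {"buster": "0.9-1"}}}}}
}""")

# Debian stable security updates keep the upstream version and bump a
# "+deb<release>u<n>" revision (e.g. 1.4.0-1+deb10u2); scanners that match on
# the upstream version alone therefore report such packages as still vulnerable.
_STABLE_UPDATE = re.compile(r"^(?P<base>.*?)(\+deb(?P<rel>\d+)u(?P<n>\d+))?$")

def stable_update_level(version):
    """Return (base_version, update_number); update_number is -1 without a +debNuM suffix."""
    m = _STABLE_UPDATE.match(version)
    n = int(m.group("n")) if m.group("n") else -1
    return m.group("base"), n

def triage(package, cve, installed, tracker, release="buster"):
    """Classify one scanner finding against tracker data for one release.
    Simplified ordering: same base version and a >= +debNuM number counts as fixed."""
    entry = tracker.get(package, {}).get(cve, {}).get("releases", {}).get(release)
    if entry is None:
        return "unknown"             # not tracked for this release; check by hand
    if entry["status"] == "resolved":
        base, have = stable_update_level(installed)
        fbase, need = stable_update_level(entry["fixed_version"])
        if base == fbase and have >= need:
            return "fixed-by-backport"   # scanner false positive
        return "fix-available"           # apt upgrade / image rebuild resolves it
    if "nodsa" in entry:
        return "no-dsa"              # judged minor by Debian; not fixed in stable
    return "open"                    # genuinely unfixed: the actionable case

def triage_scan(findings, tracker, release="buster"):
    """findings: iterable of (package, cve, installed_version) tuples from a scanner."""
    return {cve: triage(pkg, cve, ver, tracker, release) for pkg, cve, ver in findings}
```

Only the "open" and "fix-available" verdicts need action; "fixed-by-backport" is the class of false positives the FAQ link above is about, and "no-dsa" is the class the next comment explains.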

@yosifkit
Member

Currently bullseye and testing are equivalent (until bullseye becomes stable later this year). sid and unstable are always equivalent.

Unfortunately, CVEs that are deemed minor by the Debian Security Team (https://www.debian.org/security/) and thus not fixed in stable (aka buster and 10) are not reason enough to create images based on testing or unstable, since they are not security-supported. See also docker-library/golang#316 (comment).
