Need updating packages with critical security vulnerabilities in docker Registry #4162
Comments
We can't, no. Not at the moment. The main goal is to make a v3 release so we can deprecate
Are these Go dependencies, or dependencies from the base image? If they're in the base image, then possibly rebuilding the image (and/or updating alpine version) would get rid of those. That said, the registry is a static binary, so not sure if all of those are directly relevant;
docker run -it --rm registry:2.8.3 sh -c 'ldd /bin/registry'
/lib/ld-musl-aarch64.so.1: /bin/registry: Not a valid dynamic program
According to Docker Scout there are no critical vulnerabilities found in 2.8.3 There are some high vulnerabilities found in the
I think we should consider doing a 2.8.4 patch release though; there's at least 1 fix that is kinda important; also an update to Go and golang.org/x/net that fixes a vulnerability;
I ran the registry container instance with the image from registry 2.8.3 and listed all packages within it. Below is the list we are getting with the same.
# apk list
WARNING: opening from cache https://dl-cdn.alpinelinux.org/alpine/v3.18/main: No such file or directory
WARNING: opening from cache https://dl-cdn.alpinelinux.org/alpine/v3.18/community: No such file or directory
alpine-baselayout-3.4.3-r1 x86_64 {alpine-baselayout} (GPL-2.0-only) [installed]
alpine-baselayout-data-3.4.3-r1 x86_64 {alpine-baselayout} (GPL-2.0-only) [installed]
alpine-keys-2.4-r1 x86_64 {alpine-keys} (MIT) [installed]
apk-tools-2.14.0-r0 x86_64 {apk-tools} (GPL-2.0-only) [installed]
busybox-1.36.0-r9 x86_64 {busybox} (GPL-2.0-only) [installed]
busybox-binsh-1.36.0-r9 x86_64 {busybox} (GPL-2.0-only) [installed]
ca-certificates-20230506-r0 x86_64 {ca-certificates} (MPL-2.0 AND MIT) [installed]
ca-certificates-bundle-20230506-r0 x86_64 {ca-certificates} (MPL-2.0 AND MIT) [installed]
libc-utils-0.7.2-r5 x86_64 {libc-dev} (BSD-2-Clause AND BSD-3-Clause) [installed]
libcrypto3-3.1.0-r4 x86_64 {openssl} (Apache-2.0) [installed]
libssl3-3.1.0-r4 x86_64 {openssl} (Apache-2.0) [installed]
musl-1.2.4-r0 x86_64 {musl} (MIT) [installed]
musl-utils-1.2.4-r0 x86_64 {musl} (MIT AND BSD-2-Clause AND GPL-2.0-or-later) [installed]
scanelf-1.3.7-r1 x86_64 {pax-utils} (GPL-2.0-only) [installed]
ssl_client-1.36.0-r9 x86_64 {busybox} (GPL-2.0-only) [installed]
zlib-1.2.13-r1 x86_64 {zlib} (Zlib) [installed]
/ #
Out of these, our scanner identified that Zlib 1.2.13 has a vulnerability with a CVSS score of 9.8. Also, other packages identified with issues: Can the team advise whether these are part of the container? And when would they be fixed/patched?
Can you please format your message properly? I'm sorry but it's almost unreadable.
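The two comments above describe a triage a defender can script: read the image's apk inventory, map what the scanner reports (product and version) onto the installed apk origins, and check whether the scanned binary is even dynamically linked against those libraries. The following is an added example, not code from this thread or from the distribution project; the package lines are copied from the apk list above, the scanner findings are constructed from the versions quoted in the issue, and the ldd outputs are the musl message quoted above plus glibc's equivalent wording.

```shell
#!/bin/sh
# Constructed sample: a subset of the `apk list` output quoted in the thread
# (registry:2.8.3, Alpine 3.18 base image).
APK_LIST='WARNING: opening from cache https://dl-cdn.alpinelinux.org/alpine/v3.18/main: No such file or directory
alpine-baselayout-3.4.3-r1 x86_64 {alpine-baselayout} (GPL-2.0-only) [installed]
busybox-1.36.0-r9 x86_64 {busybox} (GPL-2.0-only) [installed]
libcrypto3-3.1.0-r4 x86_64 {openssl} (Apache-2.0) [installed]
libssl3-3.1.0-r4 x86_64 {openssl} (Apache-2.0) [installed]
musl-1.2.4-r0 x86_64 {musl} (MIT) [installed]
zlib-1.2.13-r1 x86_64 {zlib} (Zlib) [installed]'

# Turn "name-version-rN arch {origin} (license) [status]" into
# "origin name version release". Alpine versions never contain '-', so the
# last two '-'-separated fields are version and release; everything before
# them is the package name, which may itself contain hyphens.
apk_parse() {
  awk '
    /^WARNING:/ { next }          # apk cache warnings are not package lines
    {
      origin = $3; gsub(/[{}]/, "", origin)
      n = split($1, f, "-")
      rel = f[n]; ver = f[n-1]
      name = f[1]
      for (i = 2; i <= n-2; i++) name = name "-" f[i]
      print origin, name, ver, rel
    }'
}

# Installed "version-release" for an apk origin (source package). Scanners
# report by product, e.g. "OpenSSL 3.1.0", while the image lists the binary
# packages libcrypto3/libssl3, both with origin {openssl}. Empty if absent.
apk_origin_version() {
  printf '%s\n' "$APK_LIST" | apk_parse | awk -v o="$1" '$1 == o { print $3 "-" $4; exit }'
}

# Classify ldd output for a binary in the image. musl's ldd prints
# "Not a valid dynamic program" and glibc's prints "not a dynamic executable"
# for a statically linked binary; such a binary never loads the image's
# shared libraries, so findings against them need separate justification.
ldd_is_static() {
  printf '%s\n' "$1" | grep -qiE 'not a valid dynamic program|not a dynamic executable'
}

# Read "origin version" findings on stdin and print one line per finding:
# "origin reported installed match|mismatch" or "origin reported - absent".
triage_findings() {
  while read -r origin reported; do
    [ -n "$origin" ] || continue
    installed=$(apk_origin_version "$origin")
    if [ -z "$installed" ]; then
      echo "$origin $reported - absent"
    elif [ "${installed%-r*}" = "$reported" ]; then
      echo "$origin $reported $installed match"
    else
      echo "$origin $reported $installed mismatch"
    fi
  done
}

# Constructed findings using the product versions quoted in the issue.
printf '%s\n' 'openssl 3.1.0' 'openssl 3.1.1' 'zlib 1.2.13' 'busybox 1.36.0' | triage_findings
```

Run against a real image, the `APK_LIST` variable would be filled from `docker run --rm <image> apk list` and the ldd line from the `ldd /bin/registry` command shown in the thread. The "mismatch" result for OpenSSL 3.1.1 is the useful signal here: the image installs 3.1.0-r4, so a finding keyed to 3.1.1 does not correspond to any installed package and should be questioned before a patch release is requested.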
Hi @milosgajdos/Team, reformatted my message below - I ran a registry container instance with image from registry 2.8.3. As registry container is alpine based, I used the I ran the
As per the output of this command, Now, we use Blackduck scanner to scan the container for vulnerabilities. This scanner has reported following vulnerabilities with their CVE numbers:
As per the above comments, can the team advise whether these packages are a part of the container? And when would they be fixed/patched? Note: These are reported by the Blackduck scanner. I am not aware about the way which
@anurag-deshpande we've just made a new release https://github.com/distribution/distribution/releases/tag/v3.0.0-alpha.1 Find the latest updated image in https://hub.docker.com/r/distribution/distribution/tags
In the latest version of the Registry, i.e. 2.8.3, I am observing that there are 3 packages with security vulnerabilities. The details are listed below:
OpenSSL 3.1.0 and OpenSSL 3.1.1 packages have highest CVE score of 7.8.
Zlib 1.2.13 has a CVE score of 9.8 which is critical.
busybox 1.36.0 also has a CVE score of 7.8.
As all these scores are on the higher side, an update is required to patch them and prevent security risks.
Can the team provide a timeline when these packages will be updated?