
Need updating packages with critical security vulnerabilities in docker Registry #4162

Open
anurag-deshpande opened this issue Nov 21, 2023 · 8 comments

Comments

@anurag-deshpande

In the latest version of Registry, i.e. 2.8.3, I am observing that there are 3 packages with security vulnerabilities. The details are listed below:

The OpenSSL 3.1.0 and OpenSSL 3.1.1 packages have a highest CVE score of 7.8.

Zlib 1.2.13 has a CVE score of 9.8 which is critical.

busybox 1.36.0 also has a CVE score of 7.8.

As all these scores are on the higher side, an update is required to patch them and prevent security risks.

Can the team provide a timeline when these packages will be updated?

@milosgajdos
Member

Can the team provide a timeline when these packages will be updated?

We can't, no. Not at the moment. The main goal is to make a v3 release so we can deprecate v2.8 branch.

@thaJeztah
Member

Are these Go dependencies, or dependencies from the base image? If they're in the base image, then possibly rebuilding the image (and/or updating alpine version) would get rid of those.

That said, the registry is a static binary, so not sure if all of those are directly relevant;

docker run -it --rm registry:2.8.3 sh -c 'ldd /bin/registry'
/lib/ld-musl-aarch64.so.1: /bin/registry: Not a valid dynamic program

@milosgajdos
Member

According to Docker Scout, there are no critical vulnerabilities found in 2.8.3.

There are some high vulnerabilities found in the Go runtime, none exceeding a 7.5 score, and some in openssl which also don't cross the 7.5 threshold.

(Screenshot of Docker Scout results, 2023-11-21)

@thaJeztah
Member

I think we should consider doing a 2.8.4 patch release though; there's at least 1 fix that is kinda important; also an update to Go and golang.org/x/net that fixes a vulnerability;

@anurag-deshpande
Author

anurag-deshpande commented Nov 22, 2023

I ran a registry container instance with the image from registry 2.8.3 and listed all packages within it. Below is the list we are getting from it.

# apk list
WARNING: opening from cache https://dl-cdn.alpinelinux.org/alpine/v3.18/main: No such file or directory
WARNING: opening from cache https://dl-cdn.alpinelinux.org/alpine/v3.18/community: No such file or directory
alpine-baselayout-3.4.3-r1 x86_64 {alpine-baselayout} (GPL-2.0-only) [installed]
alpine-baselayout-data-3.4.3-r1 x86_64 {alpine-baselayout} (GPL-2.0-only) [installed]
alpine-keys-2.4-r1 x86_64 {alpine-keys} (MIT) [installed]
apk-tools-2.14.0-r0 x86_64 {apk-tools} (GPL-2.0-only) [installed]
busybox-1.36.0-r9 x86_64 {busybox} (GPL-2.0-only) [installed]
busybox-binsh-1.36.0-r9 x86_64 {busybox} (GPL-2.0-only) [installed]
ca-certificates-20230506-r0 x86_64 {ca-certificates} (MPL-2.0 AND MIT) [installed]
ca-certificates-bundle-20230506-r0 x86_64 {ca-certificates} (MPL-2.0 AND MIT) [installed]
libc-utils-0.7.2-r5 x86_64 {libc-dev} (BSD-2-Clause AND BSD-3-Clause) [installed]
libcrypto3-3.1.0-r4 x86_64 {openssl} (Apache-2.0) [installed]
libssl3-3.1.0-r4 x86_64 {openssl} (Apache-2.0) [installed]
musl-1.2.4-r0 x86_64 {musl} (MIT) [installed]
musl-utils-1.2.4-r0 x86_64 {musl} (MIT AND BSD-2-Clause AND GPL-2.0-or-later) [installed]
scanelf-1.3.7-r1 x86_64 {pax-utils} (GPL-2.0-only) [installed]
ssl_client-1.36.0-r9 x86_64 {busybox} (GPL-2.0-only) [installed]
zlib-1.2.13-r1 x86_64 {zlib} (Zlib) [installed]
/ #

Out of these, our scanner identified that Zlib 1.2.13 has a vulnerability with a CVSS score of 9.8.

Also, other packages identified with issues:
The OpenSSL 3.1.0 package has a highest CVE score of 7.8.
The busybox 1.36.0 package also has a CVE score of 7.8.

Can the team suggest if these are part of the container? And when would they be fixed/patched?

@milosgajdos
Member

Can you please format your message properly? I'm sorry but it's almost unreadable.

@anurag-deshpande
Author

anurag-deshpande commented Nov 29, 2023

Hi @milosgajdos/Team, I reformatted my message below:

I ran a registry container instance with the image from registry 2.8.3. As the registry container is Alpine based, I used the apk package manager to list all packages present inside the container instance.

I ran the apk list command to list all packages. Below is the output of the command:

# apk list
WARNING: opening from cache https://dl-cdn.alpinelinux.org/alpine/v3.18/main: No such file or directory
WARNING: opening from cache https://dl-cdn.alpinelinux.org/alpine/v3.18/community: No such file or directory
alpine-baselayout-3.4.3-r1 x86_64 {alpine-baselayout} (GPL-2.0-only) [installed]
alpine-baselayout-data-3.4.3-r1 x86_64 {alpine-baselayout} (GPL-2.0-only) [installed]
alpine-keys-2.4-r1 x86_64 {alpine-keys} (MIT) [installed]
apk-tools-2.14.0-r0 x86_64 {apk-tools} (GPL-2.0-only) [installed]
busybox-1.36.0-r9 x86_64 {busybox} (GPL-2.0-only) [installed]
busybox-binsh-1.36.0-r9 x86_64 {busybox} (GPL-2.0-only) [installed]
ca-certificates-20230506-r0 x86_64 {ca-certificates} (MPL-2.0 AND MIT) [installed]
ca-certificates-bundle-20230506-r0 x86_64 {ca-certificates} (MPL-2.0 AND MIT) [installed]
libc-utils-0.7.2-r5 x86_64 {libc-dev} (BSD-2-Clause AND BSD-3-Clause) [installed]
libcrypto3-3.1.0-r4 x86_64 {openssl} (Apache-2.0) [installed]
libssl3-3.1.0-r4 x86_64 {openssl} (Apache-2.0) [installed]
musl-1.2.4-r0 x86_64 {musl} (MIT) [installed]
musl-utils-1.2.4-r0 x86_64 {musl} (MIT AND BSD-2-Clause AND GPL-2.0-or-later) [installed]
scanelf-1.3.7-r1 x86_64 {pax-utils} (GPL-2.0-only) [installed]
ssl_client-1.36.0-r9 x86_64 {busybox} (GPL-2.0-only) [installed]
zlib-1.2.13-r1 x86_64 {zlib} (Zlib) [installed]
/ #

As per the output of this command, zlib-1.2.13-r1 x86_64 is listed as a package present within the registry container.

Now, we use the Blackduck scanner to scan the container for vulnerabilities. This scanner has reported the following vulnerabilities with their CVE numbers:

As per the above comments, can the team suggest if these packages are a part of the container? And when would they be fixed/patched?

Note: These are reported by the Blackduck scanner. I am not aware of the way Docker Scout scans. The Blackduck scanner does a docker-based scan on a given docker image and reports the results.
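Two points in this thread decide whether the scanner findings matter for the running service: @thaJeztah's observation that `/bin/registry` is a static binary (musl's `ldd` reports "Not a valid dynamic program" because the file has no program-interpreter entry), and the `apk list` output above, which shows which Alpine packages (and which origin packages, e.g. `libcrypto3`/`libssl3` from `openssl`) are actually installed. The script below is an added example, not code from the distribution project or from either scanner: it parses `apk list` output, reads an ELF file's program headers to see whether the binary needs a dynamic loader at all, and joins the two against a list of scanner findings so a reviewer can separate "library installed in the image" from "library loaded by the service". The ELF images and the findings list are constructed for the example; the package lines are taken from the listing in this thread.

```python
"""Triage base-image scanner findings against what the container actually runs.

Added example for this thread, not part of the distribution project.
All sample inputs below are constructed for the example.
"""
import re
import struct

PT_DYNAMIC = 2  # program header type: dynamic linking info (ld.so or static-pie)
PT_INTERP = 3   # program header type: path of the dynamic loader

# One `apk list` line: <name>-<version> <arch> {<origin package>} (<license>) [installed]
APK_LINE = re.compile(r"^(?P<name>\S+?)-(?P<version>\d\S*) (?P<arch>\S+) \{(?P<origin>[^}]+)\}")

# Lines quoted from the `apk list` output posted in this thread (subset).
SAMPLE_APK_LIST = """\
# apk list
WARNING: opening from cache https://dl-cdn.alpinelinux.org/alpine/v3.18/main: No such file or directory
alpine-baselayout-3.4.3-r1 x86_64 {alpine-baselayout} (GPL-2.0-only) [installed]
busybox-1.36.0-r9 x86_64 {busybox} (GPL-2.0-only) [installed]
busybox-binsh-1.36.0-r9 x86_64 {busybox} (GPL-2.0-only) [installed]
ca-certificates-bundle-20230506-r0 x86_64 {ca-certificates} (MPL-2.0 AND MIT) [installed]
libcrypto3-3.1.0-r4 x86_64 {openssl} (Apache-2.0) [installed]
libssl3-3.1.0-r4 x86_64 {openssl} (Apache-2.0) [installed]
musl-1.2.4-r0 x86_64 {musl} (MIT) [installed]
ssl_client-1.36.0-r9 x86_64 {busybox} (GPL-2.0-only) [installed]
zlib-1.2.13-r1 x86_64 {zlib} (Zlib) [installed]
/ #
"""

# Scanner findings as reported in the thread: (component, version, CVSS score).
SAMPLE_FINDINGS = [("OpenSSL", "3.1.0", 7.8), ("Zlib", "1.2.13", 9.8), ("busybox", "1.36.0", 7.8)]


def parse_apk_list(text):
    """Map package name -> {"version", "origin"}; WARNING: and prompt lines are skipped."""
    pkgs = {}
    for line in text.splitlines():
        m = APK_LINE.match(line.strip())
        if m:
            pkgs[m["name"]] = {"version": m["version"], "origin": m["origin"].lower()}
    return pkgs


def elf_linkage(data):
    """Return {"interp": bool, "dynamic": bool} from the ELF program headers.

    No PT_INTERP means no dynamic loader is involved, which is why musl's ldd
    calls such a file "Not a valid dynamic program".
    """
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    end = "<" if data[5] == 1 else ">"          # EI_DATA: 1 = little-endian, 2 = big-endian
    if data[4] == 2:                            # EI_CLASS 2 = ELF64
        (phoff,) = struct.unpack_from(end + "Q", data, 32)
        phentsize, phnum = struct.unpack_from(end + "HH", data, 54)
    else:                                       # ELF32
        (phoff,) = struct.unpack_from(end + "I", data, 28)
        phentsize, phnum = struct.unpack_from(end + "HH", data, 42)
    # p_type is the first u32 of every program header in both classes.
    types = {struct.unpack_from(end + "I", data, phoff + i * phentsize)[0] for i in range(phnum)}
    return {"interp": PT_INTERP in types, "dynamic": PT_DYNAMIC in types}


def build_elf64(phdr_types):
    """Constructed minimal little-endian x86-64 ELF with the given program header types."""
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)
    header = struct.pack("<16sHHIQQQIHHHHHH", ident, 2, 0x3E, 1, 0, 64, 0, 0,
                         64, 56, len(phdr_types), 64, 0, 0)
    phdrs = b"".join(struct.pack("<IIQQQQQQ", t, 0, 0, 0, 0, 0, 0, 0) for t in phdr_types)
    return header + phdrs


def triage(findings, packages, linkage):
    """Join scanner findings to installed packages by origin and state the exposure path."""
    report = []
    for component, version, cvss in findings:
        hits = {n: p for n, p in packages.items() if p["origin"] == component.lower()}
        if not hits:
            exposure = "not installed in the image"
        elif linkage["interp"]:
            exposure = "may be loaded by the dynamically linked service binary; check its DT_NEEDED"
        else:
            exposure = "not loaded by the static service binary; reachable only through other tools in the image"
        report.append({
            "component": component, "cvss": cvss, "installed": sorted(hits),
            "version_match": any(p["version"].startswith(version) for p in hits.values()),
            "exposure": exposure,
        })
    return report


if __name__ == "__main__":
    static_binary = build_elf64([1])          # PT_LOAD only, like a static Go binary
    for row in triage(SAMPLE_FINDINGS, parse_apk_list(SAMPLE_APK_LIST), elf_linkage(static_binary)):
        print(row)
```

On a real image, replace `build_elf64(...)` with the bytes of the service binary (for this thread, `/bin/registry` copied out of the `registry:2.8.3` image) and feed the actual `apk list` output to `parse_apk_list`. A finding whose exposure is "not loaded by the static service binary" is still a finding for the image's shell and tools (here `busybox` and `ssl_client`), so the usual fix remains rebuilding on a patched base image; the triage only tells you whether the network-facing service itself carries the affected code.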

@milosgajdos
Member
