I tried the same procedure as described in the original report. It seems that one CVE is fixed but the other two remain:
docker run ubuntu:noble -it /bin/bash
apt update && apt install gosu
gosu --version
1.17 (go1.22.2 on linux/arm64; gc)
docker commit <container_id> ubuntu-noble-security
docker scout cves --locations --only-severity "critical,high" ubuntu-noble-security
...
## Packages and Vulnerabilities

    1C     1H     0M     0L  stdlib 1.22.2
pkg:golang/stdlib@1.22.2
    6: sha256:74098bae0fa49d842f7abd64314d0e24efa515611d738d265566498d9caafd12
       /usr/sbin/gosu (evident by)

    ✗ CRITICAL CVE-2024-24790
      https://scout.docker.com/v/CVE-2024-24790
      Affected range : >=1.22.0-0
                     : <1.22.4
      Fixed version  : 1.22.4

    ✗ HIGH CVE-2024-24791
      https://scout.docker.com/v/CVE-2024-24791
      Affected range : >=1.22.0-0
                     : <1.22.5
      Fixed version  : 1.22.5

** Description changed:

Previously reported here: https://github.com/docker-library/cassandra/issues/276#issuecomment-2222627720

Using the latest official ubuntu:noble (or ubuntu:24.10 and probably others) images from dockerhub and installing gosu via `apt update && apt install gosu`. If I create such an image, docker scout reports a few critical and high vulnerabilities.

----

- docker run ubuntu:noble -it /bin/bash + docker run -it ubuntu:noble /bin/bash # inside the container apt update && apt install gosu gosu --version 1.17 (go1.21.3 on linux/arm64; gc) # create a new image with installed gosu docker commit <container_id> ubuntu-noble-security docker scout cves --locations --only-severity "critical,high" ubuntu-noble-security ... 
- ✗ Detected 1 vulnerable package with 3 vulnerabilities + ✗ Detected 1 vulnerable package with 3 vulnerabilities ## Packages and Vulnerabilities - 1C 2H 0M 0L stdlib 1.21.3 + 1C 2H 0M 0L stdlib 1.21.3 pkg:golang/stdlib@1.21.3 6: sha256:72d0bb40b06f68e2b1dbbd238d3aa6696de4df6793602d68417c2bac696c10ca /usr/sbin/gosu (evident by) - ✗ CRITICAL CVE-2024-24790 - https://scout.docker.com/v/CVE-2024-24790 - Affected range : <1.21.11 - Fixed version : 1.21.11 + ✗ CRITICAL CVE-2024-24790 + https://scout.docker.com/v/CVE-2024-24790 + Affected range : <1.21.11 + Fixed version : 1.21.11 - ✗ HIGH CVE-2024-24791 - https://scout.docker.com/v/CVE-2024-24791 - Affected range : <1.21.12 - Fixed version : 1.21.12 + ✗ HIGH CVE-2024-24791 + https://scout.docker.com/v/CVE-2024-24791 + Affected range : <1.21.12 + Fixed version : 1.21.12 - ✗ HIGH CVE-2023-45283 - https://scout.docker.com/v/CVE-2023-45283 - Affected range : >=1.21.0-0 - : <1.21.4 - Fixed version : 1.21.4 + ✗ HIGH CVE-2023-45283 + https://scout.docker.com/v/CVE-2023-45283 + Affected range : >=1.21.0-0 + : <1.21.4 + Fixed version : 1.21.4

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2072883

Title:
  Docker scout reports critical and high vulnerabilities for Ubuntu
  docker images with installed gosu

To manage notifications about this bug go to:
https://bugs.launchpad.net/cloud-images/+bug/2072883/+subscriptions
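Review bot: the only substantive change in this description diff is the first hunk, which moves `-it` in front of the image name (`docker run -it ubuntu:noble /bin/bash`); in the old order docker run treats `-it` as the command to execute inside the image, so the interactive session that the following `apt` and `gosu` steps depend on is never opened, and it would help to say so, since the follow-up comment above still uses the old order. The remaining hunks re-add the scout CVE lines with identical text and appear to be whitespace-only. The `pkg:golang/stdlib@1.21.3 ... /usr/sbin/gosu (evident by)` lines show that scout attributes all three CVEs to the Go standard library built into the gosu binary, so the description could state that the expected fix is a gosu package rebuilt with a toolchain at or above the listed fixed versions (1.21.11 and 1.21.12 for the go1.21 branch), not an update of a separate library package.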
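The scout findings above amount to "which Go toolchain built /usr/sbin/gosu, and does that version fall inside each advisory's affected range". The script below is an added example, not part of the bug report and not docker scout's or gosu's own code: it parses the `gosu --version` line that appears in the report and evaluates it against the affected ranges and fixed versions transcribed from the two scans on this page (the go1.21 ranges from the original description, the go1.22 ranges from the follow-up comment). The advisory table is therefore only as complete as this page; the `-0` pre-release suffix in scout's ranges is treated as equivalent to the release bound, which is an assumption.

```python
import re

# Advisory data transcribed from the docker scout output quoted in the bug report.
# Each entry: (CVE, severity, affected ranges as scout printed them). The go1.21
# ranges come from the original description, the go1.22 ranges from the later scan.
ADVISORIES = [
    ("CVE-2024-24790", "CRITICAL", ["<1.21.11", ">=1.22.0-0 <1.22.4"]),
    ("CVE-2024-24791", "HIGH",     ["<1.21.12", ">=1.22.0-0 <1.22.5"]),
    ("CVE-2023-45283", "HIGH",     [">=1.21.0-0 <1.21.4"]),
]

# Matches "go1.22.2" inside a line such as "1.17 (go1.22.2 on linux/arm64; gc)".
_GO_VERSION_RE = re.compile(r"go(\d+)\.(\d+)(?:\.(\d+))?")
# Matches one bound of a range, e.g. ">=1.22.0-0" or "<1.21.11".
_BOUND_RE = re.compile(r"(>=|<=|>|<)\s*(\d+(?:\.\d+)*)(?:-0)?")

_OPS = {
    ">=": lambda a, b: a >= b,
    "<=": lambda a, b: a <= b,
    ">":  lambda a, b: a > b,
    "<":  lambda a, b: a < b,
}


def parse_version(text):
    """'1.22.4' -> (1, 22, 4); missing components are padded with 0."""
    parts = [int(p) for p in text.split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def go_version_from_output(line):
    """Extract the Go toolchain version from a `gosu --version` line."""
    match = _GO_VERSION_RE.search(line)
    if match is None:
        raise ValueError("no Go toolchain version found in %r" % line)
    return (int(match.group(1)), int(match.group(2)), int(match.group(3) or 0))


def in_range(version, spec):
    """True if version satisfies every bound in spec, e.g. '>=1.22.0-0 <1.22.4'.
    Assumption: the '-0' suffix only admits pre-releases below the bound, which a
    released toolchain never is, so the bound is compared as a plain version."""
    bounds = _BOUND_RE.findall(spec)
    if not bounds:
        raise ValueError("unparseable range %r" % spec)
    return all(_OPS[op](version, parse_version(bound)) for op, bound in bounds)


def fixed_version(spec):
    """Scout reports the exclusive upper bound of a range as the fixed version."""
    for op, bound in _BOUND_RE.findall(spec):
        if op == "<":
            return bound
    return None


def applicable_cves(version):
    """[(cve, severity, fixed_version)] for every advisory covering this toolchain."""
    hits = []
    for cve, severity, ranges in ADVISORIES:
        for spec in ranges:
            if in_range(version, spec):
                hits.append((cve, severity, fixed_version(spec)))
                break  # one matching range per advisory is enough
    return hits


def severity_counts(version):
    """Counts in the spirit of scout's '1C 2H' summary, e.g. {'CRITICAL': 1, 'HIGH': 2}."""
    counts = {}
    for _cve, severity, _fixed in applicable_cves(version):
        counts[severity] = counts.get(severity, 0) + 1
    return counts


if __name__ == "__main__":
    # Constructed inputs: the two `gosu --version` lines quoted in the bug report.
    for line in ("1.17 (go1.21.3 on linux/arm64; gc)",
                 "1.17 (go1.22.2 on linux/arm64; gc)"):
        version = go_version_from_output(line)
        print(line, "->", severity_counts(version))
        for cve, severity, fixed in applicable_cves(version):
            print("   ", severity, cve, "fixed in", fixed)
```

Run against the two version lines from the report, the script reproduces scout's summaries (1C 2H for the go1.21.3 build, 1C 1H for the go1.22.2 build) and prints the toolchain version each finding clears at, which is the number to compare against the next gosu package build.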