Docker-nginx: Docker Hub Showing Vulnerabilities in Images

Created on 1 Aug 2016  路  5Comments  路  Source: nginxinc/docker-nginx

Hi,
https://hub.docker.com/r/library/nginx/tags/1.10.1-alpine/
Are you looking into these ? Is there any plan to fix it ?

openssl 1.0.2h CVE-2016-2177 Critical
openssl:Permissive License CVE-2016-2178 Minor

Thanks

Most helpful comment

That happens because nginx pulls in some dependancies which do not exist in alpine 3.4 image (naturally, those images do not contain all libraries needed to run all software :-) ). Those are still provided by the distribution, so there is no control over them from my side.

Thank you and no worries. Hope this helps.

All 5 comments

For both of those issues, there is no fix published in Debian yet. The Debian security team does not think it warrants an immediate fix: " (Wait until next openssl update round)."

From the RedHat issue: "In summary from one of the upstream developers: This is a LOW issue, and does not justify a release by itself."

There are some others, now. In the latest alpine version (1.11.8), if you expand out the 4th layer in that link, you'll see a long list of vulnerabilities:

libxml2 2.9.4-r0
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4448
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4614
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4616
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4619
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4615
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5131
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9318
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4449
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4447

pcre 8.38-r1
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3210
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5073
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3217

libxslt 1.1.29-r0
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4610
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4612
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4607
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4609
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4608
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2871
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1683
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1684

freetype 2.6.3-r0
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9746
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9747

gdlib 2.2.3-r1
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8670
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9933

perl 5.22.2-r0
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1238
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8853

libgcrypt 1.7.0-r1
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6313

There is no way I as a maintainer of nginx image can fix vulnerabilities present in downstream distributions.

I'm sure I'm missing something, and I'd like to understand this. I'm not trying to be a pain or be rude here, but I apologize if this is just a hassle for you.

If the nginx docker image tagged 1.11.8-alpine is listing vulnerabilities, and that image inherits from alpine 3.4, and the alpine-3.4 scan does not list those vulnerabilities... Then aren't those vulnerabilities coming from somewhere in the nginx Dockerfile?

Thanks for your work on this image, and whatever you can do to help me better understand this situation.

That happens because nginx pulls in some dependancies which do not exist in alpine 3.4 image (naturally, those images do not contain all libraries needed to run all software :-) ). Those are still provided by the distribution, so there is no control over them from my side.

Thank you and no worries. Hope this helps.

Was this page helpful?
0 / 5 - 0 ratings