Hi,
https://hub.docker.com/r/library/nginx/tags/1.10.1-alpine/
Are you looking into these ? Is there any plan to fix it ?
openssl 1.0.2h CVE-2016-2177 Critical
openssl:Permissive License CVE-2016-2178 Minor
Thanks
For both of those issues, there is no fix published in Debian yet. The Debian security team does not think it warrants an immediate fix: "
From the RedHat issue: "In summary from one of the upstream developers: This is a LOW issue, and does not justify a release by itself."
There are some others, now. In the latest alpine version (1.11.8), if you expand out the 4th layer in that link, you'll see a long list of vulnerabilities:
libxml2 2.9.4-r0
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4448
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4614
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4616
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4619
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4615
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5131
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9318
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4449
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4447
pcre 8.38-r1
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3210
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5073
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3217
libxslt 1.1.29-r0
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4610
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4612
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4607
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4609
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4608
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2871
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1683
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1684
freetype 2.6.3-r0
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9746
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9747
gdlib 2.2.3-r1
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8670
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9933
perl 5.22.2-r0
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1238
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8853
libgcrypt 1.7.0-r1
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6313
There is no way I as a maintainer of nginx image can fix vulnerabilities present in downstream distributions.
I'm sure I'm missing something, and I'd like to understand this. I'm not trying to be a pain or be rude here, but I apologize if this is just a hassle for you.
If the nginx docker image tagged 1.11.8-alpine is listing vulnerabilities, and that image inherits from alpine 3.4, and the alpine-3.4 scan does not list those vulnerabilities... Then aren't those vulnerabilities coming from somewhere in the nginx Dockerfile?
Thanks for your work on this image, and whatever you can do to help me better understand this situation.
That happens because nginx pulls in some dependancies which do not exist in alpine 3.4 image (naturally, those images do not contain all libraries needed to run all software :-) ). Those are still provided by the distribution, so there is no control over them from my side.
Thank you and no worries. Hope this helps.
Most helpful comment
That happens because nginx pulls in some dependancies which do not exist in alpine 3.4 image (naturally, those images do not contain all libraries needed to run all software :-) ). Those are still provided by the distribution, so there is no control over them from my side.
Thank you and no worries. Hope this helps.