Docker: Dockerhub reports 28 vulnerable components

Created on 26 Jan 2019  路  5Comments  路  Source: nextcloud/docker

When logged-in to Dockerhub, when I visit the tags page for Nextcloud, I see a report indicating that all of the current tags have vulnerabilities. I do not see this shown when I am viewing Nextcloud tags as an anonymous user.

image

Digging deeper, Dockerhub indicates "There are 28 vulnerable components":
image

question
Source
picture GuyPaddock

Most helpful comment

This is a community maintained docker image, there is no dedicated security team for this image.
We always do our best to keep all the dependencies up to date. But we have to rely on others to fix security vulnerabilities. For example for CVEs in debian package we rely on the debian security team to fix them.
For nextcloud, php, .. we rely on upstream to fix security vulnerabilities .
You can for example use the debian security-tracker to check if CVEs do really apply or if they are false positives.

picture tilosp on 12 Mar 2019
2

All 5 comments

It would be great to see someone from Nextcloud respond to this, I just saw this and would like to know how you will handle these vulnerabilities.

laurawadden picture laurawadden on 14 Feb 2019

Yes, an explanation would be great!

protree picture protree on 2 Mar 2019

take a look at https://github.com/docker-library/faq#why-does-my-security-scanner-show-that-an-image-has-cves

tilosp picture tilosp on 2 Mar 2019

Right... but what's the official stance on the specific CVEs that have been reported against _this_ image?

GuyPaddock picture GuyPaddock on 5 Mar 2019

This is a community maintained docker image, there is no dedicated security team for this image.
We always do our best to keep all the dependencies up to date. But we have to rely on others to fix security vulnerabilities. For example for CVEs in debian package we rely on the debian security team to fix them.
For nextcloud, php, .. we rely on upstream to fix security vulnerabilities .
You can for example use the debian security-tracker to check if CVEs do really apply or if they are false positives.

tilosp picture tilosp on 12 Mar 2019
2
Was this page helpful?
0 / 5 - 0 ratings

Related issues

raimund-schluessler picture raimund-schluessler  路  3Comments
mahnunchik picture mahnunchik  路  3Comments
pierreozoux picture pierreozoux  路  3Comments
tanja84dk picture tanja84dk  路  3Comments
k1ngf15h3r picture k1ngf15h3r  路  3Comments