Php: Patch available for CVE-2020-12464 in Debian releases

Created on 1 Jul 2020 · 2 Comments · Source: docker-library/php

Hey guys,

Currently there is a patch available for CVE-2020-12464, which both php buster and stretch docker images are vulnerable to.

Please apply patches to your Debian instances to fix
https://security-tracker.debian.org/tracker/CVE-2020-12464

Thanks.

question

All 2 comments

Why would a PHP docker image use the USB driver? Also you may want to ping upstream image debian first at https://github.com/debuerreotype/docker-debian-artifacts/issues?q=cve.

Closing since this isn't the proper place for a Debian PSA and, as @phy25 pointed out, this vulnerability is irrelevant in a Docker container environment.

See also https://github.com/docker-library/faq#why-does-my-security-scanner-show-that-an-image-has-so-many-cves
And https://github.com/docker-library/postgres/issues/286#issuecomment-302512767, docker-library/openjdk#161, docker-library/openjdk#112, docker-library/postgres#286, docker-library/drupal#84, docker-library/official-images#2740, docker-library/ruby#117, docker-library/ruby#94, docker-library/python#152, docker-library/php#242, docker-library/buildpack-deps#46, docker-library/openjdk#185.

A CVE doesn't imply having an actual vulnerability, and often is even a false positive (given how most distributions handle versioning/security updates in stable releases). If there are actionable items we can resolve, we're happy to do so (and do so actively). We update all Debian-based images to include any updates in apt packages at least monthly (we regenerate the base images and then rebuild all dependent images).
