Python: Vulnerability CVE-2020-1971 found against various alpine versions of python

Created on 15 Dec 2020  路  2Comments  路  Source: docker-library/python

Hi Team,

Vulnerability CVE-2020-1971 (https://nvd.nist.gov/vuln/detail/CVE-2020-1971) found against various alpine versions of python3.7.
I can't find a production image that scans clean nor can I find a way to remediate the vulnerability.

Also, found that there is the below note on the NVD page:
"This vulnerability has been modified since it was last analyzed by the NVD. It is awaiting reanalysis which may result in further changes to the information provided."

Request to provide some help around the resolution of the same.

Thanks,

Most helpful comment

Alpine has updated their base images in https://github.com/docker-library/official-images/pull/9295 and so all official-images FROM alpine (and specifically affecting 3.11 and 3.12) are in process of being rebuilt and pushed to Docker Hub.

All 2 comments

Looks like Alpine's libssl1.1 was patched a few days ago for this https://git.alpinelinux.org/aports/commit/?id=9e04b0fdd0665f27ea5d557286eda64cc877322f

$ docker run -it --rm python:3.7-alpine ash
/ # apk update
fetch http://dl-cdn.alpinelinux.org/alpine/v3.12/main/x86_64/APKINDEX.tar.gz
fetch http://dl-cdn.alpinelinux.org/alpine/v3.12/community/x86_64/APKINDEX.tar.gz
v3.12.2-32-g434125893a [http://dl-cdn.alpinelinux.org/alpine/v3.12/main]
v3.12.2-28-g19bfc5f39e [http://dl-cdn.alpinelinux.org/alpine/v3.12/community]
OK: 12748 distinct packages available
/ # apk upgrade
(1/2) Upgrading libcrypto1.1 (1.1.1g-r0 -> 1.1.1i-r0)
(2/2) Upgrading libssl1.1 (1.1.1g-r0 -> 1.1.1i-r0)
Executing ca-certificates-20191127-r4.trigger
OK: 11 MiB in 35 packages

For the Debian variants Buster and Stretch are still vulnerable

$ docker run -it --rm python:3.7-slim bash
root@ef7241876549:/# apt update
Get:1 http://deb.debian.org/debian buster InRelease [121 kB]
Get:2 http://security.debian.org/debian-security buster/updates InRelease [65.4 kB]
Get:3 http://deb.debian.org/debian buster-updates InRelease [51.9 kB]
Get:4 http://security.debian.org/debian-security buster/updates/main amd64 Packages [255 kB]
Get:5 http://deb.debian.org/debian buster/main amd64 Packages [7907 kB]
Get:6 http://deb.debian.org/debian buster-updates/main amd64 Packages [7856 B]
Fetched 8409 kB in 2s (3487 kB/s)                    
Reading package lists... Done
Building dependency tree       
Reading state information... Done
All packages are up to date.
root@ef7241876549:/# apt upgrade
Reading package lists... Done
Building dependency tree       
Reading state information... Done
Calculating upgrade... Done
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.

There'll be a PR sometime later in https://github.com/docker-library/official-images/labels/library%2Fpython to push the commits

Alpine has updated their base images in https://github.com/docker-library/official-images/pull/9295 and so all official-images FROM alpine (and specifically affecting 3.11 and 3.12) are in process of being rebuilt and pushed to Docker Hub.

Was this page helpful?
0 / 5 - 0 ratings