
Add an ubuntu-base build #188

Closed
wants to merge 21 commits into from

olegabr (Author) commented Jul 1, 2016

Only the last LTS ubuntu release xenial is supported, and only the mysql 5.7 version that xenial natively supports.

olegabr (Author) commented Jul 1, 2016

build matrix is wrong. will fix that.

yosifkit (Member) commented Jul 1, 2016

I think this comment applies here as well.

ltangvald (Collaborator) commented

Also, you're installing the Ubuntu native 5.7 package, rather than the one from repo.mysql.com. While I'm fairly confident about the quality (I'm on the packaging team for the native packages), they will not be in sync with repo.mysql.com version-wise, and may have differences in the default configuration.

olegabr (Author) commented Jul 4, 2016

@ltangvald I've failed to find the 5.7 version on repo.mysql.com suited for the Ubuntu xenial distro. Can you please point me to this?

ltangvald (Collaborator) commented

5.7.12 was not released for Xenial on repo.mysql.com, as Xenial was released after 5.7.12, but 5.7.13 should be available as normal.

olegabr (Author) commented Jul 4, 2016

Found it here: http://repo.mysql.com/apt/ubuntu/pool/mysql-5.7/m/mysql-community/
Thank you for the suggestion!

olegabr and others added 12 commits July 4, 2016 18:07
in order to expose it to the host system if you want
permission problems in other case
in order to expose it to the host system if you want
permission problems in other case
log-error returns stderr
same as here: docker-library#78

```
[ERROR] --initialize specified but the data directory has files in it. Aborting.
```
yosifkit (Member) commented Sep 9, 2016

I've just commented on docker-library/memcached#9 (comment) with a similar proposal. TLDR: it shouldn't matter what distro the images provide for a service like MySQL.

With https://github.com/mysql/mysql-docker, the MySQL build team is providing Oracle Linux based images, and I had suggested slowly moving the images in this repo to be Oracle Linux only: #168 (comment).

In summary, I am -1 on an Ubuntu based image, but would like to work toward merging docker-library/mysql and mysql/mysql-docker, so it is really up to @ltangvald and what the mysql community wants to support.

yosifkit (Member) commented

Closing based on my last comment, but feel free to comment if you feel this was closed in error.

@yosifkit yosifkit closed this Feb 23, 2017
eggsbenjamin commented

@yosifkit

> TLDR: it shouldn't matter what distro the images provide for a service like MySQL.

It shouldn't, but given the number of HIGH and CRITICAL vulnerabilities in the Debian base images and the time that it takes the Debian security team to patch them, maybe an Ubuntu-based image may be applicable for users with hard security requirements?

docker.io/library/debian:buster-slim (debian 10.9)
==================================================
Total: 95 (UNKNOWN: 0, LOW: 65, MEDIUM: 8, HIGH: 20, CRITICAL: 2)

+----------------+---------------------+----------+-------------------+---------------+
|    LIBRARY     |  VULNERABILITY ID   | SEVERITY | INSTALLED VERSION | FIXED VERSION |
+----------------+---------------------+----------+-------------------+---------------+
| apt            | CVE-2011-3374       | LOW      | 1.8.2.2           |               |
+----------------+---------------------+          +-------------------+---------------+
| bash           | CVE-2019-18276      |          | 5.0-4             |               |
+                +---------------------+          +                   +---------------+
|                | TEMP-0841856-B18BAF |          |                   |               |
+----------------+---------------------+          +-------------------+---------------+
| coreutils      | CVE-2016-2781       |          | 8.30-3            |               |
+                +---------------------+          +                   +---------------+
|                | CVE-2017-18018      |          |                   |               |
+----------------+---------------------+----------+-------------------+---------------+
| gcc-8-base     | CVE-2018-12886      | HIGH     | 8.3.0-6           |               |
+                +---------------------+          +                   +---------------+
|                | CVE-2019-15847      |          |                   |               |
+----------------+---------------------+----------+-------------------+---------------+
| gpgv           | CVE-2019-14855      | LOW      | 2.2.12-1+deb10u1  |               |
+----------------+---------------------+          +-------------------+---------------+
| libapt-pkg5.0  | CVE-2011-3374       |          | 1.8.2.2           |               |
+----------------+---------------------+----------+-------------------+---------------+
| libc-bin       | CVE-2020-1751       | HIGH     | 2.28-10           |               |
+                +---------------------+          +                   +---------------+
|                | CVE-2020-1752       |          |                   |               |
+                +---------------------+          +                   +---------------+
|                | CVE-2021-3326       |          |                   |               |
+                +---------------------+----------+                   +---------------+
|                | CVE-2019-25013      | MEDIUM   |                   |               |
+                +---------------------+          +                   +---------------+
|                | CVE-2020-10029      |          |                   |               |
+                +---------------------+          +                   +---------------+
|                | CVE-2020-27618      |          |                   |               |
+                +---------------------+----------+                   +---------------+
|                | CVE-2010-4051       | LOW      |                   |               |
+                +---------------------+          +                   +---------------+
|                | CVE-2010-4052       |          |                   |               |
+                +---------------------+          +                   +---------------+
|                | CVE-2010-4756       |          |                   |               |
+                +---------------------+          +                   +---------------+
|                | CVE-2016-10228      |          |                   |               |
+                +---------------------+          +                   +---------------+
|                | CVE-2018-20796      |          |                   |               |
+                +---------------------+          +                   +---------------+
|                | CVE-2019-1010022    |          |                   |               |
+                +---------------------+          +                   +---------------+
|                | CVE-2019-1010023    |          |                   |               |
+                +---------------------+          +                   +---------------+
|                | CVE-2019-1010024    |          |                   |               |
+                +---------------------+          +                   +---------------+
|                | CVE-2019-1010025    |          |                   |               |
+                +---------------------+          +                   +---------------+
|                | CVE-2019-19126      |          |                   |               |
+                +---------------------+          +                   +---------------+
|                | CVE-2019-9192       |          |                   |               |
+                +---------------------+          +                   +---------------+
|                | CVE-2020-6096       |          |                   |               |
+                +---------------------+          +                   +---------------+
|                | CVE-2021-27645      |          |                   |               |
+----------------+---------------------+----------+                   +---------------+
| libc6          | CVE-2020-1751       | HIGH     |                   |               |
+                +---------------------+          +                   +---------------+
|                | CVE-2020-1752       |          |                   |               |
+                +---------------------+          +                   +---------------+
|                | CVE-2021-3326       |          |                   |               |
+                +---------------------+----------+                   +---------------+
|                | CVE-2019-25013      | MEDIUM   |                   |               |
+                +---------------------+          +                   +---------------+
|                | CVE-2020-10029      |          |                   |               |
+                +---------------------+          +                   +---------------+
|                | CVE-2020-27618      |          |                   |               |
+                +---------------------+----------+                   +---------------+
|                | CVE-2010-4051       | LOW      |                   |               |
+                +---------------------+          +                   +---------------+
|                | CVE-2010-4052       |          |                   |               |
+                +---------------------+          +                   +---------------+
|                | CVE-2010-4756       |          |                   |               |
+                +---------------------+          +                   +---------------+
|                | CVE-2016-10228      |          |                   |               |
+                +---------------------+          +                   +---------------+
|                | CVE-2018-20796      |          |                   |               |
+                +---------------------+          +                   +---------------+
|                | CVE-2019-1010022    |          |                   |               |
+                +---------------------+          +                   +---------------+
|                | CVE-2019-1010023    |          |                   |               |
+                +---------------------+          +                   +---------------+
|                | CVE-2019-1010024    |          |                   |               |
+                +---------------------+          +                   +---------------+
|                | CVE-2019-1010025    |          |                   |               |
+                +---------------------+          +                   +---------------+
|                | CVE-2019-19126      |          |                   |               |
+                +---------------------+          +                   +---------------+
|                | CVE-2019-9192       |          |                   |               |
+                +---------------------+          +                   +---------------+
|                | CVE-2020-6096       |          |                   |               |
+                +---------------------+          +                   +---------------+
|                | CVE-2021-27645      |          |                   |               |
+----------------+---------------------+----------+-------------------+---------------+
| libgcc1        | CVE-2018-12886      | HIGH     | 8.3.0-6           |               |
+                +---------------------+          +                   +---------------+
|                | CVE-2019-15847      |          |                   |               |
+----------------+---------------------+----------+-------------------+---------------+
| libgcrypt20    | CVE-2019-13627      | MEDIUM   | 1.8.4-5           |               |
+                +---------------------+----------+                   +---------------+
|                | CVE-2018-6829       | LOW      |                   |               |
+----------------+---------------------+----------+-------------------+---------------+
| libgnutls30    | CVE-2021-20231      | CRITICAL | 3.6.7-4+deb10u6   |               |
+                +---------------------+          +                   +---------------+
|                | CVE-2021-20232      |          |                   |               |
+                +---------------------+----------+                   +---------------+
|                | CVE-2020-24659      | HIGH     |                   |               |
+                +---------------------+----------+                   +---------------+
|                | CVE-2011-3389       | LOW      |                   |               |
+----------------+---------------------+----------+-------------------+---------------+
| libhogweed4    | CVE-2021-20305      | HIGH     | 3.4.1-1           |               |
+----------------+---------------------+          +-------------------+---------------+
| libidn2-0      | CVE-2019-12290      |          | 2.0.5-1+deb10u1   |               |
+----------------+---------------------+----------+-------------------+---------------+
| liblz4-1       | CVE-2019-17543      | LOW      | 1.8.3-1           |               |
+----------------+---------------------+----------+-------------------+---------------+
| libnettle6     | CVE-2021-20305      | HIGH     | 3.4.1-1           |               |
+----------------+---------------------+----------+-------------------+---------------+
| libpcre3       | CVE-2020-14155      | MEDIUM   | 2:8.39-12         |               |
+                +---------------------+----------+                   +---------------+
|                | CVE-2017-11164      | LOW      |                   |               |
+                +---------------------+          +                   +---------------+
|                | CVE-2017-16231      |          |                   |               |
+                +---------------------+          +                   +---------------+
|                | CVE-2017-7245       |          |                   |               |
+                +---------------------+          +                   +---------------+
|                | CVE-2017-7246       |          |                   |               |
+                +---------------------+          +                   +---------------+
|                | CVE-2019-20838      |          |                   |               |
+----------------+---------------------+          +-------------------+---------------+
| libseccomp2    | CVE-2019-9893       |          | 2.3.3-4           |               |
+----------------+---------------------+----------+-------------------+---------------+
| libstdc++6     | CVE-2018-12886      | HIGH     | 8.3.0-6           |               |
+                +---------------------+          +                   +---------------+
|                | CVE-2019-15847      |          |                   |               |
+----------------+---------------------+          +-------------------+---------------+
| libsystemd0    | CVE-2019-3843       |          | 241-7~deb10u7     |               |
+                +---------------------+          +                   +---------------+
|                | CVE-2019-3844       |          |                   |               |
+                +---------------------+----------+                   +---------------+
|                | CVE-2013-4392       | LOW      |                   |               |
+                +---------------------+          +                   +---------------+
|                | CVE-2019-20386      |          |                   |               |
+                +---------------------+          +                   +---------------+
|                | CVE-2020-13776      |          |                   |               |
+----------------+---------------------+          +-------------------+---------------+
| libtasn1-6     | CVE-2018-1000654    |          | 4.13-3            |               |
+----------------+---------------------+----------+-------------------+---------------+
| libudev1       | CVE-2019-3843       | HIGH     | 241-7~deb10u7     |               |
+                +---------------------+          +                   +---------------+
|                | CVE-2019-3844       |          |                   |               |
+                +---------------------+----------+                   +---------------+
|                | CVE-2013-4392       | LOW      |                   |               |
+                +---------------------+          +                   +---------------+
|                | CVE-2019-20386      |          |                   |               |
+                +---------------------+          +                   +---------------+
|                | CVE-2020-13776      |          |                   |               |
+----------------+---------------------+          +-------------------+---------------+
| login          | CVE-2007-5686       |          | 1:4.5-1.1         |               |
+                +---------------------+          +                   +---------------+
|                | CVE-2013-4235       |          |                   |               |
+                +---------------------+          +                   +---------------+
|                | CVE-2018-7169       |          |                   |               |
+                +---------------------+          +                   +---------------+
|                | CVE-2019-19882      |          |                   |               |
+                +---------------------+          +                   +---------------+
|                | TEMP-0628843-DBAD28 |          |                   |               |
+----------------+---------------------+          +                   +---------------+
| passwd         | CVE-2007-5686       |          |                   |               |
+                +---------------------+          +                   +---------------+
|                | CVE-2013-4235       |          |                   |               |
+                +---------------------+          +                   +---------------+
|                | CVE-2018-7169       |          |                   |               |
+                +---------------------+          +                   +---------------+
|                | CVE-2019-19882      |          |                   |               |
+                +---------------------+          +                   +---------------+
|                | TEMP-0628843-DBAD28 |          |                   |               |
+----------------+---------------------+          +-------------------+---------------+
| perl-base      | CVE-2011-4116       |          | 5.28.1-6+deb10u1  |               |
+----------------+---------------------+          +-------------------+---------------+
| sysvinit-utils | TEMP-0517018-A83CE6 |          | 2.93-8            |               |
+----------------+---------------------+          +-------------------+---------------+
| tar            | CVE-2005-2541       |          | 1.30+dfsg-6       |               |
+                +---------------------+          +                   +---------------+
|                | CVE-2019-9923       |          |                   |               |
+                +---------------------+          +                   +---------------+
|                | CVE-2021-20193      |          |                   |               |
+                +---------------------+          +                   +---------------+
|                | TEMP-0290435-0B57B5 |          |                   |               |
+----------------+---------------------+----------+-------------------+---------------+
docker.io/library/ubuntu:20.04 (ubuntu 20.04)
=============================================
Total: 26 (UNKNOWN: 0, LOW: 22, MEDIUM: 4, HIGH: 0, CRITICAL: 0)

+-------------+------------------+----------+------------------------+------------------------------+
|   LIBRARY   | VULNERABILITY ID | SEVERITY |   INSTALLED VERSION    |        FIXED VERSION         |
+-------------+------------------+----------+------------------------+------------------------------+
| bash        | CVE-2019-18276   | LOW      | 5.0-6ubuntu1.1         |                              |
+-------------+------------------+          +------------------------+------------------------------+
| coreutils   | CVE-2016-2781    |          | 8.30-3ubuntu2          |                              |
+-------------+------------------+          +------------------------+------------------------------+
| gpgv        | CVE-2019-13050   |          | 2.2.19-3ubuntu2.1      |                              |
+-------------+------------------+          +------------------------+------------------------------+
| libc-bin    | CVE-2016-10228   |          | 2.31-0ubuntu9.2        |                              |
+             +------------------+          +                        +------------------------------+
|             | CVE-2019-25013   |          |                        |                              |
+             +------------------+          +                        +------------------------------+
|             | CVE-2020-27618   |          |                        |                              |
+             +------------------+          +                        +------------------------------+
|             | CVE-2020-29562   |          |                        |                              |
+             +------------------+          +                        +------------------------------+
|             | CVE-2020-6096    |          |                        |                              |
+-------------+------------------+          +                        +------------------------------+
| libc6       | CVE-2016-10228   |          |                        |                              |
+             +------------------+          +                        +------------------------------+
|             | CVE-2019-25013   |          |                        |                              |
+             +------------------+          +                        +------------------------------+
|             | CVE-2020-27618   |          |                        |                              |
+             +------------------+          +                        +------------------------------+
|             | CVE-2020-29562   |          |                        |                              |
+             +------------------+          +                        +------------------------------+
|             | CVE-2020-6096    |          |                        |                              |
+-------------+------------------+          +------------------------+------------------------------+
| libgcrypt20 | CVE-2019-12904   |          | 1.8.5-5ubuntu1         |                              |
+-------------+------------------+          +------------------------+------------------------------+
| libgnutls30 | CVE-2021-20231   |          | 3.6.13-2ubuntu1.3      |                              |
+             +------------------+          +                        +------------------------------+
|             | CVE-2021-20232   |          |                        |                              |
+-------------+------------------+----------+------------------------+------------------------------+
| libhogweed5 | CVE-2021-20305   | MEDIUM   | 3.5.1+really3.5.1-2    | 3.5.1+really3.5.1-2ubuntu0.1 |
+-------------+                  +          +                        +                              +
| libnettle7  |                  |          |                        |                              |
+-------------+------------------+----------+------------------------+------------------------------+
| libpcre3    | CVE-2017-11164   | LOW      | 2:8.39-12build1        |                              |
+             +------------------+          +                        +------------------------------+
|             | CVE-2019-20838   |          |                        |                              |
+             +------------------+          +                        +------------------------------+
|             | CVE-2020-14155   |          |                        |                              |
+-------------+------------------+----------+------------------------+------------------------------+
| libsystemd0 | CVE-2018-20839   | MEDIUM   | 245.4-4ubuntu3.5       |                              |
+-------------+------------------+----------+------------------------+------------------------------+
| libtasn1-6  | CVE-2018-1000654 | LOW      | 4.16.0-2               |                              |
+-------------+------------------+----------+------------------------+------------------------------+
| libudev1    | CVE-2018-20839   | MEDIUM   | 245.4-4ubuntu3.5       |                              |
+-------------+------------------+----------+------------------------+------------------------------+
| login       | CVE-2013-4235    | LOW      | 1:4.8.1-1ubuntu5.20.04 |                              |
+-------------+                  +          +                        +------------------------------+
| passwd      |                  |          |                        |                              |
+-------------+------------------+----------+------------------------+------------------------------+

tianon (Member) commented Apr 16, 2021

As you can see from the Debian Security Team's notes below, the majority of these are either minor issues, not security issues, or do not apply, so the reason the list is so long is exactly because the Debian Security Team is so diligent, coupled with the security scanning tools not parsing the (admittedly somewhat free-form) metadata appropriately to tag these properly in the same way that Red Hat would mark them "WONTFIX", for example.

It is definitely untrue to imply that the Debian Security Team is any less aggressive or proactive than that of Ubuntu (in fact, there's even overlap on the teams, given Ubuntu is based on Debian, so it's in their best interest to make sure the problems are resolved in Debian as well).


This is intended behaviour, after all tar is an archiving tool and you
need to give -p as a command line flag
See #290803, on Debian LOG_UNKFAIL_ENAB in login.defs is set to no so
unknown usernames are not recorded on login failures
Deficiency in the regexp engine of glibc, while there implementations which
process such expressions more efficiently, imposing a limit lies within
the application accepting it from user input
Deficiency in the regexp engine of glibc, while there implementations which
process such expressions more efficiently, imposing a limit lies within
the application accepting it from user input
That's standard POSIX behaviour implemented by (e)glibc. Applications using
glob need to impose limits for themselves
Not exploitable in Debian, since no keyring URI is defined

The SSL protocol, as used in certain configurations in Microsoft Windows and Microsoft Internet Explorer, Mozilla Firefox, Google Chrome, Opera, and other products, encrypts data by using CBC mode with chained initialization vectors, which allows man-in-the-middle attackers to obtain plaintext HTTP headers via a blockwise chosen-boundary attack (BCBA) on an HTTPS session, in conjunction with JavaScript code that uses (1) the HTML5 WebSocket API, (2) the Java URLConnection API, or (3) the Silverlight WebClient API, aka a "BEAST" attack.

_is_safe in the File::Temp module for Perl does not properly handle symlinks.

https://bugs.debian.org/776268
Perl-Toolchain-Gang/File-Temp#14

shadow: TOCTOU (time-of-check time-of-use) race condition when copying and removing directory trees

Urgency: unimportant

https://bugs.debian.org/778950

[wheezy] - systemd <not-affected> (/etc/tmpfiles.d not supported in Wheezy)
https://bugzilla.redhat.com/show_bug.cgi?id=859060
only relevant to systems running systemd along with selinux
[buster] - glibc <no-dsa> (Minor issue)
[stretch] - glibc <no-dsa> (Minor issue)
[jessie] - glibc <no-dsa> (Minor issue)
[wheezy] - eglibc <no-dsa> (Minor issue)
https://sourceware.org/bugzilla/show_bug.cgi?id=19519
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=91927b7c76437db860cd86a7714476b56bb39d07
[bullseye] - coreutils <ignored> (Minor issue)
[buster] - coreutils <ignored> (Minor issue)
[stretch] - coreutils <ignored> (Minor issue)
[jessie] - coreutils <ignored> (Minor issue)
[wheezy] - coreutils <ignored> (Minor issue)
Restricting ioctl on the kernel side seems the better approach, but rejected by Linux upstream
Fixing this issue via setsid() would introduce regressions:
https://www.kernel.org/pub/linux/utils/util-linux/v2.28/v2.28-ReleaseNotes
http://openwall.com/lists/oss-security/2017/07/11/3

In PCRE 8.41, the OP_KETRMAX feature in the match function in pcre_exec.c allows stack exhaustion (uncontrolled recursion) when processing a crafted regular expression.

Urgency: unimportant

** DISPUTED ** ...
http://lists.gnu.org/archive/html/coreutils/2017-12/msg00045.html
https://www.openwall.com/lists/oss-security/2018/01/04/3
Documentation patches proposed:
https://lists.gnu.org/archive/html/coreutils/2017-12/msg00072.html
https://lists.gnu.org/archive/html/coreutils/2017-12/msg00073.html
Neutralised by kernel hardening
[jessie] - pcre3 <no-dsa> (Minor issue; 32bit character support not enabled)
[wheezy] - pcre3 <not-affected> (Vulnerable code not present)
https://bugs.exim.org/show_bug.cgi?id=2055
https://blogs.gentoo.org/ago/2017/03/20/libpcre-two-stack-based-buffer-overflow-write-in-pcre32_copy_substring-pcre_get-c/
pcre32 support enabled only in pcre3/1:8.35-4
Fixed by: http://vcs.pcre.org/pcre?view=revision&revision=1691 (8.41)
[jessie] - pcre3 <no-dsa> (Minor issue; 32bit character support not enabled)
[wheezy] - pcre3 <not-affected> (Vulnerable code not present)
https://bugs.exim.org/show_bug.cgi?id=2057
https://blogs.gentoo.org/ago/2017/03/20/libpcre-two-stack-based-buffer-overflow-write-in-pcre32_copy_substring-pcre_get-c/
pcre32 support enabled only in pcre3/1:8.35-4
Fixed by: http://vcs.pcre.org/pcre?view=revision&revision=1691 (8.41)
https://gitlab.com/gnutls/libtasn1/issues/4
No security impact, does not affect libtasn, but only the asn1Parser from
libtasn1-bin
[bullseye] - gcc-8 <ignored> (Too intrusive to backport)
[buster] - gcc-8 <ignored> (Too intrusive to backport)
[buster] - gcc-7 <ignored> (Too intrusive to backport)
[stretch] - gcc-6 <ignored> (Too intrusive to backport)
[jessie] - gcc-4.9 <ignored> (Too intrusive to backport)
[jessie] - gcc-4.8 <ignored> (Too intrusive to backport)
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=85434
https://gcc.gnu.org/git/?p=gcc.git&a=commit;h=89d7557202d25a393666ac4c0f7dbdab31e452a2
https://debbugs.gnu.org/cgi/bugreport.cgi?bug=34141
https://lists.gnu.org/archive/html/bug-gnulib/2019-01/msg00108.html
No treated as vulnerability: https://sourceware.org/glibc/wiki/Security%20Exceptions
https://github.com/weikengchen/attack-on-libgcrypt-elgamal
https://github.com/weikengchen/attack-on-libgcrypt-elgamal/wiki
https://lists.gnupg.org/pipermail/gcrypt-devel/2018-February/004394.html
GnuPG uses ElGamal in hybrid mode only.
This is not a vulnerability in libgcrypt, but in an application using
it in an insecure manner, see also
https://lists.gnupg.org/pipermail/gcrypt-devel/2018-February/004401.html
[buster] - shadow <no-dsa> (Minor issue)
[stretch] - shadow <no-dsa> (Minor issue)
[jessie] - shadow <no-dsa> (Minor issue)
[wheezy] - shadow <no-dsa> (Minor issue)
https://bugs.launchpad.net/ubuntu/+source/shadow/+bug/1729357
https://github.com/shadow-maint/shadow/pull/97
Not treated as a security issue by upstream
https://sourceware.org/bugzilla/show_bug.cgi?id=22850
Not treated as a security issue by upstream
https://sourceware.org/bugzilla/show_bug.cgi?id=22851
Not treated as a security issue by upstream
https://sourceware.org/bugzilla/show_bug.cgi?id=22852
Not treated as a security issue by upstream
https://sourceware.org/bugzilla/show_bug.cgi?id=22853
[buster] - libidn2 <no-dsa> (Minor issue; intrusive to backport)
https://gitlab.com/libidn/libidn2/commit/241e8f486134793cb0f4a5b0e5817a97883401f5 (2.2.0)
https://gitlab.com/libidn/libidn2/merge_requests/71
[buster] - libgcrypt20 <no-dsa> (Minor issue)
[stretch] - libgcrypt20 <no-dsa> (Minor issue)
https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=commit;h=b9577f7c89b4327edc09f2231bc8b31521102c79 (master)
https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=commit;h=7c2943309d14407b51c8166c4dcecb56a3628567 (master)
https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=commit;h=d5407b78cca9f9d318a4f4d2f6ba2b8388584cd9 (1.8.5)
https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=commit;h=db4e9976cc31b314aafad6626b2894e86ee44d60 (1.8.5)
[buster] - gnupg2 <ignored> (Minor issue)
[stretch] - gnupg2 <no-dsa> (Minor issue)
[jessie] - gnupg2 <ignored> (No backport to version << 2.2.x, low impact, danger of breaking things)
[bullseye] - gnupg1 <ignored> (Minor issue)
[buster] - gnupg1 <ignored> (Minor issue)
[stretch] - gnupg1 <no-dsa> (Minor issue)
[jessie] - gnupg <ignored> (No backport to version << 2.2.x, low impact, danger of breaking things)
https://dev.gnupg.org/T4755
https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commit;h=c4f2d9e3e1d77d2f1f168764fcdfed32f7d1dfc4
https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commit;h=7d9aad63c4f1aefe97da61baf5acd96c12c0278e
https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commit;h=dd18be979e138dd3712315ee390463e8ee1fe8c1
https://eprint.iacr.org/2020/014.pdf
[buster] - gcc-7 <ignored> (minor issue, affects only POWER9 binaries)
[buster] - gcc-8 <ignored> (minor issue, affects only POWER9 binaries)
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=91481
[buster] - lz4 <ignored> (Minor issue)
[stretch] - lz4 <ignored> (Minor issue)
[jessie] - lz4 <no-dsa> (Very hard to exploit, low risk)
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=15941
https://github.com/lz4/lz4/pull/756
https://github.com/lz4/lz4/pull/760
https://git.savannah.gnu.org/cgit/bash.git/commit/?h=devel&id=951bdaad7a18cc0dc1036bba86b18b90874d39ff
https://savannah.gnu.org/patch/?9822
https://bugzilla.suse.com/show_bug.cgi?id=1158028
Negligible security impact
[buster] - glibc <no-dsa> (Minor issue)
[stretch] - glibc <no-dsa> (Minor issue)
[jessie] - glibc <not-affected> (Vulnerable code introduced in 2.23)
https://sourceware.org/bugzilla/show_bug.cgi?id=25204
Introduced by: https://sourceware.org/git/gitweb.cgi?p=glibc.git;a=object;h=b9eb92ab05204df772eb4929eccd018637c9f3e9
Fixed by: https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=d5dfad4326fc683c813df1e37bbf5cf920591c8e
https://github.com/shadow-maint/shadow/pull/199
https://bugs.archlinux.org/task/64836
https://bugs.gentoo.org/702252
Debian builds are compiled using -with-libpam and explicitly passing
--disable-account-tools-setuid.
https://github.com/systemd/systemd/commit/b2774a3ae692113e1f47a336a6c09bac9cfb49ad
Negligible security impact, requires root or physical access to plug in a device,
at which point you can just as well DoS the computer with a hammer instead
Fixed by: https://vcs.pcre.org/pcre?view=revision&revision=1740 (8.43)
Only an issue when UTF support disabled
[buster] - glibc <no-dsa> (Minor issue)
[stretch] - glibc <postponed> (Minor issue; can be fixed in next update)
https://sourceware.org/bugzilla/show_bug.cgi?id=24973
Fixed by: https://sourceware.org/git/?p=glibc.git;a=commit;h=ee7a3144c9922808181009b7b3e50e852fb4999b
[buster] - systemd <ignored> (Minor issue; exploit vector needs control both of the service and a helper outside)
[stretch] - systemd <ignored> (Minor issue; exploit vector needs control both of the service and a helper outside)
[jessie] - systemd <not-affected> (Vulnerable code introduced later)
https://github.com/systemd/systemd/commit/3c27973b13724ede05a06a5d346a569794cda433
https://github.com/systemd/systemd/commit/f69567cbe26d09eac9d387c0be0fc32c65a83ada
https://github.com/systemd/systemd/commit/9d880b70ba5c6ca83c82952f4c90e86e56c7b70c
https://github.com/systemd/systemd/commit/7445db6eb70e8d5989f481d0c5a08ace7047ae5b
https://github.com/systemd/systemd/commit/62aa29247c3d74bcec0607c347f2be23cd90675d
https://github.com/systemd/systemd/commit/bf65b7e0c9fc215897b676ab9a7c9d1c688143ba
https://bugs.chromium.org/p/project-zero/issues/detail?id=1771
https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1814596
https://github.com/systemd/systemd-stable/pull/54 (backport for v241-stable)
[buster] - systemd <ignored> (Minor issue; exploit vector needs control both of the service and a helper outside)
[stretch] - systemd <ignored> (Minor issue; exploit vector needs control both of the service and a helper outside)
[jessie] - systemd <not-affected> (Vulnerable code introduced later)
https://bugzilla.redhat.com/show_bug.cgi?id=1684610
https://github.com/systemd/systemd/commit/bf65b7e0c9fc215897b676ab9a7c9d1c688143ba
https://bugs.chromium.org/p/project-zero/issues/detail?id=1771
https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1814596
** DISPUTED ** ...
https://github.com/seccomp/libseccomp/issues/139
No security issue by itself
http://git.savannah.gnu.org/cgit/tar.git/commit/?id=cb07844454d8cc9fb21f53ace75975f91185a120
http://savannah.gnu.org/bugs/?55369 (private)
https://bugs.launchpad.net/ubuntu/+source/tar/+bug/1810241
Crash in CLI tool, no security impact
[buster] - glibc <no-dsa> (Minor issue)
[stretch] - glibc <no-dsa> (Minor issue)
[jessie] - glibc <no-dsa> (Minor issue)
https://sourceware.org/bugzilla/show_bug.cgi?id=25487
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=9333498794cde1d5cca518badf79533a24114b6f
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=c10acd40262486dac597001aecc20ad9d3bd0e4a

systemd through v245 mishandles numerical usernames such as ones composed of decimal digits or 0x followed by hex digits, as demonstrated by use of root privileges when privileges of the 0x0 user account were intended.

[buster] - pcre3 <no-dsa> (Minor issue)
[stretch] - pcre3 <no-dsa> (Minor issue)
[jessie] - pcre3 <no-dsa> (Minor issue)
https://bugs.exim.org/show_bug.cgi?id=2463
Fixed by: https://vcs.pcre.org/pcre?view=revision&revision=1761 (8.44)
[buster] - glibc <no-dsa> (Minor issue)
[stretch] - glibc <no-dsa> (Minor issue)
[jessie] - glibc <no-dsa> (Minor issue)
https://sourceware.org/bugzilla/show_bug.cgi?id=25423
Fixed by: https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=d93769405996dfc11d216ddbe415946617b5a494
[buster] - glibc <no-dsa> (Minor issue)
[stretch] - glibc <no-dsa> (Minor issue)
[jessie] - glibc <no-dsa> (Minor issue)
https://sourceware.org/bugzilla/show_bug.cgi?id=25414
Introduced in: https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=f2962a71959fd254a7a223437ca4b63b9e81130c (2.14)
Fixed by: https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=ddc650e9b3dc916eab417ce9f79e67337b05035c
[buster] - gnutls28 <no-dsa> (Minor issue)
[stretch] - gnutls28 <not-affected> (Vulnerable code introduced later)
https://www.gnutls.org/security-new.html#GNUTLS-SA-2020-09-04
https://gitlab.com/gnutls/gnutls/-/issues/1071
https://gitlab.com/gnutls/gnutls/-/commit/29ee67c205855e848a0a26e6d0e4f65b6b943e0a
[buster] - glibc <no-dsa> (Minor issue)
[stretch] - glibc <no-dsa> (Minor issue)
https://sourceware.org/bugzilla/show_bug.cgi?id=26224
https://sourceware.org/git/?p=glibc.git;a=commit;h=9a99c682144bdbd40792ebf822fe9264e0376fb5
[buster] - glibc <no-dsa> (Minor issue)
[stretch] - glibc <no-dsa> (Minor issue)
[jessie] - glibc <not-affected> (Vulnerable code not present)
https://sourceware.org/bugzilla/show_bug.cgi?id=25620
https://talosintelligence.com/vulnerability_reports/TALOS-2020-1019
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=beea361050728138b82c57dda0c4810402d342b9
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=79a4fa341b8a89cb03f84564fd72abaa1a2db394
https://savannah.gnu.org/bugs/?59897
https://git.savannah.gnu.org/cgit/tar.git/commit/?id=d9d4435692150fa8ff68e1b1a473d187cc3fd777
Memory leak in CLI tool, no security impact
[buster] - gnutls28 <no-dsa> (Minor issue)
[stretch] - gnutls28 <not-affected> (Vulnerable code introduced later)
https://www.gnutls.org/security-new.html#GNUTLS-SA-2021-03-10
https://gitlab.com/gnutls/gnutls/-/issues/1151
[buster] - gnutls28 <no-dsa> (Minor issue)
[stretch] - gnutls28 <not-affected> (Vulnerable code introduced later)
https://www.gnutls.org/security-new.html#GNUTLS-SA-2021-03-10
https://gitlab.com/gnutls/gnutls/-/issues/1151
[buster] - nettle <no-dsa> (Minor issue)
[stretch] - nettle <postponed> (Minor issue; can be fixed in next update)
https://lists.lysator.liu.se/pipermail/nettle-bugs/2021/009457.html
New functions ecc_mod_mul_canonical and ecc_mod_sqr_canonical:
https://git.lysator.liu.se/nettle/nettle/-/commit/a63893791280d441c713293491da97c79c0950fe
Use ecc_mod_mul_canonical for point comparison:
https://git.lysator.liu.se/nettle/nettle/-/commit/971bed6ab4b27014eb23085e8176917e1a096fd5
Fix bug in ecc_ecdsa_verify:
https://git.lysator.liu.se/nettle/nettle/-/commit/74ee0e82b6891e090f20723750faeb19064e31b2
Ensure ecdsa_sign output is canonically reduced:
https://git.lysator.liu.se/nettle/nettle/-/commit/51f643eee00e2caa65c8a2f5857f49acdf3ef1ce
Analogous fix to ecc_gostdsa_verify:
https://git.lysator.liu.se/nettle/nettle/-/commit/401c8d53d8a8cf1e79980e62bda3f946f8e07c14
Similar fix for eddsa:
https://git.lysator.liu.se/nettle/nettle/-/commit/ae3801a0e5cce276c270973214385c86048d5f7b
Fix canonical reduction in gostdsa_vko:
https://git.lysator.liu.se/nettle/nettle/-/commit/63f222c60b03470c0005aa9bc4296fbf585f68b9
[buster] - glibc <no-dsa> (Minor issue)
[stretch] - glibc <no-dsa> (Minor issue)
https://sourceware.org/bugzilla/show_bug.cgi?id=27462
Introduced by: https://sourceware.org/git/?p=glibc.git;a=commit;h=745664bd798ec8fd50438605948eea594179fba1 (glibc-2.29)
Fixed by: https://sourceware.org/git/?p=glibc.git;a=commit;h=dca565886b5e8bd7966e15f0ca42ee5cff686673
Introducing commit present in Debian since 2.28-1 with addition of
https://salsa.debian.org/glibc-team/glibc/-/commit/aea56157b456d4d9bef337d0149e952a41a7d919
[buster] - glibc <no-dsa> (Minor issue)
[stretch] - glibc <no-dsa> (Minor issue)
https://bugs.chromium.org/p/project-zero/issues/detail?id=2146
https://sourceware.org/bugzilla/show_bug.cgi?id=27256
https://sourceware.org/pipermail/libc-alpha/2021-January/122058.html
Fixed by: https://sourceware.org/git/?p=glibc.git;a=commit;h=7d88c6142c6efc160c0ee5e4f85cde382c072888
[sarge] - tar <no-dsa> (Hardly exploitable)

sysvinit: no-root option in expert installer exposes locally exploitable security flaw

https://bugs.debian.org/628843

(not fixed upstream, AFAICT)

https://bugs.debian.org/841856

(also not fixed upstream, AFAICT)

@eggsbenjamin

@tianon I appreciate the thorough response.

It is definitely untrue to imply that the Debian Security Team is any less aggressive or proactive than that of Ubuntu

This is down to a lack of insight on my behalf. I've been tasked with securing a load of images by ensuring that no HIGH or CRITICAL CVEs are deployed onto them. The information which you've provided is very useful, I'll see if there's a way in which we can create some exceptions for non-applicable CVEs as you point out.

@tianon

tianon commented Apr 16, 2021

https://github.com/docker-library/faq#why-does-my-security-scanner-show-that-an-image-has-cves is probably also useful
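One way to turn the tracker annotations quoted above into the scanner exceptions discussed in this thread, as an added example that is not part of the thread or of the docker-library project: parse the annotation lines, look up each scanner finding for the release the image is built from, and suppress only those the tracker marks `no-dsa`, `ignored`, `not-affected`, `postponed` or `unimportant`, leaving anything with a fixed version (or with no entry at all) for a human to review. It assumes the layout of the Debian security tracker's `data/CVE/list` file (a CVE header line followed by indented status lines such as `[buster] - glibc <no-dsa> (Minor issue)`); the CVE identifiers, descriptions and scanner findings in the sample are constructed placeholders, and the `SUPPRESSIBLE` set is a policy choice, not something the tracker prescribes.

```python
"""Added example: read Debian security-tracker annotations (data/CVE/list
layout, assumed) and decide which scanner findings to suppress."""
import re
from dataclasses import dataclass
from typing import Optional

# Tracker tags used instead of a fixed version. Which ones justify an
# exception is policy; "postponed" is included here, a team may keep it visible.
SUPPRESSIBLE = {"no-dsa", "ignored", "not-affected", "postponed"}

HEADER_RE = re.compile(r"^(CVE-\d{4}-\d{4,})\b")
STATUS_RE = re.compile(
    r"^\s+(?:\[(?P<release>[a-z]+)\]\s+)?-\s+(?P<package>\S+)\s+"
    r"(?:<(?P<tag>[a-z-]+)>|(?P<version>\S+))(?:\s+\((?P<reason>.*)\))?\s*$"
)


@dataclass(frozen=True)
class Status:
    release: Optional[str]  # None for the general (unstable) line
    package: str
    tag: Optional[str]      # no-dsa, ignored, not-affected, postponed, unfixed
    version: Optional[str]  # fixed version when the line carries one
    reason: str


# Constructed sample in the assumed layout: CVE IDs and descriptions are
# placeholders, the status lines reuse wording quoted in this thread. The real
# file indents with a tab; any leading whitespace is accepted.
SAMPLE_TRACKER = """\
CVE-0000-0001 (placeholder: a glibc issue)
    - glibc <unfixed> (unimportant)
    [buster] - glibc <no-dsa> (Minor issue)
    [jessie] - glibc <not-affected> (Vulnerable code introduced in 2.23)
    NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=25204
CVE-0000-0002 (placeholder: a systemd issue)
    - systemd 242-1
    [buster] - systemd <ignored> (Minor issue; exploit vector needs control both of the service and a helper outside)
    [jessie] - systemd <not-affected> (Vulnerable code introduced later)
CVE-0000-0003 (placeholder: a pcre3 issue)
    - pcre3 2:8.44-1
    [buster] - pcre3 <no-dsa> (Minor issue)
CVE-0000-0004 (placeholder: an openssl issue)
    - openssl 1.1.1d-1
    [buster] - openssl 1.1.1d-0+deb10u3
"""

# Constructed scanner output, as a HIGH/CRITICAL-only gate would see it.
SAMPLE_FINDINGS = [
    {"cve": "CVE-0000-0001", "package": "glibc", "severity": "HIGH"},
    {"cve": "CVE-0000-0002", "package": "systemd", "severity": "HIGH"},
    {"cve": "CVE-0000-0003", "package": "pcre3", "severity": "CRITICAL"},
    {"cve": "CVE-0000-0004", "package": "openssl", "severity": "HIGH"},
    {"cve": "CVE-0000-0009", "package": "bash", "severity": "CRITICAL"},
]


def parse_tracker(text):
    """Map CVE id -> list of Status. NOTE: lines are for humans and skipped."""
    entries, current = {}, None
    for line in text.splitlines():
        head = HEADER_RE.match(line)
        if head:
            current = head.group(1)
            entries[current] = []
            continue
        m = STATUS_RE.match(line) if current else None
        if m:
            entries[current].append(Status(m["release"], m["package"], m["tag"],
                                           m["version"], m["reason"] or ""))
    return entries


def disposition(entries, cve, package, release):
    """("suppress", why) when the tracker says this release gets no fix or is
    not affected; otherwise ("review", why) so a human still looks at it."""
    statuses = entries.get(cve, [])
    for s in statuses:  # a release-specific line wins
        if s.package == package and s.release == release:
            if s.tag in SUPPRESSIBLE:
                return "suppress", f"{s.tag}: {s.reason}"
            if s.version:
                return "review", f"fixed in {s.version}; compare installed version"
            return "review", f"{s.tag}: {s.reason}"
    for s in statuses:  # otherwise fall back to the general line
        if s.package == package and s.release is None:
            if s.tag == "unfixed" and s.reason.startswith("unimportant"):
                return "suppress", f"unimportant: {s.reason}"
            return "review", f"no {release} entry; unstable is {s.tag or s.version}"
    return "review", "not in tracker for this package"


def filter_findings(entries, findings, release):
    """Split findings into (kept, suppressed) lists of (finding, why) pairs."""
    kept, suppressed = [], []
    for f in findings:
        action, why = disposition(entries, f["cve"], f["package"], release)
        (suppressed if action == "suppress" else kept).append((f, why))
    return kept, suppressed
```

Running `filter_findings(parse_tracker(SAMPLE_TRACKER), SAMPLE_FINDINGS, "buster")` suppresses the glibc, systemd and pcre3 placeholders with the tracker's own reason attached, and keeps the openssl one (a fixed version exists, so the installed version has to be compared) and the bash one (no tracker entry). Keeping the reason string next to each suppressed finding is what makes the exception list auditable later; a bare ignore list of CVE IDs loses exactly the context this thread is about.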
