I attempted to bring the Elixir 10.3 image into our internal repo. Our mechanism does a scan for vulnerabilities and my request was rejected because of the version(s) of Python in that image. The CVE that caused the rejection was CVE-2020-8492 with the description:
Python 2.7 through 2.7.17, 3.5 through 3.5.9, 3.6 through 3.6.10, 3.7 through 3.7.6, and 3.8 through 3.8.1 allows an HTTP server to conduct Regular Expression Denial of Service (ReDoS) attacks against a client because of urllib.request.AbstractBasicAuthHandler catastrophic backtracking. Impacted Image File(s): /usr/lib/python3.7/urllib/request.py
I note the image includes Python 3.7.3 and 2.7.16.
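To see why a scanner flags both interpreters in this image, here is an added example (not part of the issue or of the image build) that checks version strings against the inclusive ranges quoted from the CVE-2020-8492 description above; the `parse_version`, `is_affected` and `triage` names are my own.

```python
"""Check Python versions found in an image against the affected ranges
listed in the CVE-2020-8492 description quoted in the issue.

Added example, not code from the issue or the elixir image build.
"""
import re
from typing import Dict, Iterable, Tuple

Version = Tuple[int, int, int]

# "Python 2.7 through 2.7.17, 3.5 through 3.5.9, 3.6 through 3.6.10,
#  3.7 through 3.7.6, and 3.8 through 3.8.1" -> inclusive (low, high) pairs.
AFFECTED_RANGES = [
    ((2, 7, 0), (2, 7, 17)),
    ((3, 5, 0), (3, 5, 9)),
    ((3, 6, 0), (3, 6, 10)),
    ((3, 7, 0), (3, 7, 6)),
    ((3, 8, 0), (3, 8, 1)),
]

# Matches '3.7.3', '3.7' and tolerates Debian-style suffixes like '2.7.16+'.
_VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(text: str) -> Version:
    """Turn 'Python 3.7.3', '3.7.3' or '2.7.16+' into a comparable tuple."""
    token = text.strip().split()[-1]  # drop a leading 'Python' if present
    match = _VERSION_RE.match(token)
    if not match:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, micro = match.groups()
    return (int(major), int(minor), int(micro or 0))  # '3.8' -> (3, 8, 0)


def is_affected(text: str) -> bool:
    """True when the version falls inside one of the inclusive CVE ranges."""
    version = parse_version(text)
    return any(low <= version <= high for low, high in AFFECTED_RANGES)


def triage(versions: Iterable[str]) -> Dict[str, bool]:
    """Map each version string found in the image to its verdict."""
    return {v: is_affected(v) for v in versions}


if __name__ == "__main__":
    # The two interpreter versions the reporter observed in the image.
    for ver, hit in triage(["Python 3.7.3", "Python 2.7.16"]).items():
        print(f"{ver}: {'affected' if hit else 'not affected'} by CVE-2020-8492")
```

Both versions in the image sit inside the quoted ranges, so the scanner's verdict follows directly from the CVE text; a base image carrying a later patch release would fall outside them.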
The build process of this repo's images does not add any Python layer, so these Python versions just exist in the base Debian image layers; once official-images use a newer version of the Debian image, that will fix this issue (probably already fixed as of now, I haven't checked yet).
I reported the issue to the originating images (buildpack-deps:buster-scm for Python2, and buildpack-deps:buster for Python3). Presumably if they choose to resolve the issue it would then be fixed here as well.