This repository has been archived by the owner on Apr 24, 2023. It is now read-only.

Security patching of fluent bit latest docker image #29

Open
remidinishanth-ntnx opened this issue Feb 21, 2020 · 1 comment

Comments

@remidinishanth-ntnx

Looks like the latest version of Fluent Bit also has a lot of security vulnerabilities. Is there any action towards patching these?

fluent/fluent-bit:latest (debian 9.11)
======================================
Total: 30 (UNKNOWN: 0, LOW: 2, MEDIUM: 23, HIGH: 5, CRITICAL: 0)

+------------+------------------+----------+-------------------+---------------+--------------------------------+
|  LIBRARY   | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION |             TITLE              |
+------------+------------------+----------+-------------------+---------------+--------------------------------+
| libc6      | CVE-2018-1000001 | HIGH     | 2.24-11+deb9u4    |               | glibc: realpath() buffer       |
|            |                  |          |                   |               | underflow when getcwd()        |
|            |                  |          |                   |               | returns relative path allows   |
|            |                  |          |                   |               | privilege escalation...        |
+            +------------------+          +                   +---------------+--------------------------------+
|            | CVE-2018-6485    |          |                   |               | glibc: Integer overflow in     |
|            |                  |          |                   |               | posix_memalign in memalign     |
|            |                  |          |                   |               | functions                      |
+            +------------------+          +                   +---------------+--------------------------------+
|            | CVE-2018-6551    |          |                   |               | glibc: integer overflow in     |
|            |                  |          |                   |               | malloc functions               |
+            +------------------+          +                   +---------------+--------------------------------+
|            | CVE-2019-1010022 |          |                   |               | glibc: stack guard protection  |
|            |                  |          |                   |               | bypass                         |
+            +------------------+          +                   +---------------+--------------------------------+
|            | CVE-2019-9169    |          |                   |               | glibc: regular-expression      |
|            |                  |          |                   |               | match via proceed_next_node    |
|            |                  |          |                   |               | in posix/regexec.c leads to    |
|            |                  |          |                   |               | heap-based buffer over-read... |
+            +------------------+----------+                   +---------------+--------------------------------+
|            | CVE-2009-5155    | MEDIUM   |                   |               | glibc: parse_reg_exp in        |
|            |                  |          |                   |               | posix/regcomp.c misparses      |
|            |                  |          |                   |               | alternatives leading to denial |
|            |                  |          |                   |               | of service or...               |
+            +------------------+          +                   +---------------+--------------------------------+
|            | CVE-2010-4051    |          |                   |               | CVE-2010-4052 glibc:           |
|            |                  |          |                   |               | De-recursivise regular         |
|            |                  |          |                   |               | expression engine              |
+            +------------------+          +                   +---------------+--------------------------------+
|            | CVE-2010-4052    |          |                   |               | CVE-2010-4051 CVE-2010-4052    |
|            |                  |          |                   |               | glibc: De-recursivise regular  |
|            |                  |          |                   |               | expression engine              |
+            +------------------+          +                   +---------------+--------------------------------+
|            | CVE-2010-4756    |          |                   |               | glibc: glob implementation can |
|            |                  |          |                   |               | cause excessive CPU and memory |
|            |                  |          |                   |               | consumption due to...          |
+            +------------------+          +                   +---------------+--------------------------------+
|            | CVE-2015-8985    |          |                   |               | glibc: potential denial of     |
|            |                  |          |                   |               | service in pop_fail_stack()    |
+            +------------------+          +                   +---------------+--------------------------------+
|            | CVE-2016-10228   |          |                   |               | glibc: iconv program can       |
|            |                  |          |                   |               | hang when invoked with the -c  |
|            |                  |          |                   |               | option                         |
+            +------------------+          +                   +---------------+--------------------------------+
|            | CVE-2016-10739   |          |                   |               | glibc: getaddrinfo should      |
|            |                  |          |                   |               | reject IP addresses with       |
|            |                  |          |                   |               | trailing characters            |
+            +------------------+          +                   +---------------+--------------------------------+
|            | CVE-2017-12132   |          |                   |               | glibc: Fragmentation attacks   |
|            |                  |          |                   |               | possible when EDNS0 is enabled |
+            +------------------+          +                   +---------------+--------------------------------+
|            | CVE-2018-20796   |          |                   |               | glibc: uncontrolled            |
|            |                  |          |                   |               | recursion in function          |
|            |                  |          |                   |               | check_dst_limits_calc_pos_1 in |
|            |                  |          |                   |               | posix/regexec.c                |
+            +------------------+          +                   +---------------+--------------------------------+
|            | CVE-2019-1010023 |          |                   |               | glibc: running ldd on          |
|            |                  |          |                   |               | malicious ELF leads to code    |
|            |                  |          |                   |               | execution because of...        |
+            +------------------+          +                   +---------------+--------------------------------+
|            | CVE-2019-1010024 |          |                   |               | glibc: ASLR bypass using cache |
|            |                  |          |                   |               | of thread stack and heap       |
+            +------------------+          +                   +---------------+--------------------------------+
|            | CVE-2019-1010025 |          |                   |               | glibc: information disclosure  |
|            |                  |          |                   |               | of heap addresses of           |
|            |                  |          |                   |               | pthread_created thread         |
+            +------------------+          +                   +---------------+--------------------------------+
|            | CVE-2019-6488    |          |                   |               | glibc: Incorrect attempt to    |
|            |                  |          |                   |               | use a 64-bit register for      |
|            |                  |          |                   |               | size_t in assembly...          |
+            +------------------+          +                   +---------------+--------------------------------+
|            | CVE-2019-9192    |          |                   |               | glibc: uncontrolled            |
|            |                  |          |                   |               | recursion in function          |
|            |                  |          |                   |               | check_dst_limits_calc_pos_1 in |
|            |                  |          |                   |               | posix/regexec.c                |
+            +------------------+----------+                   +---------------+--------------------------------+
|            | CVE-2019-19126   | LOW      |                   |               | glibc:                         |
|            |                  |          |                   |               | LD_PREFER_MAP_32BIT_EXEC not   |
|            |                  |          |                   |               | ignored in setuid binaries     |
+            +------------------+          +                   +---------------+--------------------------------+
|            | CVE-2019-7309    |          |                   |               | glibc: memcmp function         |
|            |                  |          |                   |               | incorrectly returns zero       |
+------------+------------------+----------+-------------------+---------------+--------------------------------+
| libgcc1    | CVE-2018-12886   | MEDIUM   | 6.3.0-18+deb9u1   |               | gcc: spilling of stack         |
|            |                  |          |                   |               | protection address in          |
|            |                  |          |                   |               | cfgexpand.c and function.c     |
|            |                  |          |                   |               | leads to...                    |
+------------+                  +          +                   +---------------+                                +
| libgomp1   |                  |          |                   |               |                                |
|            |                  |          |                   |               |                                |
|            |                  |          |                   |               |                                |
|            |                  |          |                   |               |                                |
+------------+------------------+          +-------------------+---------------+--------------------------------+
| libssl1.1  | CVE-2007-6755    |          | 1.1.0l-1~deb9u1   |               | Dual_EC_DRBG: weak pseudo      |
|            |                  |          |                   |               | random number generator        |
+            +------------------+          +                   +---------------+--------------------------------+
|            | CVE-2010-0928    |          |                   |               | openssl: RSA authentication    |
|            |                  |          |                   |               | weakness                       |
+            +------------------+          +                   +---------------+--------------------------------+
|            | CVE-2019-1551    |          |                   |               | openssl: Integer overflow in   |
|            |                  |          |                   |               | RSAZ modular exponentiation on |
|            |                  |          |                   |               | x86_64                         |
+------------+------------------+          +-------------------+---------------+--------------------------------+
| libstdc++6 | CVE-2018-12886   |          | 6.3.0-18+deb9u1   |               | gcc: spilling of stack         |
|            |                  |          |                   |               | protection address in          |
|            |                  |          |                   |               | cfgexpand.c and function.c     |
|            |                  |          |                   |               | leads to...                    |
+------------+------------------+          +-------------------+---------------+--------------------------------+
| openssl    | CVE-2007-6755    |          | 1.1.0l-1~deb9u1   |               | Dual_EC_DRBG: weak pseudo      |
|            |                  |          |                   |               | random number generator        |
+            +------------------+          +                   +---------------+--------------------------------+
|            | CVE-2010-0928    |          |                   |               | openssl: RSA authentication    |
|            |                  |          |                   |               | weakness                       |
+            +------------------+          +                   +---------------+--------------------------------+
|            | CVE-2019-1551    |          |                   |               | openssl: Integer overflow in   |
|            |                  |          |                   |               | RSAZ modular exponentiation on |
|            |                  |          |                   |               | x86_64                         |
+------------+------------------+----------+-------------------+---------------+--------------------------------+
@edsiper
Member

edsiper commented Feb 21, 2020

As of the v1.4 release next week, we are upgrading to the Debian Buster image.
