Security issue in Clair v2.0.9


Brent Borovan

Oct 18, 2019, 2:10:24 PM
to CoreOS Dev
Hello,

I recently installed the latest version of Clair (v2.0.9) as a new Docker image and ran a Clair scan on this image using klar with a "High" threshold. Klar returned an outstanding security issue which, ironically, is not patched.

Here is the reported issue:
Analysing 9 layers
Got results from Clair API v1
Found 1 vulnerabilities
High: 1

CVE-2019-14697: [High] 
Found in: musl [1.1.20-r3]
Fixed By: 1.1.20-r5



Are there plans to patch this soon and if not does anyone know the recommended way to resolve this?

Thanks in advance,
Brent 

Rob Szumski

Oct 21, 2019, 1:43:21 PM
to coreo...@googlegroups.com
Hi there,

This is a CVE for musl, which is the libc used in Alpine Linux. The image Red Hat officially supports for Clair is based on RHEL, so it does not have this issue.

This dependency will be bumped with the next release of Clair.

 - Rob

--
You received this message because you are subscribed to the Google Groups "CoreOS Dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to coreos-dev+...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/coreos-dev/47a4938b-b30e-4af0-b643-3d80083dbce7%40googlegroups.com.

Brent Borovan

Oct 21, 2019, 2:31:45 PM
to CoreOS Dev
Hi Rob,

Thanks for the info; it is appreciated.

I am using the image quay.io/coreos/clair:v2.0.9, which I assumed is the official image, but perhaps not?

Will await the newest image in any case.

Regards and thanks again,
Brent

Rob Szumski

Oct 21, 2019, 2:56:50 PM
to coreo...@googlegroups.com
I believe that is the community image. It should be updated soon.

The product images should come from registry.redhat.io.


Brent Borovan

Oct 21, 2019, 3:07:15 PM
to CoreOS Dev
Ok thanks for the info!

Brent