Grokzen / docker-redis-cluster

Dockerfile for Redis Cluster (redis 3.0+)
MIT License
1.45k stars, 549 forks

multiple critical CVEs in the image #168

Open ismail-bertalfilali opened 2 months ago

ismail-bertalfilali commented 2 months ago

Hello,

We are trying to use the image grokzen/redis-cluster:7.0.10, but it contains several CVEs. Any plan to upgrade the packages used? Thank you


| Vulnerability | Severity | CVSS3 Score | Package | Current Version | Fixed in Version | Listed In CVE Allowlist |
|---|---|---|---|---|---|---|
| CVE-2022-1664 | Critical | 9.8 | dpkg | 1.19.7 | 1.19.8 | No |
| CVE-2021-33574 | Critical | 9.8 | libc-bin | 2.28-10 | 2.28-10+deb10u2 | No |
| CVE-2021-35942 | Critical | 9.1 | libc-bin | 2.28-10 | 2.28-10+deb10u2 | No |
| CVE-2022-23218 | Critical | 9.8 | libc-bin | 2.28-10 | 2.28-10+deb10u2 | No |
| CVE-2022-23219 | Critical | 9.8 | libc-bin | 2.28-10 | 2.28-10+deb10u2 | No |
| CVE-2021-3520 | Critical | 9.8 | liblz4-1 | 1.8.3-1 | 1.8.3-1+deb10u1 | No |
| CVE-2022-1586 | Critical | 9.1 | libpcre2-8-0 | 10.32-5 | 10.32-5+deb10u1 | No |
| CVE-2022-1587 | Critical | 9.1 | libpcre2-8-0 | 10.32-5 | 10.32-5+deb10u1 | No |
| CVE-2021-3177 | Critical | 9.8 | libpython2.7-minimal | 2.7.16-2+deb10u1 | 2.7.16-2+deb10u2 | No |
| CVE-2021-46848 | Critical | 9.1 | libtasn1-6 | 4.13-3 | 4.13-3+deb10u1 | No |
| CVE-2021-3177 | Critical | 9.8 | python2.7 | 2.7.16-2+deb10u1 | 2.7.16-2+deb10u2 | No |
| CVE-2022-37434 | Critical | 9.8 | zlib1g | 1:1.2.11.dfsg-1 | 1:1.2.11.dfsg-1+deb10u2 | No |
| CVE-2022-48565 | Critical | 9.8 | libpython2.7-minimal | 2.7.16-2+deb10u1 | None | No |
| CVE-2021-20231 | Critical | 9.8 | libgnutls30 | 3.6.7-4+deb10u3 | 3.6.7-4+deb10u7 | No |
| CVE-2021-20232 | Critical | 9.8 | libgnutls30 | 3.6.7-4+deb10u3 | 3.6.7-4+deb10u7 | No |
| CVE-2021-3711 | Critical | 9.8 | libssl1.1 | 1.1.1d-0+deb10u3 | 1.1.1d-0+deb10u7 | Yes |
| CVE-2022-1292 | Critical | 9.8 | libssl1.1 | 1.1.1d-0+deb10u3 | 1.1.1n-0+deb10u2 | No |
| CVE-2022-2068 | Critical | 9.8 | libssl1.1 | 1.1.1d-0+deb10u3 | 1.1.1n-0+deb10u3 | No |
| CVE-2023-25775 | Critical | 9.8 | linux-libc-dev | 4.19.260-1 | 4.19.304-1 | No |
| CVE-2022-1271 | High | 8.8 | gzip | 1.9-3 | 1.9-3+deb10u1 | No |
| CVE-2020-1752 | High | 7.0 | libc-bin | 2.28-10 | 2.28-10+deb10u2 | No |
| CVE-2020-6096 | High | 8.1 | libc-bin | 2.28-10 | 2.28-10+deb10u2 | No |
| CVE-2021-3326 | High | 7.5 | libc-bin | 2.28-10 | 2.28-10+deb10u2 | No |
| CVE-2021-3999 | High | 7.8 | libc-bin | 2.28-10 | 2.28-10+deb10u2 | No |
| CVE-2021-43618 | High | 7.5 | libgmp10 | 2:6.1.2+dfsg-4 | 2:6.1.2+dfsg-4+deb10u1 | No |
| CVE-2021-20305 | High | 8.1 | libhogweed4 | 3.4.1-1 | 3.4.1-1+deb10u1 | Yes |
| CVE-2021-3580 | High | 7.5 | libhogweed4 | 3.4.1-1 | 3.4.1-1+deb10u1 | No |
| CVE-2022-1271 | High | 8.8 | liblzma5 | 5.2.4-1 | 5.2.4-1+deb10u1 | No |
| CVE-2021-20305 | High | 8.1 | libnettle6 | 3.4.1-1 | 3.4.1-1+deb10u1 | Yes |
| CVE-2021-3580 | High | 7.5 | libnettle6 | 3.4.1-1 | 3.4.1-1+deb10u1 | No |
| CVE-2019-20454 | High | 7.5 | libpcre2-8-0 | 10.32-5 | 10.32-5+deb10u1 | No |
| CVE-2015-20107 | High | 7.6 | libpython2.7-minimal | 2.7.16-2+deb10u1 | 2.7.16-2+deb10u2 | No |
| CVE-2019-20907 | High | 7.5 | libpython2.7-minimal | 2.7.16-2+deb10u1 | 2.7.16-2+deb10u2 | No |
| CVE-2020-26116 | High | 7.2 | libpython2.7-minimal | 2.7.16-2+deb10u1 | 2.7.16-2+deb10u2 | No |
| CVE-2021-3737 | High | 7.5 | libpython2.7-minimal | 2.7.16-2+deb10u1 | 2.7.16-2+deb10u2 | No |
| CVE-2022-0391 | High | 7.5 | libpython2.7-minimal | 2.7.16-2+deb10u1 | None | No |
| CVE-2022-45061 | High | 7.5 | libpython2.7-minimal | 2.7.16-2+deb10u1 | 2.7.16-2+deb10u2 | No |
| CVE-2023-24329 | High | 7.5 | libpython2.7-minimal | 2.7.16-2+deb10u1 | None | No |
| CVE-2015-20107 | High | 7.6 | libpython2.7-stdlib | 2.7.16-2+deb10u1 | 2.7.16-2+deb10u2 | No |
| CVE-2019-20907 | High | 7.5 | libpython2.7-stdlib | 2.7.16-2+deb10u1 | 2.7.16-2+deb10u2 | No |
| CVE-2020-26116 | High | 7.2 | libpython2.7-stdlib | 2.7.16-2+deb10u1 | 2.7.16-2+deb10u2 | No |
| CVE-2021-3737 | High | 7.5 | libpython2.7-stdlib | 2.7.16-2+deb10u1 | 2.7.16-2+deb10u2 | No |
| CVE-2022-0391 | High | 7.5 | libpython2.7-stdlib | 2.7.16-2+deb10u1 | None | No |
| CVE-2022-45061 | High | 7.5 | libpython2.7-stdlib | 2.7.16-2+deb10u1 | 2.7.16-2+deb10u2 | No |
| CVE-2023-24329 | High | 7.5 | libpython2.7-stdlib | 2.7.16-2+deb10u1 | None | No |

Grokzen commented 2 weeks ago

@ismail-bertalfilali A new base image has been used for all images and re-uploaded to Docker Hub. Could you please recheck the current images against your list, and if the CVE list has been resolved, please close this issue?

ismail-bertalfilali commented 2 weeks ago

@Grokzen, thanks for your efforts.

No critical CVEs, but there are a lot of High CVEs in this version (grokzen/redis-cluster:7.2.5); we are still not allowed to use it by the security department.

Here's the data converted to a markup table format:

| Vulnerability | Severity | CVSS3 Score | Package | Current Version | Fixed in Version |
|---|---|---|---|---|---|
| CVE-2023-50387 | High | 7.5 | libsystemd0 | 252.22-1~deb12u1 | 252.23-1~deb12u1 |
| CVE-2023-50868 | High | 7.5 | libsystemd0 | 252.22-1~deb12u1 | 252.23-1~deb12u1 |
| CVE-2023-50387 | High | 7.5 | libudev1 | 252.22-1~deb12u1 | 252.23-1~deb12u1 |
| CVE-2023-50868 | High | 7.5 | libudev1 | 252.22-1~deb12u1 | 252.23-1~deb12u1 |
| CVE-2023-24329 | High | 7.5 | libpython3.11-minimal | 3.11.2-6 | 3.11.2-6+deb12u2 |
| CVE-2023-41105 | High | 7.5 | libpython3.11-minimal | 3.11.2-6 | 3.11.2-6+deb12u2 |
| CVE-2023-6597 | High | 7.8 | libpython3.11-minimal | 3.11.2-6 | 3.11.2-6+deb12u2 |
| CVE-2023-24329 | High | 7.5 | libpython3.11-stdlib | 3.11.2-6 | 3.11.2-6+deb12u2 |
| CVE-2023-41105 | High | 7.5 | libpython3.11-stdlib | 3.11.2-6 | 3.11.2-6+deb12u2 |
| CVE-2023-6597 | High | 7.8 | libpython3.11-stdlib | 3.11.2-6 | 3.11.2-6+deb12u2 |
| CVE-2024-36883 | High | 7.0 | linux-libc-dev | 6.1.90-1 | 6.1.94-1 |
| CVE-2024-36886 | High | 7.1 | linux-libc-dev | 6.1.90-1 | 6.1.94-1 |
| CVE-2024-36904 | High | 7.0 | linux-libc-dev | 6.1.90-1 | 6.1.94-1 |
| CVE-2024-36960 | High | 7.1 | linux-libc-dev | 6.1.90-1 | 6.1.94-1 |
| CVE-2024-36971 | High | 7.8 | linux-libc-dev | 6.1.90-1 | 6.1.94-1 |
| CVE-2024-38667 | High | 7.8 | linux-libc-dev | 6.1.90-1 | 6.1.94-1 |
| CVE-2024-39277 | High | 7.8 | linux-libc-dev | 6.1.90-1 | 6.1.94-1 |
| CVE-2023-24329 | High | 7.5 | python3.11 | 3.11.2-6 | 3.11.2-6+deb12u2 |
| CVE-2023-41105 | High | 7.5 | python3.11 | 3.11.2-6 | 3.11.2-6+deb12u2 |
| CVE-2023-6597 | High | 7.8 | python3.11 | 3.11.2-6 | 3.11.2-6+deb12u2 |
| CVE-2023-24329 | High | 7.5 | python3.11-minimal | 3.11.2-6 | 3.11.2-6+deb12u2 |
| CVE-2023-41105 | High | 7.5 | python3.11-minimal | 3.11.2-6 | 3.11.2-6+deb12u2 |
| CVE-2023-6597 | High | 7.8 | python3.11-minimal | 3.11.2-6 | 3.11.2-6+deb12u2 |

ismail-bertalfilali commented 1 week ago

@Grokzen, images from the Red Hat registry seem to be more secure (rhel9/redis-7). I don't know if it is simple to switch to them?

Grokzen commented 4 days ago

Yeah, I could try that image. Also, I see that some things really don't need to be in the image; getting Python out of it could be an option as well, to really push out the last few CVEs. But I will try the mentioned image @ismail-bertalfilali