Skip to content

Handle CVE-2024-0553 and CVE-2024-0567 #35

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Jul 9, 2024
Merged

Handle CVE-2024-0553 and CVE-2024-0567 #35

merged 1 commit into from
Jul 9, 2024

Conversation

supl
Copy link
Contributor

@supl supl commented Jul 3, 2024

Description

This PR upgrades the Debian package libgnutls30 to patch CVE-2024-0553 and CVE-2024-0567.

┌─────────────┬───────────────┬──────────┬────────┬───────────────────┬─────────────────┬──────────────────────────────────────────────────────────┐
│   Library   │ Vulnerability │ Severity │ Status │ Installed Version │  Fixed Version  │                          Title                           │
├─────────────┼───────────────┼──────────┼────────┼───────────────────┼─────────────────┼──────────────────────────────────────────────────────────┤
│ libgnutls30 │ CVE-2024-0553 │ HIGH     │ fixed  │ 3.7.1-5+deb11u3   │ 3.7.1-5+deb11u5 │ gnutls: incomplete fix for CVE-2023-5981                 │
│             │               │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2024-0553                │
│             ├───────────────┤          │        │                   │                 ├──────────────────────────────────────────────────────────┤
│             │ CVE-2024-0567 │          │        │                   │                 │ gnutls: rejects certificate chain with distributed trust │
│             │               │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2024-0567                │
└─────────────┴───────────────┴──────────┴────────┴───────────────────┴─────────────────┴──────────────────────────────────────────────────────────┘

We got the report from CI at https://github.com/scalar-labs/docker/actions/runs/9769591056/job/26969320568

It also upgrades the PostgreSQL 15 package source since the old one no longer exists.

Related issues and/or PRs

N/A

Changes made

  • revised Dockerfiles

Checklist

  • I have commented my code, particularly in hard-to-understand areas.
  • I have updated the documentation to reflect the changes.
  • Any remaining open issues linked to this PR are documented and up-to-date (Jira, GitHub, etc.).
  • Tests (unit, integration, etc.) have been added for the changes.
  • My changes generate no new warnings.
  • Any dependent changes in other PRs have been merged and published.

@supl supl added the bugfix label Jul 3, 2024
@supl supl requested a review from choplin July 3, 2024 03:36
@supl supl self-assigned this Jul 3, 2024
@supl supl requested a review from feeblefakie July 3, 2024 03:38
choplin
choplin approved these changes Jul 3, 2024
View reviewed changes
Copy link
Contributor

@choplin choplin left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM!

feeblefakie
feeblefakie approved these changes Jul 9, 2024
View reviewed changes
Copy link
Contributor

@feeblefakie feeblefakie left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM! Thank you!

@feeblefakie feeblefakie merged commit e2bc023 into main Jul 9, 2024
1 check passed
@feeblefakie feeblefakie deleted the CVE-2024-0553-CVE-2024-0567 branch July 9, 2024 08:32
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@choplin choplin choplin approved these changes

@feeblefakie feeblefakie feeblefakie approved these changes

Assignees

@supl supl

Labels
bugfix
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@supl @choplin @feeblefakie