I am using Clair to scan my Docker images and I see that there are a lot of High priority bugs flagged for my image python:2.7-stretch, which is based off debian:stretch. Now most of these are fixed in a newer version of stretch (called stretch security). But I do not see a corresponding debian:stretch-security version released on Docker Hub. Is there a way to fix these bugs, or should one wait for Debian to fix them in their base images?
- If Debian stretch itself contains vulnerable packages, why should a Docker image based on that stable release contain different packages? – Nico Haase Jan 21 '19 at 13:55
- Is there any reason to not use debian:stable? – juanlumn Jan 21 '19 at 14:27
- @NicoHaase yes, that's precisely what I want to know: when does Debian come around to fixing them. – devops84uk Jan 21 '19 at 15:08
- @juanlumn: I should have clarified, it's actually the official python:stretch image which uses debian:stretch. – devops84uk Jan 21 '19 at 15:08
- @vin84 well, the point is that the **stable** release is meant to be stable. Exactly no updates, upgrades, fixes are released - that is how Debian works ;) If you want to receive security updates, you should use an image based on these security images – Nico Haase Jan 21 '19 at 15:48
1 Answer
The solution is to do an 'apt upgrade' inside the container which will pull in the updated packages and any CVE bugs which have a fix available should get updated. This will then leave my image with only bugs for which no fix has been released.

devops84uk
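The upgrade step from the answer above, written out as a Dockerfile layer. This is an added example and not code from the original question or answer. It assumes you build your own image on top of the official python:2.7-stretch tag; the official Debian-based images already list security.debian.org in /etc/apt/sources.list (you can confirm with `docker run --rm python:2.7-stretch cat /etc/apt/sources.list`), so a plain `apt-get upgrade` pulls in the stretch security packages without adding any repository. The CACHE_BUST build argument is an assumption introduced here to defeat Docker's layer cache.

```dockerfile
# Added example (not from the original post): apply Debian security updates
# at image build time instead of waiting for a new base image tag.
FROM python:2.7-stretch

# CACHE_BUST is an assumed build argument. Docker caches RUN layers by their
# instruction text, so without a changing input this layer would be reused
# from an old build and newly released fixes would never land in the image.
ARG CACHE_BUST=1

RUN set -eux; \
    echo "cache-bust: ${CACHE_BUST}"; \
    apt-get update; \
    # -y: non-interactive. Use dist-upgrade instead if a security update
    # needs to pull in new dependency packages and upgrade holds it back.
    apt-get -y upgrade; \
    # drop the package index so it is not baked into the layer
    rm -rf /var/lib/apt/lists/*

# application layers follow as usual
WORKDIR /app
COPY . /app
```

Build it with a fresh cache-bust value and a freshly pulled base, for example `docker build --pull --build-arg CACHE_BUST=$(date +%Y%m%d) -t myapp:latest .`, then rescan with Clair. What remains flagged is what the answer describes: packages for which Debian has published no fix yet. Because the upgrade is frozen at build time, the image has to be rebuilt (not just restarted) whenever new stretch security updates are released, so schedule regular rebuilds rather than treating one clean scan as permanent.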