
The latest tagged (amd64-1.4.4) hyperledger fabric-peer and hyperledger fabric-tools images hosted on hub.docker.com have Linux security vulnerabilities.

    [
      {
        "CVE": "CVE-2019-18224",
        "Package": "libidn2",
        "Version": "2.0.5-1",
        "Severity": "high",
        "Status": "fixed in 2.0.5-1+deb10u1",
        "CVSS": 7.5,
        "GracePeriod": ""
      },
      {
        "CVE": "CVE-2019-0155",
        "Package": "linux",
        "Version": "4.15.0-66.75",
        "Severity": "high",
        "Status": "fixed in 4.15.0-70.79",
        "CVSS": 7.2,
        "GracePeriod": ""
      },
      {
        "CVE": "NODE-SECURITY-1184",
        "Package": "https-proxy-agent",
        "Version": "2.2.2",
        "Severity": "high",
        "Status": "fixed in >=2.2.3",
        "CVSS": 7,
        "GracePeriod": ""
      },
      {
        "CVE": "CVE-2019-11135",
        "Package": "linux",
        "Version": "4.15.0-66.75",
        "Severity": "high",
        "Status": "fixed in 4.15.0-69.78",
        "CVSS": 2.1,
        "GracePeriod": ""
      },
      {
        "CVE": "CVE-2018-12207",
        "Package": "linux",
        "Version": "4.15.0-66.75",
        "Severity": "high",
        "Status": "fixed in 4.15.0-69.78",
        "CVSS": 4.9,
        "GracePeriod": ""
      }
    ]

How do you request a new build of the images?

Carrie
    You may want to try posting on ServerFault instead – Oxymoron Feb 05 '20 at 19:00
  • Have you tried following the instructions here: https://github.com/hyperledger/fabric/blob/master/SECURITY.md ? – david_k Feb 05 '20 at 21:52
  • @david_k No, I had not because I assumed it was for Security issues with Fabric -- I will do that now. – Carrie Feb 06 '20 at 20:16
  • I'm assuming that would be the first place to try, as Hyperledger Fabric builds those images. If not, they will hopefully suggest what to do. – david_k Feb 07 '20 at 08:52
  • We are aware of these CVEs and do our best to patch them with each release; most of these currently do not have an upstream fix. Of note, the docker images we provide are as-is, with no warranty or support, to give people a place to get started; they are not intended for production use cases. You can build the fabric binaries and create images yourself using hardened base images like alpine or redhat-ubi. – lindluni Mar 03 '20 at 06:46
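A triage script for scan output in the format shown in the question, added here as an example (it is not code from the question or from the Fabric project): it separates findings that a rebuild against newer packages could address from those with no fix listed, which is the distinction the last comment draws, and it flags entries whose Severity label disagrees with their CVSS score, as two of the linux entries in the question do. The shape of the `Status` string (`fixed in <version>`, optionally `>=`) is an assumption inferred from the excerpt; the findings are the five from the question, embedded inline.

```python
import json
import re

# Findings constructed from the scan excerpt in the question (same fields, same values).
SCAN_JSON = """[
 {"CVE":"CVE-2019-18224","Package":"libidn2","Version":"2.0.5-1","Severity":"high",
  "Status":"fixed in 2.0.5-1+deb10u1","CVSS":7.5,"GracePeriod":""},
 {"CVE":"CVE-2019-0155","Package":"linux","Version":"4.15.0-66.75","Severity":"high",
  "Status":"fixed in 4.15.0-70.79","CVSS":7.2,"GracePeriod":""},
 {"CVE":"NODE-SECURITY-1184","Package":"https-proxy-agent","Version":"2.2.2","Severity":"high",
  "Status":"fixed in >=2.2.3","CVSS":7,"GracePeriod":""},
 {"CVE":"CVE-2019-11135","Package":"linux","Version":"4.15.0-66.75","Severity":"high",
  "Status":"fixed in 4.15.0-69.78","CVSS":2.1,"GracePeriod":""},
 {"CVE":"CVE-2018-12207","Package":"linux","Version":"4.15.0-66.75","Severity":"high",
  "Status":"fixed in 4.15.0-69.78","CVSS":4.9,"GracePeriod":""}
]"""

# Assumed shape of the Status field, inferred from the excerpt: "fixed in <version>"
# (optionally ">=<version>"); any other value is treated as "no fix listed".
FIXED_RE = re.compile(r"^fixed in\s*(>=)?\s*(\S+)$")

# CVSS v3 qualitative bands, used to spot a Severity label that disagrees with the score.
CVSS_BANDS = [(9.0, "critical"), (7.0, "high"), (4.0, "medium"), (0.1, "low"), (0.0, "none")]

def fixed_version(status):
    """Return the fixed version named in a Status value, or None when none is listed."""
    m = FIXED_RE.match(status.strip())
    return (m.group(1) or "") + m.group(2) if m else None

def cvss_band(score):
    """Map a numeric CVSS score to its qualitative band name."""
    return next(name for floor, name in CVSS_BANDS if score >= floor)

def triage(scan_json):
    """Group findings into: package -> fixed versions a rebuild needs ("rebuild"),
    CVEs with no fix listed ("no_fix"), and CVEs whose label disagrees with CVSS."""
    rebuild, no_fix, mismatch = {}, [], []
    for f in json.loads(scan_json):
        fixed = fixed_version(f["Status"])
        if fixed is None:
            no_fix.append(f["CVE"])
        else:
            rebuild.setdefault(f["Package"], set()).add(fixed)
        if cvss_band(float(f["CVSS"])) != f["Severity"].lower():
            mismatch.append(f["CVE"])
    return {"rebuild": {p: sorted(v) for p, v in rebuild.items()},
            "no_fix": no_fix, "severity_mismatch": mismatch}

if __name__ == "__main__":
    print(json.dumps(triage(SCAN_JSON), indent=2))
```

Findings under "rebuild" are the ones a fresh image build on an updated base can close; "no_fix" entries are the ones where only an upstream fix helps, so a rebuild request alone will not clear them.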

0 Answers