mssql-docker icon indicating copy to clipboard operation
mssql-docker copied to clipboard
verified publisher icon microsoft

[Question] security of image layer

Open hsuyuming opened this issue 4 years ago • 1 comments

Hi All:

We are using Xray to scan to the image is secure or not, then find there is a security hole (it shows this is Critical case)on each mssql image's version. (We are using 2019-CU5-ubuntu-18.04, but we also find the issue on latest version). Can you help us update the go version on your image site to fix this issue?

Security:

Summary https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-38297 Go before 1.16.9 and 1.17.x before 1.17.2 has a buffer overflow via large arguments in a function invocation from a wasm module, when goarch=wasm goos=js is used.

CVEs CVE-2021-38297 CVSS V2: 7.5/CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:P/A:P CVSS V3: 9.8/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References https://groups.google.com/g/golang-announce/c/AEBu9j7yj5A https://groups.google.com/forum/#!forum/golang-announce

https://go-review.googlesource.com/c/go/+/176619

Many Thanks, Abe

hsuyuming avatar Jan 27 '22 00:01 hsuyuming

Hi all: any update about this?

hsuyuming avatar Feb 01 '22 16:02 hsuyuming