We are using the jammy-2023.10.0 Docker image for one of our applications. When we perform a security scan on the jammy-2023.10.0 image it reports a curl and libcurl vulnerability.
curl and libcurl have version 7.81.0 and need to be upgraded to version 8.4.0. Can someone please help with how we can overcome this vulnerability?
Can you please be more specific as to which vulnerabilities are flagged?
Assuming you are referring to the Posit Connect image, I can see that we have curl version 7.81.0-1ubuntu1.14 in the container which according to the changelog already provides fixes for CVE-2023-38545 and CVE-2023-38546. These fixes are not implemented by upgrading to 8.4.0 but instead the needed patches are being backported to curl 7.81.0 to keep the API/ABI consistent.
curl (7.81.0-1ubuntu1.14) jammy-security; urgency=medium

  * SECURITY UPDATE: SOCKS5 heap buffer overflow
    - debian/patches/CVE-2023-38545.patch: return error if hostname too
      long for remote resolve in lib/socks.c, tests/data/Makefile.inc,
      tests/data/test728.
    - CVE-2023-38545
  * SECURITY UPDATE: cookie injection with none file
    - debian/patches/CVE-2023-38546.patch: remove unnecessary struct fields
      in lib/cookie.c, lib/cookie.h, lib/easy.c.
    - CVE-2023-38546
You can check the curl changelog yourself by running
Please let me know if this addresses your concern.
In case there are additional CVEs in curl beyond the ones mentioned, the version of curl we use in the container at the moment is the latest available in Ubuntu 22.04 LTS (Jammy). As such, we (Posit) will only be able to apply another update to curl once it is available for Ubuntu Jammy.
PS: Also please note that our containers (cf. Docker) of the most recent connect version are regularly rebuilt and the tag jammy-2023.10.0 corresponds to different images with different OS package versions. If you are after full reproducibility, always choose the tags with the long name including the hex digits at the end - only those are fully reproducible from a git pull perspective.
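The check described above, verifying that the installed Ubuntu package's changelog already carries the backported CVE fix instead of trusting the scanner's comparison against the upstream version, as an added example that is not code from this thread or from Posit. It parses a Debian-format changelog and reports which version at or below the installed one first mentions a given CVE; the sample changelog is constructed, with the 1ubuntu1.13 entry and CVE-0000-00001 being placeholders rather than real Ubuntu history.

```python
import re

# Constructed sample in Debian changelog format. The 1ubuntu1.14 entry is the
# one quoted in the thread; the 1ubuntu1.13 entry and CVE-0000-00001 are
# placeholders made up for this example, not real Ubuntu history.
SAMPLE_CHANGELOG = """\
curl (7.81.0-1ubuntu1.14) jammy-security; urgency=medium

  * SECURITY UPDATE: SOCKS5 heap buffer overflow
    - debian/patches/CVE-2023-38545.patch: return error if hostname too
      long for remote resolve in lib/socks.c, tests/data/Makefile.inc,
      tests/data/test728.
    - CVE-2023-38545
  * SECURITY UPDATE: cookie injection with none file
    - debian/patches/CVE-2023-38546.patch: remove unnecessary struct fields
      in lib/cookie.c, lib/cookie.h, lib/easy.c.
    - CVE-2023-38546

curl (7.81.0-1ubuntu1.13) jammy-security; urgency=medium

  * SECURITY UPDATE: placeholder entry constructed for this example
    - CVE-0000-00001
"""

# Debian changelog entry header: "<source> (<version>) <suite>; urgency=<level>"
HEADER = re.compile(r"^(\S+) \(([^)]+)\) \S+; urgency=\S+$", re.MULTILINE)


def parse_changelog(text):
    """Return [(version, body_text)] in file order, i.e. newest version first."""
    matches = list(HEADER.finditer(text))
    entries = []
    for i, m in enumerate(matches):
        end = matches[i + 1].start() if i + 1 < len(matches) else len(text)
        entries.append((m.group(2), text[m.end():end]))
    return entries


def cve_fix_version(changelog, installed, cve):
    """Version at or below `installed` whose entry mentions `cve`, or None.
    Uses the changelog's newest-first order rather than dpkg version math."""
    entries = parse_changelog(changelog)
    versions = [v for v, _ in entries]
    if installed not in versions:
        raise ValueError(f"installed version {installed} not found in changelog")
    # Every entry from the installed one onward is the same version or older.
    for version, body in entries[versions.index(installed):]:
        if re.search(rf"\b{re.escape(cve)}\b", body):
            return version
    return None
```

On a real Ubuntu system, feed it the output of `apt changelog curl` and the version from `dpkg-query -W -f='${Version}' curl`; a result of None for a CVE the scanner flags is the case worth escalating.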
Thank you for the response. Yes, I understand that Ubuntu Jammy provides 7.81.0-1ubuntu1.14 as the latest package available for curl. Right now we are trying to build our own RStudio image with Ubuntu Noble as the base image, and below is the error message I get when I try to build the image.
In this case you would need to make sure that the curl package is installed in the first place (apt install -y curl).
In addition to that, I would like to point out that Ubuntu Noble (24.04 LTS) is only slated to be released on April 25th, 2024. As a consequence, we only support up to and including Ubuntu Jammy (22.04 LTS).
Hi Michael, Just wanted to follow up on the request "can you please provide flavors of linux supported by posit and their latest versions for rstudio-connect".
Sorry for the delay here. My bad. Please note that for all requests around commercial products you can always raise a support request at Posit Professional Product Support. This will give you more timely responses governed by our SLA.