Critical CVEs in registry container

[wkbrd]

The latest registry:2 container has critical CVEs.

NAME INSTALLED FIXED-IN TYPE VULNERABILITY SEVERITY
libcrypto3 3.1.5-r0 3.1.6-r0 apk CVE-2024-5535 Critical
libcrypto3 3.1.5-r0 3.1.6-r0 apk CVE-2024-4741 Unknown
libssl3 3.1.5-r0 3.1.6-r0 apk CVE-2024-5535 Critical
libssl3 3.1.5-r0 3.1.6-r0 apk CVE-2024-4741 Unknown

This was scanned using Grype.

Can these be fixed?

[milosgajdos]

Please use v3 images. v2 is in a state that's not been touched for a long time.

[wkbrd]

The only 3.x version appears to be 3.0.0-alpha.1 per https://hub.docker.com/_/registry/tags.
It also has critical CVEs.

Am I pulling from the correct docker location?

[milosgajdos]

They just merged docker-library/official-images#17151

Not sure how long it takes to build it 🤷‍♂️ In the meantime you can grab the latest release from:

• https://hub.docker.com/r/distribution/distribution/tags (docker pull distribution/distribution:3.0.0-beta.1)
• https://github.com/distribution/distribution/pkgs/container/distribution (docker pull ghcr.io/distribution/distribution:3.0.0-beta.1)

[wkbrd]

I just pulled down distribution/distribution:3.0.0-beta.1 and it still has two fixable Critical CVEs:
libcrypto3 3.3.1-r0 3.3.1-r1 apk CVE-2024-5535 Critical
libssl3 3.3.1-r0 3.3.1-r1 apk CVE-2024-5535 Critical

Can this be fixed in the container image?

[milosgajdos]

Unfortunately, the latest alpine image we build off has those vulns so there is nothing we can do about that until that basee image is fixed. https://hub.docker.com/_/alpine/tags

Grab a binary and build your own is the best I can recommend to you at the moment.

[wkbrd]

Thanks for the quick reply.

Adding this link as a reference: alpinelinux/docker-alpine#405.

Let's leave this ticket open as we wait for the container base image to be patched.