View Issue Details

ID: 0016069
Project: CentOS-7
Category: glibc
View Status: public
Last Update: 2019-05-12 23:28
Reporter: kr1warren
Priority: normal
Severity: major
Reproducibility: always
Status: closed
Resolution: no change required
Product Version: 7.6.1810
Target Version:
Fixed in Version:
Summary: 0016069: glibc-2.17-260.el7_6.5.x86_64 has 19 critical vuls
Description: Per Docker DTR scan of an image built using the latest packages from the CentOS public repositories, there are 19 critical vulnerabilities identified with glibc-2.17-260.el7_6.5.x86_64.

The previous version, glibc-2.17-260.el7_6.4.x86_64, only had 3.

Some very old CVEs are referenced for the 6.5 version.

Major and minor vul counts also went up for the 6.5 version.

Steps To Reproduce: Use a vul scanner of some kind. I used the Docker DTR scanner with the latest CVE DB available this morning, version 733.
Tags: No tags attached.
abrt_hash:
URL:

Activities

kr1warren (reporter) - 2019-05-11 09:45

glibc-2.17-260.el7_6.4.x86_64-crits.docx (2,386 bytes)
glibc-2.17-260.el7_6.5.x86_64-crits.docx (4,364 bytes)
20190510-a-raw-list (3,154 bytes)
audit-libs-2.8.4-4.el7.x86_64
basesystem-10.0-7.el7.centos.noarch
bash-4.2.46-31.el7.x86_64
bind-license-9.9.4-73.el7_6.noarch
bzip2-libs-1.0.6-13.el7.x86_64
ca-certificates-2018.2.22-70.0.el7_5.noarch
centos-logos-70.0.6-3.el7.centos.noarch
centos-release-7-6.1810.2.el7.centos.x86_64
chkconfig-1.7.4-1.el7.x86_64
coreutils-8.22-23.el7.x86_64
cpio-2.11-27.el7.x86_64
curl-7.29.0-51.el7.x86_64
cyrus-sasl-lib-2.1.26-23.el7.x86_64
diffutils-3.3-4.el7.x86_64
elfutils-libelf-0.172-2.el7.x86_64
expat-2.1.0-10.el7_3.x86_64
file-libs-5.11-35.el7.x86_64
filesystem-3.2-25.el7.x86_64
findutils-4.5.11-6.el7.x86_64
gawk-4.0.2-4.el7_3.1.x86_64
gdbm-1.10-8.el7.x86_64
glib2-2.56.1-2.el7.x86_64
glibc-2.17-260.el7_6.4.x86_64
glibc-common-2.17-260.el7_6.4.x86_64
gmp-6.0.0-15.el7.x86_64
gnupg2-2.0.22-5.el7_5.x86_64
gpg-pubkey-f4a80eb5-53a7ff4b
gpgme-1.3.2-5.el7.x86_64
grep-2.20-3.el7.x86_64
info-5.1-5.el7.x86_64
keyutils-libs-1.5.8-3.el7.x86_64
krb5-libs-1.15.1-37.el7_6.x86_64
libacl-2.2.51-14.el7.x86_64
libassuan-2.1.0-3.el7.x86_64
libattr-2.4.46-13.el7.x86_64
libblkid-2.23.2-59.el7_6.1.x86_64
libcap-2.22-9.el7.x86_64
libcap-ng-0.7.5-4.el7.x86_64
libcom_err-1.42.9-13.el7.x86_64
libcurl-7.29.0-51.el7.x86_64
libdb-5.3.21-24.el7.x86_64
libdb-utils-5.3.21-24.el7.x86_64
libffi-3.0.13-18.el7.x86_64
libgcc-4.8.5-36.el7_6.2.x86_64
libgcrypt-1.5.3-14.el7.x86_64
libgpg-error-1.12-3.el7.x86_64
libidn-1.28-4.el7.x86_64
libmount-2.23.2-59.el7_6.1.x86_64
libselinux-2.5-14.1.el7.x86_64
libsemanage-2.5-14.el7.x86_64
libsepol-2.5-10.el7.x86_64
libssh2-1.4.3-12.el7_6.2.x86_64
libstdc++-4.8.5-36.el7_6.2.x86_64
libtasn1-4.10-1.el7.x86_64
libuuid-2.23.2-59.el7_6.1.x86_64
libverto-0.2.5-4.el7.x86_64
libxml2-2.9.1-6.el7_2.3.x86_64
lua-5.1.4-15.el7.x86_64
nano-2.3.1-10.el7.x86_64
ncurses-5.9-14.20130511.el7_4.x86_64
ncurses-base-5.9-14.20130511.el7_4.noarch
ncurses-libs-5.9-14.20130511.el7_4.x86_64
nspr-4.19.0-1.el7_5.x86_64
nss-3.36.0-7.1.el7_6.x86_64
nss-pem-1.0.3-5.el7_6.1.x86_64
nss-softokn-3.36.0-5.el7_5.x86_64
nss-softokn-freebl-3.36.0-5.el7_5.x86_64
nss-sysinit-3.36.0-7.1.el7_6.x86_64
nss-tools-3.36.0-7.1.el7_6.x86_64
nss-util-3.36.0-1.1.el7_6.x86_64
openldap-2.4.44-21.el7_6.x86_64
openssl-libs-1.0.2k-16.el7_6.1.x86_64
p11-kit-0.23.5-3.el7.x86_64
p11-kit-trust-0.23.5-3.el7.x86_64
pcre-8.32-17.el7.x86_64
pinentry-0.8.1-17.el7.x86_64
popt-1.13-16.el7.x86_64
pth-2.0.7-23.el7.x86_64
pygpgme-0.3-9.el7.x86_64
pyliblzma-0.5.3-11.el7.x86_64
python-2.7.5-77.el7_6.x86_64
python-iniparse-0.4-9.el7.noarch
python-libs-2.7.5-77.el7_6.x86_64
python-pycurl-7.19.0-19.el7.x86_64
python-urlgrabber-3.10-9.el7.noarch
pyxattr-0.5.1-5.el7.x86_64
readline-6.2-10.el7.x86_64
rpm-4.11.3-35.el7.x86_64
rpm-build-libs-4.11.3-35.el7.x86_64
rpm-libs-4.11.3-35.el7.x86_64
rpm-python-4.11.3-35.el7.x86_64
sed-4.2.2-5.el7.x86_64
setup-2.8.71-10.el7.noarch
shadow-utils-4.1.5.1-25.el7_6.1.x86_64
shared-mime-info-1.8-4.el7.x86_64
sqlite-3.7.17-8.el7.x86_64
tzdata-2019a-1.el7.noarch
ustr-1.0.4-16.el7.x86_64
xz-libs-5.2.2-1.el7.x86_64
yum-3.4.3-161.el7.centos.noarch
yum-metadata-parser-1.1.4-10.el7.x86_64
yum-plugin-fastestmirror-1.1.31-50.el7.noarch
zlib-1.2.7-18.el7.x86_64
20190510-b-raw-list (3,154 bytes)
audit-libs-2.8.4-4.el7.x86_64
basesystem-10.0-7.el7.centos.noarch
bash-4.2.46-31.el7.x86_64
bind-license-9.9.4-73.el7_6.noarch
bzip2-libs-1.0.6-13.el7.x86_64
ca-certificates-2018.2.22-70.0.el7_5.noarch
centos-logos-70.0.6-3.el7.centos.noarch
centos-release-7-6.1810.2.el7.centos.x86_64
chkconfig-1.7.4-1.el7.x86_64
coreutils-8.22-23.el7.x86_64
cpio-2.11-27.el7.x86_64
curl-7.29.0-51.el7.x86_64
cyrus-sasl-lib-2.1.26-23.el7.x86_64
diffutils-3.3-4.el7.x86_64
elfutils-libelf-0.172-2.el7.x86_64
expat-2.1.0-10.el7_3.x86_64
file-libs-5.11-35.el7.x86_64
filesystem-3.2-25.el7.x86_64
findutils-4.5.11-6.el7.x86_64
gawk-4.0.2-4.el7_3.1.x86_64
gdbm-1.10-8.el7.x86_64
glib2-2.56.1-2.el7.x86_64
glibc-2.17-260.el7_6.5.x86_64
glibc-common-2.17-260.el7_6.5.x86_64
gmp-6.0.0-15.el7.x86_64
gnupg2-2.0.22-5.el7_5.x86_64
gpg-pubkey-f4a80eb5-53a7ff4b
gpgme-1.3.2-5.el7.x86_64
grep-2.20-3.el7.x86_64
info-5.1-5.el7.x86_64
keyutils-libs-1.5.8-3.el7.x86_64
krb5-libs-1.15.1-37.el7_6.x86_64
libacl-2.2.51-14.el7.x86_64
libassuan-2.1.0-3.el7.x86_64
libattr-2.4.46-13.el7.x86_64
libblkid-2.23.2-59.el7_6.1.x86_64
libcap-2.22-9.el7.x86_64
libcap-ng-0.7.5-4.el7.x86_64
libcom_err-1.42.9-13.el7.x86_64
libcurl-7.29.0-51.el7.x86_64
libdb-5.3.21-24.el7.x86_64
libdb-utils-5.3.21-24.el7.x86_64
libffi-3.0.13-18.el7.x86_64
libgcc-4.8.5-36.el7_6.2.x86_64
libgcrypt-1.5.3-14.el7.x86_64
libgpg-error-1.12-3.el7.x86_64
libidn-1.28-4.el7.x86_64
libmount-2.23.2-59.el7_6.1.x86_64
libselinux-2.5-14.1.el7.x86_64
libsemanage-2.5-14.el7.x86_64
libsepol-2.5-10.el7.x86_64
libssh2-1.4.3-12.el7_6.2.x86_64
libstdc++-4.8.5-36.el7_6.2.x86_64
libtasn1-4.10-1.el7.x86_64
libuuid-2.23.2-59.el7_6.1.x86_64
libverto-0.2.5-4.el7.x86_64
libxml2-2.9.1-6.el7_2.3.x86_64
lua-5.1.4-15.el7.x86_64
nano-2.3.1-10.el7.x86_64
ncurses-5.9-14.20130511.el7_4.x86_64
ncurses-base-5.9-14.20130511.el7_4.noarch
ncurses-libs-5.9-14.20130511.el7_4.x86_64
nspr-4.19.0-1.el7_5.x86_64
nss-3.36.0-7.1.el7_6.x86_64
nss-pem-1.0.3-5.el7_6.1.x86_64
nss-softokn-3.36.0-5.el7_5.x86_64
nss-softokn-freebl-3.36.0-5.el7_5.x86_64
nss-sysinit-3.36.0-7.1.el7_6.x86_64
nss-tools-3.36.0-7.1.el7_6.x86_64
nss-util-3.36.0-1.1.el7_6.x86_64
openldap-2.4.44-21.el7_6.x86_64
openssl-libs-1.0.2k-16.el7_6.1.x86_64
p11-kit-0.23.5-3.el7.x86_64
p11-kit-trust-0.23.5-3.el7.x86_64
pcre-8.32-17.el7.x86_64
pinentry-0.8.1-17.el7.x86_64
popt-1.13-16.el7.x86_64
pth-2.0.7-23.el7.x86_64
pygpgme-0.3-9.el7.x86_64
pyliblzma-0.5.3-11.el7.x86_64
python-2.7.5-77.el7_6.x86_64
python-iniparse-0.4-9.el7.noarch
python-libs-2.7.5-77.el7_6.x86_64
python-pycurl-7.19.0-19.el7.x86_64
python-urlgrabber-3.10-9.el7.noarch
pyxattr-0.5.1-5.el7.x86_64
readline-6.2-10.el7.x86_64
rpm-4.11.3-35.el7.x86_64
rpm-build-libs-4.11.3-35.el7.x86_64
rpm-libs-4.11.3-35.el7.x86_64
rpm-python-4.11.3-35.el7.x86_64
sed-4.2.2-5.el7.x86_64
setup-2.8.71-10.el7.noarch
shadow-utils-4.1.5.1-25.el7_6.1.x86_64
shared-mime-info-1.8-4.el7.x86_64
sqlite-3.7.17-8.el7.x86_64
tzdata-2019a-1.el7.noarch
ustr-1.0.4-16.el7.x86_64
xz-libs-5.2.2-1.el7.x86_64
yum-3.4.3-161.el7.centos.noarch
yum-metadata-parser-1.1.4-10.el7.x86_64
yum-plugin-fastestmirror-1.1.31-50.el7.noarch
zlib-1.2.7-18.el7.x86_64
TrevorH (manager) - 2019-05-11 14:34 - ~0034446

Boy, but your security scanner sucks!

https://access.redhat.com/security/cve/cve-2014-4043 - The Red Hat Security Response Team has rated this issue as having Low security impact. This issue is not currently planned to be addressed in future updates for Red Hat Enterprise Linux 4 and 5. A future update may address this flaw in Red Hat Enterprise Linux 6 or 7.

https://access.redhat.com/security/cve/cve-2019-9169 - not currently scheduled to be fixed

https://access.redhat.com/security/cve/cve-2013-2207 (seems to be CVE-2016-2856 by a different number) - fixed
Changelog for glibc on el7 says:
* Thu Jul 25 2013 Patsy Franklin <pfrankli@redhat.com> - 2.17-14
- Disable the use of pt_chown(Bugzilla #15755). Distributions can re-enable
  building and using pt_chown with`--enable-pt_chown'. (#984828i, CVE-2013-2207).

https://access.redhat.com/security/cve/cve-2015-0235 - fixed
https://access.redhat.com/security/cve/cve-2014-9402 - fixed
https://access.redhat.com/security/cve/cve-2012-4412 - not affected
https://access.redhat.com/security/cve/cve-2014-9984 - not affected
https://access.redhat.com/security/cve/cve-2015-1472 - fixed
https://access.redhat.com/security/cve/cve-2016-4429 - low severity, will not fix
https://access.redhat.com/security/cve/cve-2017-15670 - fixed
https://access.redhat.com/security/cve/cve-2017-15804 - fixed
https://access.redhat.com/security/cve/cve-2014-4043 - low severity, "fix deferred"
https://access.redhat.com/security/cve/cve-2014-9761 - fixed
https://access.redhat.com/security/cve/cve-2015-8778 - fixed
https://access.redhat.com/security/cve/cve-2015-8779 - fixed
https://access.redhat.com/security/cve/cve-2018-11236 - fixed
https://access.redhat.com/security/cve/cve-2018-6485 - fixed
https://access.redhat.com/security/cve/cve-2019-9169 - not currently scheduled to be fixed
https://access.redhat.com/security/cve/cve-2015-5277 - fixed
https://access.redhat.com/security/cve/cve-2018-1000001 - fixed
https://access.redhat.com/security/cve/cve-2017-1000366 - fixed
kr1warren (reporter) - 2019-05-11 16:24 - ~0034447

I hope that is the case and I will be happy to inform Docker that their scanning engine in their Enterprise product has issues.

But for at least the last month the scanner has been only showing 3 Crits for the previous package of glibc. It added 16 more crits only after glibc-2.17-260.el7_6.5.x86_64 was released to the public repo. I have scanned against two versions of the CVE DB and it showed 19 crits for the 6.5 version.

I do see a difference in how the Docker DTR scanner sees the version of the glibc package.

For the 6.4 version it sees it as: 2.17-260.el7_6.4

For the 6.5 version it sees it as: 2.17

I am assuming the CentOS build team controls the version names. It could be this difference that makes the Docker DTR think it is dealing with an older version of glibc, so it lists all of these older vuls.

Any ideas why Docker DTR would be reading just 2.17 for the version of the 6.5 package?

Some pictures attached from the DTR GUI.

glibc-6.4.png (100,572 bytes)
glibc-6.5.png (97,556 bytes)
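The version-string mismatch described in the comment above, as an added example that is not part of the original report and is not Docker DTR's code: a small Python parser for RPM package strings (name-[epoch:]version-release.arch) with an rpmvercmp-style comparison (tilde and caret pre-release handling omitted). It shows that the full EVR 2.17-260.el7_6.5 compares as newer than 2.17-14, the build in which the changelog quoted by TrevorH says CVE-2013-2207 was fixed, while a bare 2.17 (release dropped) compares as older and would be flagged for every CVE fixed in any later build. Treating "installed EVR at or past the fixing build" as the scanner's decision rule is an assumption about how a backport-aware scanner works, not a description of DTR's internals.

```python
import re

# A run of digits or a run of letters is a segment; everything else is a separator.
_SEGMENT = re.compile(r"\d+|[A-Za-z]+")

# Arches seen in the attached package lists; anything else is treated as
# "no arch" (e.g. the gpg-pubkey pseudo-package in the same lists).
KNOWN_ARCHES = {"x86_64", "noarch", "i686", "aarch64", "ppc64le", "s390x"}


def rpmvercmp(a, b):
    """Compare two version or release strings the way rpm's rpmvercmp does.

    Returns -1, 0 or 1. This is a simplified reimplementation (no tilde/caret
    handling), not rpm's own code.
    """
    if a == b:
        return 0
    seg_a = _SEGMENT.findall(a)
    seg_b = _SEGMENT.findall(b)
    for x, y in zip(seg_a, seg_b):
        x_num, y_num = x.isdigit(), y.isdigit()
        if x_num != y_num:
            # A numeric segment is always newer than an alphabetic one.
            return 1 if x_num else -1
        if x_num:
            xi, yi = int(x), int(y)  # int() drops leading zeros, as rpm does
            if xi != yi:
                return 1 if xi > yi else -1
        elif x != y:
            return 1 if x > y else -1
    # All shared segments are equal: whichever string has segments left wins.
    if len(seg_a) == len(seg_b):
        return 0
    return 1 if len(seg_a) > len(seg_b) else -1


def parse_nevra(pkg):
    """Split 'name-[epoch:]version-release.arch' into its fields."""
    arch = None
    head, _, tail = pkg.rpartition(".")
    if tail in KNOWN_ARCHES:
        arch, pkg = tail, head
    name_ver, _, release = pkg.rpartition("-")
    name, _, version = name_ver.rpartition("-")
    epoch = 0
    if ":" in version:
        epoch_str, version = version.split(":", 1)
        epoch = int(epoch_str)
    return {"name": name, "epoch": epoch, "version": version,
            "release": release, "arch": arch}


def parse_evr(evr):
    """'[epoch:]version[-release]' -> (epoch, version, release)."""
    epoch = 0
    if ":" in evr:
        epoch_str, evr = evr.split(":", 1)
        epoch = int(epoch_str)
    version, _, release = evr.partition("-")
    return epoch, version, release


def evr_cmp(a, b):
    """Compare two EVR strings: epoch first, then version, then release."""
    ea, va, ra = parse_evr(a)
    eb, vb, rb = parse_evr(b)
    if ea != eb:
        return 1 if ea > eb else -1
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)


def is_fixed(installed_evr, fixed_in_evr):
    """Backport-aware check (assumed scanner rule): installed build is at or
    past the build that carried the fix."""
    return evr_cmp(installed_evr, fixed_in_evr) >= 0


def nevra_evr(pkg):
    """EVR string ('[epoch:]version-release') of a full package string."""
    p = parse_nevra(pkg)
    evr = f"{p['version']}-{p['release']}"
    return f"{p['epoch']}:{evr}" if p["epoch"] else evr


if __name__ == "__main__":
    # From the changelog entry quoted in the thread: CVE-2013-2207 fixed in 2.17-14.
    FIXED_IN = "2.17-14"
    for installed in ("glibc-2.17-260.el7_6.4.x86_64",
                      "glibc-2.17-260.el7_6.5.x86_64"):
        full = nevra_evr(installed)                # e.g. "2.17-260.el7_6.5"
        bare = parse_nevra(installed)["version"]   # "2.17": release dropped
        print(f"{installed}: full EVR {full!r} fixed={is_fixed(full, FIXED_IN)}; "
              f"bare version {bare!r} fixed={is_fixed(bare, FIXED_IN)}")
```

Run stand-alone, the script reports the 6.4 and 6.5 builds as fixed when their full EVR is compared and as not fixed when only "2.17" is compared, which is exactly the difference between the two DTR screenshots described above. A scanner that loses the release field on one build and not the other will therefore report a jump in findings without any change in the package's actual patch state.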
TrevorH (manager) - 2019-05-11 16:26 - ~0034448

Since I have no idea what this docker scanner is, I would suspect that it's a problem with it not with our glibc. I suggest you ask them to investigate and work out why it's gone wrong.
kr1warren (reporter) - 2019-05-11 16:38 - ~0034449

K. I don't know how the scanner actually does its work. But the only thing that gets updated is the CVE database. Maybe the CVE DB does not know about the glibc 6.5 version yet, so it goes blech and reverts to a stripped-down version to determine the vuls, to err on the cautious side.

But this is just a guess.

Thanks. I will try the scan again in a couple of days with a newer version of their CVE DB with the hope it gets the info on the 6.5 vul version correct.
kr1warren (reporter) - 2019-05-12 23:03 - ~0034451

I updated the CVE DB used by the Docker DTR scanner today and it appears to be using the full version of the glibc now. And it is back to reporting only 3 Crit vuls. Apologies for making some noise when no noise was needed.

glibc-full.png (6,928 bytes)

Issue History

Date Modified Username Field Change
2019-05-11 09:45 kr1warren New Issue
2019-05-11 09:45 kr1warren File Added: glibc-2.17-260.el7_6.4.x86_64-crits.docx
2019-05-11 09:45 kr1warren File Added: glibc-2.17-260.el7_6.5.x86_64-crits.docx
2019-05-11 09:45 kr1warren File Added: 20190510-a-raw-list
2019-05-11 09:45 kr1warren File Added: 20190510-b-raw-list
2019-05-11 14:34 TrevorH Note Added: 0034446
2019-05-11 16:24 kr1warren File Added: glibc-6.4.png
2019-05-11 16:24 kr1warren File Added: glibc-6.5.png
2019-05-11 16:24 kr1warren Note Added: 0034447
2019-05-11 16:26 TrevorH Note Added: 0034448
2019-05-11 16:38 kr1warren Note Added: 0034449
2019-05-12 23:03 kr1warren File Added: glibc-full.png
2019-05-12 23:03 kr1warren Note Added: 0034451
2019-05-12 23:28 jrd Status new => closed
2019-05-12 23:28 jrd Resolution open => no change required