[scl.org] Queries regarding nodejs 12 image

Petr Kubat pkubat at redhat.com
Thu Mar 19 08:07:11 UTC 2020


Hi Abhinay,

On 3/19/20 8:28 AM, Abhinay Purty wrote:
> Hello Team,
>
> IHAC with a few queries.
>
> 1. Do the following images contain the security fixes that are
> mentioned in
> 'https://nodejs.org/en/blog/vulnerability/february-2020-security-releases'
> (CVE-2019-15604, CVE-2019-15605, CVE-2019-15606)?
>
> [*] https://access.redhat.com/containers/#/registry.access.redhat.com/ubi8/nodejs-12
> [*] https://access.redhat.com/containers/#/registry.access.redhat.com/rhel8/nodejs-12
>
> If I understand correctly, the latest versions of those images were
> built before security fixes CVE-2019-15604[1], CVE-2019-15605[2],
> CVE-2019-15606[3] were released.
>
> [1] https://access.redhat.com/security/cve/CVE-2019-15604
> [2] https://access.redhat.com/security/cve/CVE-2019-15605
> [3] https://access.redhat.com/security/cve/CVE-2019-15606

The released images seem to be affected by the CVEs mentioned, but do 
not show up as such in the catalog. This is a problem and I have opened 
up a ticket against container grading to check what went wrong: 
https://projects.engineering.redhat.com/projects/GRADING/issues/GRADING-125

The CVEs will soon be fixed (I have checked fixed builds are present) 
once the following advisory gets pushed: 
https://errata.devel.redhat.com/advisory/52592


> 2. Are there any plans to release ubi8/nodejs-12 and rhel8/nodejs-12
> s2i builder images that would include the current LTS version of nodejs
> (12.16.1)?
>
> 3. Do ubi8/nodejs-12 and rhel8/nodejs-12 have a vanilla
> installation of the nodejs runtime? Or is the nodejs runtime in those
> images Red Hat's own implementation of the nodejs runtime?

I will leave these two to be answered by nodejs maintainers (added to CC).

Petr

>
>
> -- 
> Regards,
>
> Abhinay Purty
>
> Associate Technical Support Engineer
>
> Red Hat India Pvt. Ltd. <https://www.redhat.com>
>
> <https://red.ht/sig>
>