On Sep 28, 2022 at 4:49:29 PM, "Bower, Jesse (LNG-HBE)" <
jesse.bo...@lexisnexis.com> wrote:
> Package: git-lfs
>
> Version: 2.13.2-1+b5
>
> After I install git-lfs the docker image is seen as having the following
> CVEs:
>
> Seen from the version of Go used to build git-lfs:
>
> "name": "go",
> "version": "1.15.9",
> "path": "/usr/bin/git-lfs",
> "layerTime": 0,
> "knownVulnerabilities": 72
>
> Example Dockerfile used for testing
>
> FROM debian:stable-slim
>
> RUN apt-get update && apt-get upgrade -y && apt-get install -y git-lfs
>
> I suggest that the version of Go used to build git-lfs is updated to a
> current version.
>
> Thank you,
>
> Jesse Bower
>
Jesse,

The way that Go packages are built in Debian is that they are required to
use the version of the Go compiler in the current release. Therefore, any
CVEs that are patched there are also patched in this version of git-lfs. If
there are unpatched vulnerabilities with the Debian Go compiler, you will
instead need to file a bug against the golang-go package.

Stephen
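The reply above points the reporter at the toolchain package rather than git-lfs. The following added example (not from the bug report or from Debian) shows how a scanner finding like "go 1.15.9 in /usr/bin/git-lfs" can be traced back to that toolchain package: read the Go release string embedded in the binary, then derive the Debian source package whose changelog and tracker page record the backported fixes. It assumes Debian's `golang-1.X` naming for the toolchain source package; the demo input is a constructed stand-in for a real binary.

```sh
#!/bin/sh
# Added example: trace a scanner's "built with go1.X.Y" finding to the Debian
# toolchain source package that carries the security backports.

# Fallback extractor: Go binaries embed runtime.buildVersion as a plain
# string, so grep the file for the first go1.X[.Y] token.
grep_go_version() {
    grep -a -o -E 'go1\.[0-9]+(\.[0-9]+)?' "$1" | head -n 1
}

# Preferred extractor: `go version FILE` reads the build info properly and
# prints "FILE: go1.X.Y"; fall back to grep when the go tool is absent.
extract_go_version() {
    bin="$1"
    if command -v go >/dev/null 2>&1; then
        v=$(go version "$bin" 2>/dev/null | awk '{print $2}')
        [ -n "$v" ] && { printf '%s\n' "$v"; return 0; }
    fi
    grep_go_version "$bin"
}

# Assumption: Debian ships each Go toolchain as source package golang-1.X
# (golang-go itself is only the default-version metapackage).
toolchain_source_package() {
    minor=$(printf '%s' "$1" | sed -E 's/^go1\.([0-9]+).*/\1/')
    printf 'golang-1.%s\n' "$minor"
}

report() {
    bin="$1"
    v=$(extract_go_version "$bin")
    [ -n "$v" ] || { echo "no Go version string found in $bin" >&2; return 1; }
    pkg=$(toolchain_source_package "$v")
    echo "binary:    $bin"
    echo "toolchain: $v"
    echo "source:    $pkg"
    echo "check:     apt-get changelog $pkg   # grep for the CVE ids the scanner listed"
    echo "           https://tracker.debian.org/pkg/$pkg"
}

# Demo on a constructed stand-in (real use: report /usr/bin/git-lfs).
demo_bin=$(mktemp)
printf 'not a real ELF\0go1.15.9\0padding' > "$demo_bin"
report "$demo_bin"
rm -f "$demo_bin"
```

On the reporter's image this resolves to `golang-1.15`, whose changelog lists which of the scanner's CVE ids Debian has already backported.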