Apache 2.4.61 security release

[wmortada]

There have been two recent security releases for Apache:

• Apache 2.4.60 on 1 July 2024
• Apache 2.4.61 on 3 July 2024

However the latest images appear to be running Apache 2.4.59 which is shown as having a critical security vulnerability.

Is it possible to build new images that include the latest version of Apache and patch this security vulnerability?

[leedave]

Also listening in as I use this image a lot and the old Apache release has a critical vulnerability that I'd like to be rid of.

[yosifkit]

The Apache httpd that we use comes from Debian's packages, so they would have to incorporate/backport patches to address these vulnerabilities. As it turns out, there is an update available, so it will get installed next time the image is rebuilt.

• 2.4.61, which fixes CVE-2024-39884: https://security-tracker.debian.org/tracker/CVE-2024-39884, <not-affected> (Vulnerable code not present)
• 2.4.60 (copying the Debian Bookworm fixed versions, but the pages also list the Bullseye versions)
  • https://security-tracker.debian.org/tracker/CVE-2024-36387: fixed in version 2.4.61-1~deb12u1
  • https://security-tracker.debian.org/tracker/CVE-2024-38472: Only affects Apache HTTP Server on Windows
  • https://security-tracker.debian.org/tracker/CVE-2024-38473: fixed in version 2.4.61-1~deb12u1
  • https://security-tracker.debian.org/tracker/CVE-2024-38474: fixed in version 2.4.61-1~deb12u1
  • https://security-tracker.debian.org/tracker/CVE-2024-38475: fixed in version 2.4.61-1~deb12u1
  • https://security-tracker.debian.org/tracker/CVE-2024-38476: fixed in version 2.4.61-1~deb12u1
  • https://security-tracker.debian.org/tracker/CVE-2024-38477: fixed in version 2.4.61-1~deb12u1
  • https://security-tracker.debian.org/tracker/CVE-2024-39573: fixed in version 2.4.61-1~deb12u1

Background:

Tags in the [official-images] library file[s] are only built through an update to that library file or as a result of its base image being updated (ie, an image FROM debian:bookworm would be rebuilt when debian:bookworm is built).

-https://github.com/docker-library/official-images/tree/2f086314307c04e1de77f0a515f20671e60d40bb#library-definition-files

Official Images FAQ:

Though not every CVE is removed from the images, we take CVEs seriously and try to ensure that images contain the most up-to-date packages available within a reasonable time frame

- https://github.com/docker-library/faq/tree/0ad5fd60288109c875a54a37f6581b2deaa836db#why-does-my-security-scanner-show-that-an-image-has-cves

To ensure that we don't push contentless image changes, we rely on periodic base image updates.

We strive to publish updated images at least monthly for Debian. We also rebuild earlier if there is a critical security need. Many Official Images are maintained by the community or their respective upstream projects, like Ubuntu, Alpine, and Oracle Linux, and are subject to their own maintenance schedule.

- from the same FAQ link

So, given that the last Debian rebuild was 2 weeks ago (docker-library/official-images#17091), the next rebuild would likely be next week or the week after at the latest (earlier is more likely). If you need package updates earlier, then temporarily installing them in your own image is the workaround until an updated image is available.

[wmortada]

@yosifkit thanks for explaining the process.

[tianon]

docker-library/official-images#17227 👍

[wmortada]

I can see that new images have just been built however they appear to still include Apache 2.4.59 which has the critical security vulnerability. For example php:8-apache.

[LaurentGoderre]

The latest one is fixed. the link you provided is an outdated one https://hub.docker.com/layers/library/php/8-apache/images/sha256-5d592ca8c06afa668141b40c08e72839d4e85a9b055872fd8331e5a9479199a6?context=explore

[wmortada]

@LaurentGoderre Thanks! That was the latest image when I checked but it looks like a more recent one has been pushed since then.

[leedave]

Thanks for the update, got mine updated :)