Security Scan against solace/solace-pubsub-standard:latest (2 months ago) shows 6 HIGH prio vulnerabilities
Hello,
Security Scan against solace/solace-pubsub-standard:latest (ec1886a90f54 2 months ago) shows 6 HIGH prio vulnerabilities
Is there anybody who knows when Solace will fix it, and also in the enterprise versions?
Any hint / script to fix this fast from the community?
output generated with docker-desktop and extension trivy
Regards, Matthias
Answers
Try:
solace-pubsub-standard $ vi Dockerfile
# Rebuild the published image with the base image's package updates applied
FROM solace/solace-pubsub-standard
# Switch to root so microdnf can update packages; note the image keeps running
# as root from here on unless a later USER instruction switches back
USER root
RUN microdnf update -y
solace-pubsub-standard $ docker build -t solace-pubsub-standard:20220531 .
output is:
Transaction Summary:
Installing: 5 packages
Reinstalling: 0 packages
Upgrading: 116 packages
Obsoleting: 0 packages
Removing: 0 packages
Downgrading: 0 packages
0 -
Hi Matthias,
Thanks for your interest in our product. There are a few aspects to your question, and I'll try to answer them all here.
In addition to the :latest tag, we also publish an :edge tag. A few of the vulnerabilities you mentioned have already been fixed in our :edge release.
Our container is based on the Red Hat Universal Basic Image (UBI); we rely on vulnerability fixes within the UBI, and some of these vulnerabilities do not have available fixes. Sometimes Red Hat chooses not to release a fix at all (the CVE-2018 vulnerabilities are examples of this).
The remainder of the vulnerabilities you mentioned will be resolved in an upcoming release.
Finally, I'd like to strongly caution you against updating our docker container yourself. There is a chance that problems will be introduced with updated libraries, and Solace has not certified our broker with these versions of libraries.
Judd
2 -
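Judd's answer sorts the scan findings into three groups: already fixed in :edge, no fix available from Red Hat, and awaiting an upcoming release; Matthias compares totals between two scans. The script below is an added example, not part of this thread and not Solace's or Trivy's own tooling, that performs that triage over Trivy's JSON output (`trivy image -f json ...`): it separates HIGH/CRITICAL findings with a `FixedVersion` (a rebuild on an updated base can remove them) from those without one (only mitigation or risk acceptance applies), and diffs two reports, for example of the :latest and :edge tags. The two reports are constructed samples with placeholder CVE ids and package versions, not real results for the Solace image.

```python
"""Triage Trivy JSON scan reports (schema version 2): which HIGH/CRITICAL
findings have a fix available, and which findings disappear between two tags.

Added example; the reports below are constructed samples with placeholder
CVE ids and package versions, not real scan output for the Solace image.
"""
import json
from collections import Counter

# Constructed findings for a hypothetical ":latest" tag (placeholder data).
# Entries without a non-empty FixedVersion mirror the case Judd describes:
# the distribution has not shipped, or will not ship, a fix.
_LATEST_VULNS = [
    {"VulnerabilityID": "CVE-EXAMPLE-1", "PkgName": "openssl-libs",
     "InstalledVersion": "1.0-1", "FixedVersion": "1.0-2", "Severity": "HIGH"},
    {"VulnerabilityID": "CVE-EXAMPLE-2", "PkgName": "curl",
     "InstalledVersion": "7.0-1", "FixedVersion": "7.0-2", "Severity": "HIGH"},
    {"VulnerabilityID": "CVE-EXAMPLE-3", "PkgName": "libxml2",
     "InstalledVersion": "2.9-1", "FixedVersion": "2.9-2", "Severity": "HIGH"},
    {"VulnerabilityID": "CVE-EXAMPLE-4", "PkgName": "glibc",
     "InstalledVersion": "2.28-1", "FixedVersion": "2.28-2", "Severity": "HIGH"},
    {"VulnerabilityID": "CVE-EXAMPLE-5", "PkgName": "systemd-libs",
     "InstalledVersion": "3.0-1", "FixedVersion": "", "Severity": "HIGH"},
    {"VulnerabilityID": "CVE-EXAMPLE-6", "PkgName": "python3-libs",
     "InstalledVersion": "3.6-1", "Severity": "HIGH"},  # no FixedVersion key at all
    {"VulnerabilityID": "CVE-EXAMPLE-7", "PkgName": "zlib",
     "InstalledVersion": "1.2-1", "FixedVersion": "1.2-2", "Severity": "MEDIUM"},
]
# Hypothetical ":edge" tag: three of the fixable HIGH findings have been rebuilt away.
_EDGE_VULNS = [v for v in _LATEST_VULNS
               if v["VulnerabilityID"] not in {"CVE-EXAMPLE-2", "CVE-EXAMPLE-3", "CVE-EXAMPLE-4"}]


def _report(tag, vulns):
    """Wrap a vulnerability list in the top-level layout Trivy's JSON output uses."""
    return json.dumps({
        "SchemaVersion": 2,
        "ArtifactName": f"example/broker:{tag}",
        "Results": [{"Target": f"example/broker:{tag} (ubi)", "Class": "os-pkgs",
                     "Type": "redhat", "Vulnerabilities": vulns}],
    })


LATEST_REPORT = _report("latest", _LATEST_VULNS)
EDGE_REPORT = _report("edge", _EDGE_VULNS)


def load_findings(report_json):
    """Map (VulnerabilityID, PkgName) -> finding for every vulnerability in a report.
    A Result with no findings omits the 'Vulnerabilities' key, hence the `or []`."""
    findings = {}
    for result in json.loads(report_json).get("Results", []):
        for vuln in result.get("Vulnerabilities") or []:
            findings[(vuln["VulnerabilityID"], vuln["PkgName"])] = vuln
    return findings


def severity_counts(findings):
    """Number of findings per severity, e.g. {'HIGH': 6, 'MEDIUM': 1}."""
    return dict(Counter(v.get("Severity", "UNKNOWN") for v in findings.values()))


def triage(findings, severities=("CRITICAL", "HIGH")):
    """Split findings of the given severities into those with a FixedVersion
    (removable by rebuilding on an updated base) and those without (no upstream
    fix yet, so only mitigation or risk acceptance applies)."""
    fixable, unfixed = [], []
    for (vuln_id, pkg), vuln in findings.items():
        if vuln.get("Severity") not in severities:
            continue
        (fixable if vuln.get("FixedVersion") else unfixed).append(f"{vuln_id} ({pkg})")
    return sorted(fixable), sorted(unfixed)


def compare(old, new):
    """Keys resolved (in old, not in new) and introduced (the reverse) between two scans."""
    return sorted(set(old) - set(new)), sorted(set(new) - set(old))


if __name__ == "__main__":
    latest, edge = load_findings(LATEST_REPORT), load_findings(EDGE_REPORT)
    print("latest:", severity_counts(latest), "edge:", severity_counts(edge))
    fixable, unfixed = triage(latest)
    print("fixable HIGH/CRITICAL:", fixable)
    print("no fix available:", unfixed)
    resolved, introduced = compare(latest, edge)
    print("resolved in edge:", resolved, "introduced:", introduced)
```

The findings are keyed on (CVE id, package) rather than CVE id alone because one CVE can appear against several packages, and a rebuild may fix it in one package but not another. Replace the constructed reports with `json.load()` of real `trivy image -f json` files to run this against actual scans.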
Hello Judd,
Thanks for your answer.
Conclusion for me:
If I use the community edition without support, I'll be up to date (solves critical vuln.: 208 - 188 = 30 vuln. solved, incl. all crit) with my mentioned "docker build -t solace-pubsub-standard:20220531 ." without guarantee regarding functionality and without support.
Regards,
Matthias
0