Debian security vulnerabilities #303

Open
Kala09 opened this issue Dec 24, 2024 · 14 comments

Kala09 commented Dec 24, 2024

Hi,

Is there any chance of upgrading the Debian base from 11 to 12? We have noticed multiple security vulnerabilities in the Debian 11 packages, and the image is being blocked within our organisation.


jjethwa commented Dec 24, 2024

Hi @Kala09

Thanks for creating the issue. I have some preliminary work done on updating the image here: https://github.com/jjethwa/icinga2/tree/bookworm

There does seem to be a problem with Icinga Director on the latest PHP version though: it throws a few warnings upon starting and then throws similar warnings in the Icinga Web 2 UI upon loading one of the Director pages the first time. Functionality seems to be unaffected once the PHP resources are compiled though. It looks like the Director team already know this and are working to update the code so it's compatible. To prevent users from having issues, I won't update the image to Debian Bookworm until Director is fully compatible.

If you don't need Director at this time, you can clone and build off the bookworm branch mentioned above. I'll keep this issue open until we can finally release it to the master branch.

@jjethwa jjethwa pinned this issue Dec 24, 2024

jjethwa commented Dec 24, 2024

Hi @Kala09

Updated the Director references and it looks like we are good to go! I'll submit a PR and push a build to latest. Let me know if you have any issues.

@jjethwa jjethwa unpinned this issue Dec 24, 2024

Kala09 commented Jan 9, 2025

Thank you for the prompt response; most of the critical vulnerabilities are fixed. Unfortunately it is still being blocked because of a few critical and high vulnerabilities, as listed below.

[attached screenshot of the scan results]


jjethwa commented Jan 9, 2025

Hi @Kala09

Thanks for the added information. The build does an update to pull the latest package versions, so it looks like we need to wait for the upstream project updates to make it to the Debian repo. Let's leave this issue open for now and check back next week.


Kala09 commented Jan 9, 2025

Sure @jjethwa , thank you


Kala09 commented Jan 29, 2025

Hi @jjethwa, can you please let me know if there is any possibility of clearing the above critical vulnerabilities?

It looks like a new Debian bookworm version was released on Jan 11, 2025. Can you please have a look at whether this release could fix the vulnerabilities?


jjethwa commented Jan 29, 2025

Hi @Kala09

I just kicked off a new build. It successfully ran and pushed to latest. Can you run your security tool against it? By the way, what tool is it? I might be able to automate it into the build process.


Kala09 commented Feb 4, 2025

Hi @jjethwa - no luck with this; the vulnerability count is still the same. We are using JFrog Xray scans to get the vulnerability report.

Also, do we have any plan to update the image to the new Icinga 2.14.4 release?


jjethwa commented Feb 4, 2025

Hi @Kala09

Thanks for the update. Can you run the scanner against the debian:bookworm image? It should list the same vulnerabilities, but I want to check. I don't have JFrog Xray set up, but I'll look into it when I get time. I just pushed jordan/icinga2:2.14.4.


Kala09 commented Feb 5, 2025

Sure, will have a look and update. Thanks for quick response.


Kala09 commented Feb 14, 2025

Hi @jjethwa ,

The Debian bookworm image shows only one critical and high vulnerability.

[attached screenshot of the debian:bookworm scan results]


jjethwa commented Feb 14, 2025

Thanks for checking, @Kala09. The other CVEs are from the prerequisite packages installed starting at:

RUN export DEBIAN_FRONTEND=noninteractive \


Kala09 commented Feb 17, 2025

Thanks for confirming. Is there any way to get rid of them?


jjethwa commented Feb 17, 2025

Hi @Kala09

Unfortunately, the only way is for the fixes to be pushed by the package maintainers upstream; the Dockerfile code just grabs the latest versions.
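An added example, not code from this issue or from the jjethwa/icinga2 project: the comparison asked for on Feb 4 (scan debian:bookworm and the derived image with the same scanner), the attribution given on Feb 14 (the remaining CVEs come from packages the Dockerfile installs on top of the base image), and the Feb 17 point that a rebuild can only pick up fixes Debian has already published, done as a small triage script. It assumes scanner output shaped like Trivy's `trivy image --format json` report; the thread's tool is JFrog Xray, whose report format differs and would need its field names mapped. The package names, versions and CVE-0000-xxxx identifiers in the embedded sample reports are constructed placeholders, not real findings.

```python
"""Triage container-image CVE findings: base image vs. Dockerfile layers, rebuild vs. wait.

Run the same scanner against the base image (debian:bookworm) and the derived
image, then diff the two reports. A finding present in both reports is inherited
from the base image; one that appears only in the derived report was introduced
by packages the Dockerfile installs. For every finding, the scanner's
FixedVersion field says whether Debian has already shipped a fix (so a rebuild
that runs apt-get update && apt-get upgrade will pick it up) or not (nothing a
rebuild can do until the package maintainers publish one).

Input shape assumed: Trivy's `trivy image --format json <image>` report
(Results[].Vulnerabilities[] with VulnerabilityID, PkgName, InstalledVersion,
FixedVersion, Severity). Other scanners need their field names mapped first.
"""
import json
from dataclasses import dataclass

# Constructed sample reports. Package names, versions and CVE-0000-xxxx IDs are
# placeholders, not real Debian findings.
BASE_SCAN = json.dumps({"Results": [{
    "Target": "debian:bookworm (debian 12.9)",
    "Vulnerabilities": [
        {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libfoo1",
         "InstalledVersion": "1.4.0-3", "FixedVersion": "", "Severity": "HIGH"},
        {"VulnerabilityID": "CVE-0000-0002", "PkgName": "libbar2",
         "InstalledVersion": "2.1.7-1", "FixedVersion": "", "Severity": "CRITICAL"},
    ]}]})

DERIVED_SCAN = json.dumps({"Results": [{
    "Target": "jordan/icinga2:latest (debian 12.9)",
    "Vulnerabilities": [
        # inherited from the base image (same CVE, same package)
        {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libfoo1",
         "InstalledVersion": "1.4.0-3", "FixedVersion": "", "Severity": "HIGH"},
        {"VulnerabilityID": "CVE-0000-0002", "PkgName": "libbar2",
         "InstalledVersion": "2.1.7-1", "FixedVersion": "", "Severity": "CRITICAL"},
        # introduced by the Dockerfile's own apt-get install step
        {"VulnerabilityID": "CVE-0000-0003", "PkgName": "php-baz",
         "InstalledVersion": "8.2.1-1", "FixedVersion": "8.2.2-1", "Severity": "CRITICAL"},
        {"VulnerabilityID": "CVE-0000-0004", "PkgName": "libqux0",
         "InstalledVersion": "0.9.5-2", "FixedVersion": "", "Severity": "HIGH"},
        {"VulnerabilityID": "CVE-0000-0005", "PkgName": "libqux0",
         "InstalledVersion": "0.9.5-2", "FixedVersion": "0.9.6-1", "Severity": "MEDIUM"},
    ]}]})


@dataclass(frozen=True)
class Finding:
    cve: str
    pkg: str
    installed: str
    fixed: str       # "" when the distro has not published a fixed version
    severity: str


def parse_scan(report_json: str) -> set[Finding]:
    """Flatten a Trivy-shaped JSON report into a set of Finding records."""
    report = json.loads(report_json)
    findings = set()
    for result in report.get("Results", []):
        for v in result.get("Vulnerabilities") or []:   # key is null when a target is clean
            findings.add(Finding(v["VulnerabilityID"], v["PkgName"], v["InstalledVersion"],
                                 v.get("FixedVersion") or "", v["Severity"]))
    return findings


def attribute(base: set[Finding], derived: set[Finding]) -> dict[str, set[Finding]]:
    """Split the derived image's findings by origin.

    Matching is on (CVE, package) only: the derived image may have upgraded the
    package to a different still-affected version, and that is still inherited.
    """
    base_keys = {(f.cve, f.pkg) for f in base}
    inherited = {f for f in derived if (f.cve, f.pkg) in base_keys}
    return {"base_image": inherited, "dockerfile_layers": derived - inherited}


def action(f: Finding) -> str:
    """What the image maintainer can do about one finding."""
    if f.fixed:
        return "rebuild"           # apt-get upgrade at build time pulls the fixed version
    return "wait-for-debian"       # no fix published; only the package maintainers can close it


def triage(base_json: str, derived_json: str,
           severities=("CRITICAL", "HIGH")) -> dict[str, list[tuple[str, str, str, str]]]:
    """Return, per origin, sorted (cve, pkg, severity, action) rows at the given severities."""
    buckets = attribute(parse_scan(base_json), parse_scan(derived_json))
    return {origin: sorted((f.cve, f.pkg, f.severity, action(f))
                           for f in findings if f.severity in severities)
            for origin, findings in buckets.items()}


if __name__ == "__main__":
    for origin, rows in triage(BASE_SCAN, DERIVED_SCAN).items():
        print(f"== {origin} ==")
        for cve, pkg, sev, act in rows:
            print(f"{cve:15} {pkg:12} {sev:9} {act}")
```

Both reports must come from the same scanner version and the same vulnerability-database snapshot, otherwise database changes show up in the diff as if they were image changes. A "rebuild" row that survives a rebuild whose Dockerfile already runs the upgrade means the scanner's database is ahead of what the Debian mirror actually serves, which is the wait described in the Jan 9 comment; a "wait-for-debian" row cannot be closed from the Dockerfile side at all.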
