CVE-2025-27113 #1571

Open
lheazel opened this issue Mar 10, 2025 · 2 comments

Comments

lheazel commented Mar 10, 2025

https://nvd.nist.gov/vuln/detail/CVE-2025-27113

For at least a week, this has been showing up as a vulnerability on scans of my deployments that use the 8.2-apache tag.

Deployments appear to contain libxml2 version 2.9.14, which GNOME's GitLab repo shows no updates to for the past two years. Is there any plan to update the image to 2.10+.X? Can we expect a solution to this in the near future? And if not, if anyone can point me towards instructions on manually changing the version myself that would be appreciated.

Member

tianon commented Mar 10, 2025

See https://security-tracker.debian.org/tracker/CVE-2025-27113 -- this isn't fixed in Debian (Bookworm/Stable, anyhow), and the Debian Security Team didn't add any notes, but my best guess is that the likelihood of exploit is really low (and as with any change, the likelihood of breakage from the fix is always non-zero).

Member

tianon commented Mar 10, 2025
