High security findings
We're using the tiangolo/uvicorn-gunicorn-fastapi:python3.8-slim image, and after an image scan we got a report with 2 high findings relating to perl.
| featurename | featureversion | vulnerability | namespace | description | link | severity | fixedby |
|---|---|---|---|---|---|---|---|
| perl | 5.28.1-6 | CVE-2020-10878 | debian:10 | Perl before 5.30.3 has an integer overflow related to mishandling of a "PL_regkind[OP(n)] == NOTHING" situation. A crafted regular expression could lead to malformed bytecode with a possibility of instruction injection. | https://security-tracker.debian.org/tracker/CVE-2020-10878 | High | |
| perl | 5.28.1-6 | CVE-2020-10543 | debian:10 | Perl before 5.30.3 on 32-bit platforms allows a heap-based buffer overflow because nested regular expression quantifiers have an integer overflow. | https://security-tracker.debian.org/tracker/CVE-2020-10543 | High | |
Is it possible to upgrade perl to 5.30.3?
Issue Analytics
- Created 3 years ago
- Comments: 5 (1 by maintainers)
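The scanner's "fixedby" column above is empty, and the CVE text talks about upstream 5.30.3, but Debian does not ship new upstream Perl releases into a stable suite: it backports the patch and bumps the package revision (for example a `+deb10u1` suffix), so the version stays 5.28.1-based. Any triage that compares the installed package against "5.30.3" will therefore keep flagging a patched image. The script below is an added example (not tooling from this issue or from the tiangolo/uvicorn-gunicorn-fastapi project): it implements dpkg's version-ordering rules and uses them to decide each finding against a distro tracker entry rather than the upstream threshold. The two findings are copied from the table; the tracker snapshot `TRACKER` and its fixed-version strings are constructed for illustration and are not a statement about the real tracker state at scan time.

```python
"""Triage scanner findings against a distro security tracker instead of
the upstream "fixed in X" version quoted in the CVE text.

Added example for the issue above; not code from the issue or project.
"""
import re


def _order(c: str) -> int:
    # dpkg character ordering: '~' sorts before end-of-string, and letters
    # sort before every other non-digit character ('+', '.', ...).
    if c == "~":
        return -1
    if c == "":
        return 0
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _cmp_part(a: str, b: str) -> int:
    # Compare alternating non-digit / digit runs, the way dpkg's verrevcmp does.
    while a or b:
        na = re.match(r"[^0-9]*", a).group(0)
        nb = re.match(r"[^0-9]*", b).group(0)
        a, b = a[len(na):], b[len(nb):]
        for i in range(max(len(na), len(nb))):
            oa = _order(na[i] if i < len(na) else "")
            ob = _order(nb[i] if i < len(nb) else "")
            if oa != ob:
                return -1 if oa < ob else 1
        da = re.match(r"[0-9]*", a).group(0)
        db = re.match(r"[0-9]*", b).group(0)
        a, b = a[len(da):], b[len(db):]
        ia, ib = int(da or "0"), int(db or "0")
        if ia != ib:
            return -1 if ia < ib else 1
    return 0


def _split(v: str):
    # [epoch:]upstream[-debian_revision]; the revision is after the LAST '-'.
    epoch, rest = v.split(":", 1) if ":" in v else ("0", v)
    if "-" in rest:
        upstream, _, revision = rest.rpartition("-")
    else:
        upstream, revision = rest, ""
    return int(epoch), upstream, revision


def compare_debian_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1, matching `dpkg --compare-versions a lt|eq|gt b`."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _cmp_part(ua, ub) or _cmp_part(ra, rb)


# Constructed input: the two rows from the scan report in the issue.
FINDINGS = [
    {"package": "perl", "installed": "5.28.1-6", "cve": "CVE-2020-10878",
     "namespace": "debian:10", "upstream_fixed": "5.30.3"},
    {"package": "perl", "installed": "5.28.1-6", "cve": "CVE-2020-10543",
     "namespace": "debian:10", "upstream_fixed": "5.30.3"},
]

# Hypothetical tracker snapshot (constructed, not the real tracker state):
# one CVE has a backported fix under a +deb10u1 revision, the other is open.
TRACKER = {
    ("debian:10", "perl", "CVE-2020-10878"): {"fixed_version": "5.28.1-6+deb10u1"},
    ("debian:10", "perl", "CVE-2020-10543"): {"fixed_version": None},
}


def triage(finding, tracker=TRACKER) -> str:
    """'patched' (installed >= distro fix), 'upgrade:<ver>' (rebuild to pick
    up the fixed package) or 'no-distro-fix' (nothing to upgrade to yet;
    mitigate, remove the package, or accept the risk)."""
    entry = tracker.get((finding["namespace"], finding["package"], finding["cve"]))
    fixed = entry["fixed_version"] if entry else None
    if fixed is None:
        return "no-distro-fix"
    if compare_debian_versions(finding["installed"], fixed) >= 0:
        return "patched"
    return "upgrade:" + fixed


def upstream_threshold_flags(finding) -> bool:
    """The naive check ("Perl before 5.30.3"): still True for a backported
    fix, because 5.28.1-6+deb10u1 sorts below 5.30.3."""
    return compare_debian_versions(finding["installed"], finding["upstream_fixed"]) < 0


if __name__ == "__main__":
    for f in FINDINGS:
        print(f["cve"], triage(f), "naive flag:", upstream_threshold_flags(f))
    patched = dict(FINDINGS[0], installed="5.28.1-6+deb10u1")
    print(patched["cve"], triage(patched), "naive flag:", upstream_threshold_flags(patched))
```

The value of the split is the `no-distro-fix` outcome: when the tracker has no fixed version for the namespace the scanner reported, asking the image maintainer for "5.30.3" cannot help, because the package comes from the distro repositories of the base image; the options are to wait for the distro fix, drop the package from the image if nothing needs it, or document the accepted risk.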
@gbvanrenswoude I wasn't seeing it because I was using the alpine image, so thanks for pointing that out; apologies about that. GitHub did add a way for owners to create security policies for situations like this, should they arise. There is zero problem reporting the issue; rather, it's the manner in which you report it.
Thanks for the help here @NotoriousRebel ! 👏 🙇
The image is based on the official Python image, so it wouldn’t be an issue with this image but with the base official Python image. On the other side, Perl is not used for anything, it’s there just because it’s a common tool to have pre-installed and could be needed while building extensions, etc. But nothing calls or uses it.
Anyway, thanks for reporting back and closing the issue @Arrrunan 👍