
Please update yarn to at least 1.22.0 (CVE-2020-8131) #1237

Closed
sseide opened this issue Apr 1, 2020 · 4 comments

sseide commented Apr 1, 2020

The current version of yarn used on all (?) images has a vulnerability which may be exploited depending on how your images are used or what software is installed on top of them.

https://nvd.nist.gov/vuln/detail/CVE-2020-8131 - Rating of 7.5 (HIGH)

Please update all images to the bug-fixed version, as some automated security scanners are starting to pick up this vulnerability in docker images (e.g. Anchore).

I have looked for a helper script to update all instances easily without missing one, but there seems to be nothing like it. Is there another preferred way, or search-and-replace? I can create a PR then.

Thanks

SimenB (Member) commented Apr 1, 2020

Node 10 is on 1.21.1, 12 is on 1.22.0 and 13 is on 1.22.4. We should probably update 10, then. /cc @nodejs/docker

To update, just run the update.sh script. Since only node 10 is vulnerable, running ./update.sh 10 should be enough.

nschonni (Member) commented Apr 3, 2020

Next release for 10 is anticipated on April 7th: nodejs/Release#553 (comment)

sseide (Author) commented Apr 3, 2020

Thanks to all.

PeterDaveHello (Member) commented

#1241 merged! Just wait for it to be deployed on Docker Hub. Thanks for the notification; I'll close this issue first, feel free to reopen it if there is still an issue.

Please note that there will be a delay between the PR merging and the image being built and deployed on Docker Hub; please follow #1241 and its auto PR to the official Docker Hub image repository for more details.
