
Fixing vulnerabilities in Azure ACR

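Stack Overflow user
Asked 2020-07-24 22:14:50
Answers: 1, Views: 251, Followers: 0, Votes: 0

Can someone suggest how to fix the vulnerabilities found in my Azure ACR images by the Clair scanner Klar? I am new to working with containers.

Below is a sample of the results from Klar: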

```
Found in: apparmor [2.10.95-0ubuntu2.11]
Fixed By: 
In all versions of AppArmor mount rules are accidentally widened when compiled.
http://people.ubuntu.com/~ubuntu-security/cve/CVE-2016-1585
-----------------------------------------
CVE-2020-3810: [Medium] 
Found in: apt [1.2.32]
Fixed By: 1.2.32ubuntu0.1
Missing input validation in the ar/tar implementations of APT before version 2.1.2 could result in denial of service when processing specially crafted deb files.
http://people.ubuntu.com/~ubuntu-security/cve/CVE-2020-3810
-----------------------------------------
CVE-2018-11237: [Medium] 
Found in: glibc [2.23-0ubuntu11]
Fixed By: 2.23-0ubuntu11.2
An AVX-512-optimized implementation of the mempcpy function in the GNU C Library (aka glibc or libc6) 2.27 and earlier may write data beyond the target buffer, leading to a buffer overflow in __mempcpy_avx512_no_vzeroupper.
http://people.ubuntu.com/~ubuntu-security/cve/CVE-2018-11237
-----------------------------------------
CVE-2018-6485: [Medium] 
Found in: glibc [2.23-0ubuntu11]
Fixed By: 2.23-0ubuntu11.2
An integer overflow in the implementation of the posix_memalign in memalign functions in the GNU C Library (aka glibc or libc6) 2.26 and earlier could cause these functions to return a pointer to a heap area that is too small, potentially leading to heap corruption.
http://people.ubuntu.com/~ubuntu-security/cve/CVE-2018-6485
-----------------------------------------
CVE-2017-18269: [Medium] 
Found in: glibc [2.23-0ubuntu11]
Fixed By: 2.23-0ubuntu11.2
An SSE2-optimized memmove implementation for i386 in sysdeps/i386/i686/multiarch/memcpy-sse2-unaligned.S in the GNU C Library (aka glibc or libc6) 2.21 through 2.27 does not correctly perform the overlapping memory check if the source memory range spans the middle of the address space, resulting in corrupt data being produced by the copy operation. This may disclose information to context-dependent attackers, or result in a denial of service, or, possibly, code execution.
http://people.ubuntu.com/~ubuntu-security/cve/CVE-2017-18269
-----------------------------------------
CVE-2020-1751: [Medium] 
Found in: glibc [2.23-0ubuntu11]
Fixed By: 2.23-0ubuntu11.2
An out-of-bounds write vulnerability was found in glibc before 2.31 when handling signal trampolines on PowerPC. Specifically, the backtrace function did not properly check the array bounds when storing the frame address, resulting in a denial of service or potential code execution. The highest threat from this vulnerability is to system availability.
http://people.ubuntu.com/~ubuntu-security/cve/CVE-2020-1751
-----------------------------------------
```
1 Answer

Stack Overflow user

Accepted answer

Posted 2020-07-25 03:36:57

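To fix vulnerability errors in your container images, you usually just need to rebuild your image after updating the FROM statement to a more up-to-date version of the base image you are using.

For example, https://hub.docker.com/_/ubuntu?tab=tags

As you can see, this image is updated frequently.

If you are using a specific tag (or latest), you may need to remove the image from your local build machine (e.g. docker rmi ) to force the docker daemon to re-pull the image the next time you run the docker build command.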

Votes: 1
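As an added example (not part of the original answer, and not Klar's own code): a small Python parser for the Klar text output shown in the question. It separates findings that list a `Fixed By` version, which a rebuild on an updated base image can pick up, from findings with no fix listed. The sample input is constructed by abridging the question's output, and the names `parse_klar` and `triage` are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample, abridged from the question's Klar output.
# The first record has no CVE header line, as in the question.
SAMPLE = """\
Found in: apparmor [2.10.95-0ubuntu2.11]
Fixed By:
-----------------------------------------
CVE-2020-3810: [Medium]
Found in: apt [1.2.32]
Fixed By: 1.2.32ubuntu0.1
-----------------------------------------
CVE-2018-11237: [Medium]
Found in: glibc [2.23-0ubuntu11]
Fixed By: 2.23-0ubuntu11.2
-----------------------------------------
CVE-2020-1751: [Medium]
Found in: glibc [2.23-0ubuntu11]
Fixed By: 2.23-0ubuntu11.2
"""
HEADER = re.compile(r"^(CVE-\d{4}-\d+): \[(\w+)\]")
FOUND = re.compile(r"^Found in: (\S+) \[(.+)\]$")
FIXED = re.compile(r"^Fixed By:\s*(.*)$")

def parse_klar(text):
    """Split on the dashed separators and return one dict per finding."""
    findings = []
    for block in re.split(r"^-{5,}\s*$", text, flags=re.M):
        rec = dict.fromkeys(("cve", "severity", "package", "installed", "fixed_by"))
        for line in map(str.strip, block.splitlines()):
            if m := HEADER.match(line):
                rec["cve"], rec["severity"] = m.groups()
            elif m := FOUND.match(line):
                rec["package"], rec["installed"] = m.groups()
            elif m := FIXED.match(line):
                rec["fixed_by"] = m.group(1) or None  # empty means no fix listed
        if rec["package"]:  # skip empty trailing blocks
            findings.append(rec)
    return findings

def triage(findings):
    """Return ({(package, fixed_version): {cves}}, [findings with no fix])."""
    fixable = defaultdict(set)
    for f in findings:
        if f["fixed_by"]:
            fixable[(f["package"], f["fixed_by"])].add(f["cve"])
    return dict(fixable), [f for f in findings if not f["fixed_by"]]

if __name__ == "__main__":
    print(triage(parse_klar(SAMPLE)))
```

Findings in the first group should disappear from a rescan once the image is rebuilt on a base image that ships the listed package versions; those in the second group will remain regardless of the base image tag.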
Original page content provided by Stack Overflow. Translation support provided by the Tencent Cloud Xiaowei IT-domain engine.
Original link:

https://stackoverflow.com/questions/63075410
