CVE-2022-27404, CVE-2022-27405, CVE-2022-27406

[sagar18m]

<style> </style>

Resource	Resource Type	Installed Version	Vulnerability Name	Publish Date	NVD CVSS v2 Severity	NVD CVSS v2 Score	NVD CVSS v2 Vectors	Solution
freetype	package	2.11.1-r0	CVE-2022-27404	4/22/2022	high	7.5	AV:N/AC:L/Au:N/C:P/I:P/A:P	Upgrade package freetype to version 2022-03-07 or above.
freetype	package	2.11.1-r0	CVE-2022-27405	4/22/2022	medium	5	AV:N/AC:L/Au:N/C:N/I:N/A:P	Upgrade package freetype to version 2022-03-17 or above.
freetype	package	2.11.1-r0	CVE-2022-27406	4/22/2022	medium	5	AV:N/AC:L/Au:N/C:N/I:N/A:P	Upgrade package freetype to version 2022-03-19 or above.

[yosifkit]

As seen on the Debian security tracker pages, the fix is only available in bookworm (currently aka sid or unstable). All other Debian releases do not have the update. And, from the Notes, it looks like the Debian security team has chosen not to fix it for them.

https://security-tracker.debian.org/tracker/CVE-2022-27404 and https://security-tracker.debian.org/tracker/CVE-2022-27405 and https://security-tracker.debian.org/tracker/CVE-2022-27406

[bullseye] - freetype <no-dsa> (Minor issue)
[buster] - freetype <no-dsa> (Minor issue)
[stretch] - freetype <no-dsa> (Minor issue)

[dimanchezzz]

How I can upgrade directly freetype to 2022-03-07?

[thresheek]

hi @dimanchezzz, we'll need to wait until freetype is updated in the Linux distributions nginx images use, namely Alpine 3.15 and Debian 11.

[dimanchezzz]

Thanks, How I can following by updates in the Linux distributions nginx images
or mb i can drop freetype from image ?
I tried it, but not working(
RUN apk del freetype

[thresheek]

The links for tracking CVE fixes in Debian were provided in #657 (comment), and for Alpine you'd have to check https://git.alpinelinux.org/aports/log/main/freetype?h=3.15-stable

You should be able to remove freetype and the image filter module with the following command:
apk del freetype nginx-module-image-filter.

[cameronwaterman]

A fix for 2022-27404 was submitted to the Alpine mainline.

https://gitlab.alpinelinux.org/alpine/aports/-/commit/08c9eeb1e3aee1adc8c3407f29630073aef5c5e3
https://gitlab.alpinelinux.org/alpine/aports/-/commit/a11d8db7bb9baefb69a268bba661728ece1f1caa

[istvandesign]

Hello, when can we expect to have a new nginx image with the fix for 2022-27404? Thanks

[thresheek]

Hi @istvandesign there is no strict date - for Debian it's likely never, and for Alpine-based images, whenever alpine 3.15.5 is released.

[istvandesign]

Hi @istvandesign there is no strict date - for Debian it's likely never, and for Alpine-based images, whenever alpine 3.15.5 is released.

Thanks, the hotfix you mentioned,
RUN apk del freetype nginx-module-image-filter will also work in alpine or only in debian based images ?

[thresheek]

It would be RUN apt remove -y libfreetype6 for Debian

[sahya]

I would like to know how the treatment by official.
When does the alpine image change to use 3.15 in the stable-alpine and 1.20-alpine? Or When would RUN apk del freetype nginx-module-image-filter add officially?

[thresheek]

We plan to have stable tags updated with Alpine 3.15 (or 3.16 if it's out at that time) somewhere in mid-June. No hard ETA though yet.

[thresheek]

CVE-2022-27404 is fixed now in alpine-based images. Other CVEs arent, and all of them are not fixed for Debian-based images.

[asos-bryanharveysmith]

I've taken this update applied it to our application. The scan is all clear now. thank you