Image vulnerability in postgres:latest

[bharath3745]

Hi Team,

We are using the latest Postgres image in our environment in both dev and prod environments. We are seeing the following vulnerability popped up in our environment for this image.

summary:
Nick Wellnhofer discovered that the xsltApplyTemplates function in libxslt, an XSLT processing runtime library, is prone to a use-after-free flaw, resulting in a denial of service, or potentially the execution of arbitrary code if a specially crafted file is processed.

Issue:
postgres:latest-CVE-2021-30560
libxslt1.1 has vulnerabilities

Action:
Upgrade libxslt1.1 to >= 1.1.34-4+deb11u1

Request you to kindly update the libxslt to the latest version and push the new image.

[wglambert]

https://security-tracker.debian.org/tracker/CVE-2021-30560

Use after free in Blink XSLT in Google Chrome prior to 91.0.4472.164 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

The vulnerability isn't relevant to this environment.
See also https://github.com/docker-library/faq#why-does-my-security-scanner-show-that-an-image-has-cves
And docker-library/openjdk#449 (comment), #286 (comment) docker-library/openjdk#161, docker-library/openjdk#112, #286, docker-library/drupal#84, docker-library/official-images#2740, docker-library/ruby#117, docker-library/ruby#94, docker-library/python#152, docker-library/php#242, docker-library/buildpack-deps#46, docker-library/openjdk#185.

A CVE doesn't imply having an actual vulnerability, and often is even a false positive (given how most distributions handle versioning/security updates in stable releases). If there are actionable items we can resolve, we're happy to do so (and do so actively). We update all Debian based images to include any updates in apt packages at least monthly (we regenerate the base images and then rebuild all dependent images).