Hi,
I’ve been working on a sample project for deploying and running Orthanc in the cloud. As part of the security assessment, I ran Trivy on osimis/orthanc:latest, and unfortunately it comes up with 13 critical CVEs (and around 70 High sev ones) mainly around glibc and python 3.7.
This is currently a blocker for publishing my project.
The image uses the latest available package versions for Debian 10; however, I reckon most of these security issues would be solved by an upgrade to Debian 11.
I could make my own image based on Debian 11, but for the sake of simplicity - and because the osimis/orthanc is a well known/used image within the community - I’d rather not.
Could you please let me know if/when an upgrade to Debian 11 is planned?
Thanks in advance!
Kind Regards,
Tamas
Hi Tamas,
I’d been working on this in August until I realised that I could not use the ODBC plugin with MSSQL because msodbcsql was not available for bullseye and I wanted to keep a single base image.
Two months later, it’s still not there, so I think I won’t wait any longer and will switch to bullseye for the main image. I’ll still provide buster images on-demand for the very few MSSQL users.
I’ll probably need a few days to find some time to finalize and release it.
Best regards,
Alain
Hi Alain,
That’s great news, thanks for letting me know! Am I correct to assume that this change would only affect MSSQL and not Postgresql?
Thanks for your work on this, I’ll make sure to share my project here with the community as it’ll be released as an open-source AWS sample, hopefully it’ll be beneficial for many.
Kind Regards,
Tamas Santa
Yes, that’s correct. The postgresql plugin uses a native client which compiles fine in bullseye.
I might chime in a bit on that. In my docker-compose.yml I had image: postgres without specifying a tag, but recently changed it to image: postgres:13 because during a recent build I got a message indicating that a DB upgrade was required, I think because image: postgres:latest must have recently changed from version 13 to 14?
I did not want to have to deal with working through the conflicts or upgrades at the time, and I also set my osimis image for my custom build to: FROM osimis/orthanc:21.10.0
I might want to revisit that after reading this thread if you upgraded the osimis image to use bullseye, which I guess is Debian 11.1? It seemed like it was going to be necessary to upgrade my postgres 13 databases somehow to be compatible with postgres 14?
Things are actually working fine after setting those versions, but at some point I’ll probably want to use a more recent osimis image and postgres 14.
Hi Alain,
Is there any news about the new image?
Anything I could do to help?
Kind regards,
Tamas Santa
Hi Tamas,
I think I’m done with the upgrade and I’m almost ready to release.
May I ask you to test your setup with the osimis/orthanc:am-update-debian image and run a security scan on the image?
If everything is fine, I’ll merge into master and tag it as the next official release.
Best regards,
Alain.
Hi Alain,
Thank you for your hard work! I’ll test it as soon as I can and will let you know. It’ll probably happen tomorrow or Wednesday at the latest, though.
Kind Regards,
Tamas
Hi Alain,
I have tested the new image and can confirm that it works with my setup. I ran the security scan and it returned roughly half as many CVEs as the previous one, which is good news.
From your perspective there’s nothing you can do about that as the vulnerable packages have the latest versions.
So I think we’re in the best possible situation at the moment!
I’m looking forward to the official release!
Kind regards,
Tamas Santa
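The point made above (the remaining findings are in packages that already have the latest version the distribution ships, so the image maintainer cannot remove them by rebuilding) is the usual triage question for a Trivy report: which CVEs have a fixed version available, and which do not. The script below is an added example, not code from this thread or from the osimis/orthanc project. It reads Trivy's JSON output (`trivy image --format json --output report.json <image>`), splits findings at or above a chosen severity into "fixable" (Trivy reports a FixedVersion) and "unfixed", and implements a CI gate that fails only on the fixable ones, the same split as Trivy's own `--ignore-unfixed` flag. The embedded report is a constructed stand-in with placeholder CVE IDs, not real identifiers; only the package names (libc6, python3.7) follow the thread.

```python
"""Triage a Trivy JSON report into fixable vs. unfixed findings.

Added example; not part of the original thread or the osimis/orthanc project.
Input is Trivy's JSON format (SchemaVersion 2), e.g. produced by:
    trivy image --format json --output report.json osimis/orthanc:latest
The report embedded below is CONSTRUCTED; its CVE IDs are placeholders.
"""
import json
from collections import Counter

# Trivy severity levels, most severe first.
SEVERITIES = ("CRITICAL", "HIGH", "MEDIUM", "LOW", "UNKNOWN")

# Constructed stand-in for a real report. Two findings have a FixedVersion
# (the distro shipped a patched package), two do not (nothing to rebuild).
SAMPLE_REPORT = json.dumps({
    "SchemaVersion": 2,
    "ArtifactName": "example/image:tag",
    "Results": [
        {
            "Target": "example/image:tag (debian 10.11)",
            "Class": "os-pkgs",
            "Type": "debian",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libc6",
                 "InstalledVersion": "2.28-10", "Severity": "CRITICAL"},
                {"VulnerabilityID": "CVE-0000-0002", "PkgName": "libc6",
                 "InstalledVersion": "2.28-10",
                 "FixedVersion": "2.28-10+deb10u1", "Severity": "HIGH"},
                {"VulnerabilityID": "CVE-0000-0003", "PkgName": "python3.7",
                 "InstalledVersion": "3.7.3-2+deb10u3", "Severity": "CRITICAL"},
                {"VulnerabilityID": "CVE-0000-0004", "PkgName": "python3.7",
                 "InstalledVersion": "3.7.3-2+deb10u3", "Severity": "MEDIUM"},
            ],
        }
    ],
})


def iter_vulns(report):
    """Yield every vulnerability record across all Results of a report.
    Trivy emits null (not an empty list) when a target has no findings."""
    for result in report.get("Results") or []:
        for vuln in result.get("Vulnerabilities") or []:
            yield vuln


def triage(report_json, min_severity="HIGH"):
    """Return (fixable, unfixed, by_severity).

    fixable / unfixed: lists of (id, package, installed, fixed) tuples for
    findings at or above min_severity; a finding is fixable when Trivy
    reports a FixedVersion. by_severity counts all findings regardless of
    the threshold, so the caller still sees the full picture.
    """
    report = json.loads(report_json)
    threshold = SEVERITIES.index(min_severity)
    fixable, unfixed, by_severity = [], [], Counter()
    for v in iter_vulns(report):
        sev = v.get("Severity", "UNKNOWN")
        if sev not in SEVERITIES:
            sev = "UNKNOWN"
        by_severity[sev] += 1
        if SEVERITIES.index(sev) > threshold:
            continue  # less severe than requested; counted but not listed
        entry = (v["VulnerabilityID"], v["PkgName"],
                 v.get("InstalledVersion"), v.get("FixedVersion"))
        (fixable if v.get("FixedVersion") else unfixed).append(entry)
    return fixable, unfixed, by_severity


def gate(report_json, min_severity="HIGH"):
    """CI gate: True (pass) unless there are fixable findings at or above
    min_severity. Unfixed findings are reported by triage() but do not block,
    since rebuilding the image cannot remove them; equivalent in spirit to
    `trivy image --ignore-unfixed --severity CRITICAL,HIGH --exit-code 1`."""
    fixable, _unfixed, _counts = triage(report_json, min_severity)
    return not fixable


if __name__ == "__main__":
    fixable, unfixed, counts = triage(SAMPLE_REPORT, "HIGH")
    print("by severity:", dict(counts))
    print("fixable (rebuild against updated packages):")
    for vid, pkg, installed, fixed in fixable:
        print(f"  {vid} {pkg} {installed} -> {fixed}")
    print("unfixed (no patched package available yet):")
    for vid, pkg, installed, _ in unfixed:
        print(f"  {vid} {pkg} {installed}")
    print("gate passes:", gate(SAMPLE_REPORT, "HIGH"))
```

On a real report, run the script against the JSON file instead of SAMPLE_REPORT; the unfixed list is the set to track against the distribution's security tracker rather than the set to block a release on, which is exactly the situation described in the post above.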
Hi Tamas,
Thanks for testing!
I’ve just released version 21.11.0. Release notes are here: https://bitbucket.org/osimis/orthanc-builder/src/master/release-notes-docker-images.txt
Best regards,
Alain
Excellent news, thank you!
I’ll update my repository and I’ll shortly make it public afterwards.
I’ll let you know when it’s ready!
Kind regards,
Tamas Santa