[🐛 Bug]:security vulnerabilities on selenium/node-firefox:4.22.0-20240621 image

[e-dsouza]

What happened?

Security vulnerabilities on selenium/node-firefox:4.22.0-20240621 image.
https://ubuntu.com/security/CVE-2024-26924
https://ubuntu.com/security/CVE-2024-26643

The issue with package linux-libc-dev version 5.15.0-112.122. The recommeded fix is to use version 5.15.0-113.123

Command used to start Selenium Grid with Docker (or Kubernetes)

Currenty using OCP container for firefox node with image selenium/node-firefox:4.22.0-20240621

Relevant log output

$ dpkg -s linux-libc-dev

Package: linux-libc-dev
Status: install ok installed
Priority: optional
Section: devel
Installed-Size: 6888
Maintainer: Ubuntu Kernel Team <kernel-team@lists.ubuntu.com>
Architecture: amd64
Multi-Arch: same
Source: linux
Version: 5.15.0-107.117
Replaces: linux-kernel-headers
Provides: aufs-dev, linux-kernel-headers
Conflicts: linux-kernel-headers
Description: Linux Kernel Headers for development
This package provides headers from the Linux kernel. These headers are used by the installed headers for GNU glibc and other system libraries. They are NOT meant to be used to build third-party modules for your kernel. Use linux-headers-* packages for that.

Operating System

Ubuntu

Docker Selenium version (image tag)

4.22.0-20240621

Selenium Grid chart version (chart version)

None

[github-actions]

@e-dsouza, thank you for creating this issue. We will troubleshoot it as soon as we can.

---

Info for maintainers

Triage this issue by using labels.

If information is missing, add a helpful comment and then I-issue-template label.

If the issue is a question, add the I-question label.

If the issue is valid but there is no time to troubleshoot it, consider adding the help wanted label.

If the issue requires changes or fixes from an external project (e.g., ChromeDriver, GeckoDriver, MSEdgeDriver, W3C), add the applicable G-* label, and it will provide the correct link and auto-close the issue.

After troubleshooting the issue, please add the R-awaiting answer label.

Thank you!

[VietND96]

In the upcoming release, we expect that a huge number of vulnerabilities will be resolved with the new base OS. If possible, can you scan the image tag nightly and see those 2 CVEs are resolved and confirm?

[e-dsouza]

@VietND96 Thank you. No vulnerabilities with the Nightly image. Do we have a date for the upcoming release?

[VietND96]

I think probably in the 3rd week of this month when the new version of browsers and selenium-grid come

[e-dsouza]

@VietND96 the nightly Firefox image had linux-libc-dev version 6.8.0-36.36 (Ubuntu 24.04 LTS). I was notified of a new vulnerability. See details below.

Vulnerability:
The linux-libc-dev package version 6.8.0-36.36 for selenium-node-firefox is missing security updates. It is, therefore, affected by one or more vulnerabilities. For additional informantion refer to: https://ubuntu.com/security/CVE-2024-26925

Recommended Remediation:
Update linux-libc-dev from 6.8.0-36.36 to 6.8.0-38.38. For additional information refer to: https://ubuntu.com/security/CVE- 2024-26925

[VietND96]

Please verify the latest image tag released 4.23.0-20240727

[github-actions]

This issue has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.