CVE-2019-5482 and CVE-2019-18224

[adriangonz]

There are a couple of vulnerabilities present on the seldonio/engine:0.5.2-SNAPSHOT image.

• CVE-2019-18224: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-18224
• CVE-2019-5482: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-5482

After looking into both, they both seem to affect packages which are installed through Debian (seldonio/engine is build from openjdk, which is based on Debian Buster). Therefore, we need for them to first update these dependencies upstream. After that's done, we should be able to just re-build the image and install the latest versions.

CVE-2019-5482

Reported as http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-5482.

Affects cURL, from 7.19.4 to 7.65.3.
This issue has already been raised in Debian's bugtracking system.
The fixed version is already in the "testing" channel.
https://security-tracker.debian.org/tracker/CVE-2019-5482

CVE-2019-18224

Reported as http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-18224.

Affects libidn2 up to 2.1.1.
This issue has already been raised in Debian's bugtracking system.
The fixed version is already in the "testing" channel.
https://security-tracker.debian.org/tracker/CVE-2019-18224

[adriangonz]

libidn2 seems to be a dependency of libc6, which is a dependency of a few basic packages which we can't remove. Therefore, we can only wait until they move the fix to the stable channel of Debian.

On the other hand, curl doesn't seem to be needed on the seldonio/engine image, so we should be able to remove it.

[adriangonz]

CVE-2019-5482 should be fixed by #1264 and CVE-2019-18224 is now tracked in #1286