
docs: [#431] document backup image CVE analysis and accepted risk#457

Merged
josecelano merged 1 commit into main from 431-backup-cves
Apr 15, 2026

Conversation

@josecelano

Summary

Re-scan of torrust/tracker-backup:local as requested in issue #431.

No code change — image rebuilt from scratch with --no-cache to pick up any available
Debian package updates. Vulnerability count unchanged.

Findings (Apr 15, 2026 — Trivy v0.69.3)

| Pass   | HIGH | CRITICAL | Notes                           |
|--------|------|----------|---------------------------------|
| Apr 8  | 6    | 0        | Pass 1 baseline                 |
| Apr 15 | 6    | 0        | Rebuilt from scratch, no change |

All 6 HIGH are Debian base OS CVEs with no fix available in trixie:

| CVE            | Packages                                          | Status   | Fix in trixie     |
|----------------|---------------------------------------------------|----------|-------------------|
| CVE-2025-69720 | libncurses6, libtinfo6, ncurses-base, ncurses-bin | affected | None (`<no-dsa>`) |
| CVE-2026-29111 | libsystemd0, libudev1                             | affected | None (`<no-dsa>`) |

Debian Security Tracker Confirmation

Both CVEs are tagged <no-dsa> (minor issue) for trixie — Debian Security Team will not
backport fixes to stable trixie. Fixes exist only in forky/sid (unstable).

Risk Assessment

Neither CVE is reachable in our container's runtime:

  • CVE-2025-69720 (ncurses): affects the infocmp CLI tool only — not the ncurses library.
    The backup container never calls infocmp.
  • CVE-2026-29111 (systemd): affects systemd when running as PID 1 receiving a spurious
    unprivileged IPC call. Our container runs a bash script — systemd is never started.
    libsystemd0/libudev1 are transitive package dependencies only.

Decision

Accepted risk — close #431.

Revisit when Debian trixie backports a fix for ncurses or systemd.

Changes

  • docs/security/docker/scans/torrust-tracker-backup.md — new Remediation Pass 2 entry with full CVE table and Debian tracker status
  • docs/security/docker/scans/README.md — updated backup row (Apr 15, accepted risk)
  • docs/issues/431-backup-cves.md — checked off steps, filled Outcome section
  • project-words.txt — added infocmp, libncurses, libtinfo, libsystemd, libudev, behaviour

Closes #431
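The PR above records the accepted-risk decision in prose. The script below is an added example, not tooling from the torrust project, showing how that decision could be enforced in a scan gate: it reads a Trivy JSON report, lets the two CVEs through only while they remain unfixed and confined to the packages named in the PR table, and flags them for the "revisit when trixie backports a fix" step as soon as Trivy reports a `FixedVersion`. The `ACCEPTED` register format, the helper names and the sample report (placeholder package versions) are assumptions; the Trivy field names (`Results[].Vulnerabilities[]` with `VulnerabilityID`, `PkgName`, `Severity`, `Status`, `FixedVersion`) are Trivy's real JSON layout.

```python
"""Gate a Trivy JSON report against an accepted-risk register.

Added example, not tooling from the torrust project. It assumes Trivy's
JSON report layout (Results[].Vulnerabilities[] with VulnerabilityID,
PkgName, Severity, Status, FixedVersion) and a hypothetical ACCEPTED
register whose two entries mirror the CVEs described in the PR text.
"""
import copy
import json
from datetime import date

# Hypothetical accepted-risk register. Package sets come from the PR table;
# an entry only covers the packages listed, so the same CVE showing up on a
# new package is flagged for review rather than silently accepted.
ACCEPTED = {
    "CVE-2025-69720": {
        "pkgs": {"libncurses6", "libtinfo6", "ncurses-base", "ncurses-bin"},
        "reason": "affects the infocmp CLI only; the backup container never runs it",
        "accepted": date(2026, 4, 15),
    },
    "CVE-2026-29111": {
        "pkgs": {"libsystemd0", "libudev1"},
        "reason": "requires systemd as PID 1; container runs a bash script",
        "accepted": date(2026, 4, 15),
    },
}

GATED = {"HIGH", "CRITICAL"}


def _vuln(cve, pkg, version, severity="HIGH", status="affected", fixed=""):
    """Build one Trivy-shaped vulnerability record (constructed test data)."""
    return {"VulnerabilityID": cve, "PkgName": pkg, "InstalledVersion": version,
            "FixedVersion": fixed, "Severity": severity, "Status": status}


# Constructed sample report: the PR's 6 HIGH findings, no CRITICAL.
# Installed versions are placeholders, not the image's real package versions.
SAMPLE_REPORT = {
    "ArtifactName": "torrust/tracker-backup:local",
    "Results": [{
        "Target": "torrust/tracker-backup:local (debian 13)",
        "Class": "os-pkgs",
        "Vulnerabilities": [
            _vuln("CVE-2025-69720", p, "0.0-placeholder")
            for p in ("libncurses6", "libtinfo6", "ncurses-base", "ncurses-bin")
        ] + [
            _vuln("CVE-2026-29111", p, "0.0-placeholder")
            for p in ("libsystemd0", "libudev1")
        ],
    }],
}


def triage(report):
    """Sort HIGH/CRITICAL findings into block / accepted / revisit buckets.

    block:    not in the register at all            -> fail the gate.
    accepted: in the register, same package, no fix -> pass.
    revisit:  in the register but a fix now exists (the PR's "revisit when
              trixie backports a fix") or the package set changed.
    """
    buckets = {"block": [], "accepted": [], "revisit": []}
    for result in report.get("Results", []):
        # Trivy omits or nulls "Vulnerabilities" when a target is clean.
        for v in result.get("Vulnerabilities") or []:
            if v.get("Severity") not in GATED:
                continue
            cve, pkg = v["VulnerabilityID"], v.get("PkgName", "")
            entry = ACCEPTED.get(cve)
            if entry is None:
                buckets["block"].append((cve, pkg, "not in accepted-risk register"))
            elif v.get("FixedVersion"):
                buckets["revisit"].append((cve, pkg, "fix available: " + v["FixedVersion"]))
            elif pkg not in entry["pkgs"]:
                buckets["revisit"].append((cve, pkg, "package not covered by acceptance"))
            else:
                buckets["accepted"].append((cve, pkg, entry["reason"]))
    return buckets


def gate_passes(report):
    """True only when every gated finding is an unchanged, still-unfixed acceptance."""
    b = triage(report)
    return not b["block"] and not b["revisit"]


def with_fix(report, cve, fixed_version):
    """Return a copy of the report in which `cve` now carries a FixedVersion."""
    r = copy.deepcopy(report)
    for result in r["Results"]:
        for v in result.get("Vulnerabilities") or []:
            if v["VulnerabilityID"] == cve:
                v["FixedVersion"] = fixed_version
                v["Status"] = "fixed"
    return r


def load_report(path):
    """Load a report produced by `trivy image --format json --output <path> <image>`."""
    with open(path, encoding="utf-8") as f:
        return json.load(f)


if __name__ == "__main__":
    for name, rows in triage(SAMPLE_REPORT).items():
        for cve, pkg, why in rows:
            print(f"{name:8} {cve} {pkg}: {why}")
    print("gate:", "PASS" if gate_passes(SAMPLE_REPORT) else "FAIL")
```

Against a real scan, run `trivy image --format json --output report.json torrust/tracker-backup:local` and pass `load_report("report.json")` to `triage`. Trivy's own `--ignore-unfixed` flag, or a plain `.trivyignore` file with one CVE ID per line, would also silence these six findings, but neither records the rationale nor notices when trixie does ship a fix; the `revisit` bucket is what makes the PR's "revisit when Debian trixie backports a fix" step automatic instead of a calendar reminder.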

@josecelano

ACK 8411d73

@josecelano josecelano merged commit 6bb23eb into main Apr 15, 2026
29 checks passed
josecelano added a commit that referenced this pull request Apr 15, 2026
Removed 5 closed issue documentation files from docs/issues/:
- #431: backup-cves (PR #457 merged)
- #433: prometheus-cves (PR #454 merged)
- #434: grafana-cves (PR #453 merged)
- #435: mysql-cves (PR #456 merged)
- #444: rand-0.9.2-rustsec (closed)

Remaining open issues: #413, #429, #432, #443
Successfully merging this pull request may close these issues.

Investigate unresolved backup image CVEs after remediation pass 1