Hello everyone. So we have discovered that a 0-day vulnerability exists (https://snyk.io/blog/critical-webp-0-day-cve-2023-4863/) in the base image used to create datahub-actions. Naturally we have taken remediation action on our side, but I just wanted to flag this here as a matter of urgency. It looks like it's at the OS level, specifically the libwebp library (which I believe is transitive). In any case the library needs to be upgraded from 0.6.1-2.1+deb11u1 to 0.6.1-2.1+deb11u2. Now it seems as though.
We had the same issue with the data-ingestion-cron image (seems to be Debian 12) and a simple update did the trick. So maybe actions (Debian 11) could use the same base image if possible?
Hi there! Thanks for calling this out. libwebp is not utilized by datahub-actions or the ingestion image, so this isn't exploitable from those images and is primarily a problem for personal devices using applications like Chrome and iMessage that will render *.webp images, but we'll definitely be updating to get away from using a vulnerable image.
In the future, if you think you have found a security issue with DataHub, exploitable or not, please report it via email to security@datahubproject.io. This gives us time to patch the issue before issuing advisories. Thank you.