Addressing 0-day Vulnerability in Base Image Used for Datahub-Actions

Original Slack Thread

Hello everyone. So we have discovered that a 0-day vulnerability exists (https://snyk.io/blog/critical-webp-0-day-cve-2023-4863/) in the base image used to create datahub-actions. Naturally we have taken remediation action on our side but I just wanted to flag this here as a matter of urgency. It looks like it’s at the OS level, specifically the libwebp library (which I believe is transitive). In any case the library needs to be upgraded from 0.6.1-2.1+deb11u1 to 0.6.1-2.1+deb11u2. Now it seems as though.

We had the same issue with the data-ingestion-cron image (seems to be Debian 12) and a simple update did the trick. So maybe actions (Debian 11) could use the same base image if possible?

    repository: acryldata/datahub-ingestion
    tag: "v0.11.0.2"

Hi there! Thanks for calling this out, libwebp is not utilized by datahub-actions or the ingestion image so this isn’t exploitable from those images and is primarily a problem for personal devices using applications like Chrome and iMessage that will render *.webp images, but we’ll definitely be updating to get away from using a vulnerable image :slightly_smiling_face:

In the future, if you think you have found a security issue with DataHub, exploitable or not, please report it via email to security@datahubproject.io. This gives us time to patch the issue before issuing advisories. Thank you :smile:

Ah great thank you very much <@UV5UEC3LN>, didn’t know where to put this. I do for next time.

No worries! Our documentation on the reporting process should be easier to find so we’ll get on that as well :slightly_smiling_face: