Describe the bug
We are using the redis:7.0.4-bullseye image and found vulnerabilities in security scans of the Redis image.
7.0.4-bullseye: Pulling from library/redis
Digest: sha256:091a7b5de688f283b30a4942280b64cf822bbdab0abfb2d2ce6db989f2d3c3f4
Status: Image is up to date for redis:7.0.4-bullseye
docker.io/library/redis:7.0.4-bullseye
2022-11-30T06:20:12.917-0500 INFO Detected OS: debian
2022-11-30T06:20:12.917-0500 INFO Detecting Debian vulnerabilities...
2022-11-30T06:20:13.000-0500 INFO Number of PL dependency files: 1
2022-11-30T06:20:13.000-0500 INFO Detecting gobinary vulnerabilities...
redis:7.0.4-bullseye (debian 11.5)
Vulnerabilities found....
+------------+------------------+----------+-------------------+---------------+---------------------------------------------+
| LIBRARY    | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION | TITLE                                       |
+------------+------------------+----------+-------------------+---------------+---------------------------------------------+
| libtasn1-6 | CVE-2021-46848   | CRITICAL | 4.16.0-2          |               | libtasn1: Out-of-bound access in ETYPE_OK   |
|            |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-46848       |
+------------+------------------+----------+-------------------+---------------+---------------------------------------------+
| libdb5.3   | CVE-2019-8457    | CRITICAL | 5.3.28+dfsg1-0.8  |               | sqlite: heap out-of-bound read in function  |
|            |                  |          |                   |               | rtreenode()                                 |
|            |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2019-8457        |
+------------+------------------+----------+-------------------+---------------+---------------------------------------------+
To reproduce
We can use the following link to reproduce the CVE: https://trivy.dev/results/?image=redis:7.0.4-bullseye
Expected behavior
CVE-2019-8457 is fixed in the latest version of the sqlite package. Will it be fixed in a future release, or is there any workaround?
Additional information
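Added example (not part of this issue, and not code from the redis or docker-library projects): a small triage script for a scan like the one above. Both findings in the report have an empty FIXED VERSION column, which means Debian bullseye has not shipped a fix, so no Redis image rebuild can remove them; the actionable findings are the ones that do carry a fixed version. The script reads Trivy's JSON report (`trivy image --format json redis:7.0.4-bullseye`; the field names VulnerabilityID, PkgName, InstalledVersion, FixedVersion and Severity are assumed to follow Trivy's JSON format), splits findings into "fixable" and "unfixed", and returns a CI exit code that only fails on fixable ones, the same policy as `trivy image --ignore-unfixed --exit-code 1` but without hiding the unfixed list. The embedded report is constructed from the table in this issue, not from a fresh scan.

```python
"""Triage a Trivy JSON report: separate findings the distro has fixed from ones it has not."""
import json
from typing import Dict, List

# Constructed sample modelled on the two CRITICAL findings reported for
# redis:7.0.4-bullseye in this issue. Field names follow Trivy's JSON report
# format (assumed here); values are copied from the issue's table, not a new scan.
# Neither finding carries a FixedVersion, matching the empty FIXED VERSION column.
SAMPLE_REPORT = json.loads(r"""
{
  "SchemaVersion": 2,
  "ArtifactName": "redis:7.0.4-bullseye",
  "Results": [
    {
      "Target": "redis:7.0.4-bullseye (debian 11.5)",
      "Class": "os-pkgs",
      "Type": "debian",
      "Vulnerabilities": [
        {
          "VulnerabilityID": "CVE-2021-46848",
          "PkgName": "libtasn1-6",
          "InstalledVersion": "4.16.0-2",
          "Severity": "CRITICAL",
          "Title": "libtasn1: Out-of-bound access in ETYPE_OK"
        },
        {
          "VulnerabilityID": "CVE-2019-8457",
          "PkgName": "libdb5.3",
          "InstalledVersion": "5.3.28+dfsg1-0.8",
          "Severity": "CRITICAL",
          "Title": "sqlite: heap out-of-bound read in function rtreenode()"
        }
      ]
    }
  ]
}
""")

SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}


def triage(report: dict, min_severity: str = "HIGH") -> Dict[str, List[dict]]:
    """Split OS-package findings at or above min_severity into those with a
    FixedVersion (actionable: rebuild on a newer base image) and those without
    (only the distro can close them; track them rather than block on them)."""
    threshold = SEVERITY_RANK[min_severity]
    out: Dict[str, List[dict]] = {"fixable": [], "unfixed": []}
    for result in report.get("Results", []):
        if result.get("Class") != "os-pkgs":
            continue  # language/binary findings are a separate discussion
        for v in result.get("Vulnerabilities", []):
            if SEVERITY_RANK.get(v.get("Severity", "UNKNOWN"), 0) < threshold:
                continue
            entry = {
                "id": v["VulnerabilityID"],
                "pkg": v["PkgName"],
                "installed": v["InstalledVersion"],
                "fixed": v.get("FixedVersion", ""),
                # Debian's own tracker is where a bullseye fix would appear.
                "tracker": f"https://security-tracker.debian.org/tracker/{v['VulnerabilityID']}",
            }
            out["fixable" if entry["fixed"] else "unfixed"].append(entry)
    return out


def gate(report: dict, min_severity: str = "HIGH") -> int:
    """CI exit code: 1 if any finding has a fix we are not consuming, else 0.
    Unfixed findings are printed so they are tracked, not silently dropped."""
    t = triage(report, min_severity)
    for e in t["unfixed"]:
        print(f"UNFIXED  {e['id']:<16} {e['pkg']:<12} {e['installed']:<18} see {e['tracker']}")
    for e in t["fixable"]:
        print(f"FIXABLE  {e['id']:<16} {e['pkg']:<12} {e['installed']} -> {e['fixed']}")
    return 1 if t["fixable"] else 0


if __name__ == "__main__":
    raise SystemExit(gate(SAMPLE_REPORT))
```

Run against the sample it exits 0 and lists both CVEs as UNFIXED with their Debian tracker links; swap in a real `trivy image --format json` report via `json.load` to use it in a pipeline. The CRITICAL findings here are real but unfixed in bullseye, so the decision to accept or reject the image is about whether libtasn1 and libdb5.3 are reachable from the running redis-server, not about which tag is pulled.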
Comment From: yossigo
@SaiSasankKhajjayam Please open an issue in the docker-library repository, that's the source of Docker Redis images.