Current docker images are using a vulnerable glibc library ldd (Debian GLIBC 2.36-9+deb12u3) 2.36 with severe privilege escalation exploits

[vincejv]

Describe the bug

• CVE-2023-6779
• CVE-2023-6780
• CVE-2023-6246

To Reproduce

1. Deploy tubesync docker
2. Check glibc version with ldd --version
3. Shows 'ldd (Debian GLIBC 2.36-9+deb12u3) 2.36'

Expected behavior
Security issue has been fixed on glibc 2.39, but backported to 2.36-9+deb12u4, 2.36-9+deb12u3 remains vulnerable, docker image should use the patched library 2.36-9+deb12u4

Error messages
n/a

Additional context
Flagged as HIGH: https://nvd.nist.gov/vuln/detail/CVE-2023-6246
https://www.kaspersky.com/blog/cve-2023-6246-glibc-vulnerability/50369/
https://thehackernews.com/2024/01/new-glibc-flaw-grants-attackers-root.html
https://www.bleepingcomputer.com/news/security/new-linux-glibc-flaw-lets-attackers-get-root-on-major-distros/
https://security-tracker.debian.org/tracker/CVE-2023-6246

Proposed fix
Rebuild the images with security updates from debian

[vincejv]

Vulnerable images
sha256:381f526be6e3e64d2c0ab2e0acb008c82777bc5aa0c2ddd88e59c5687d2e5541

[meeb]

Thanks for the issue. This will be automatically fixed in the next release. It's not super critical due to the very limited exposure of this particular issue in the container, but it'll obviously get fixed. Thanks!