CVEs in official docker image apache/kvrocks:2.14.0

[Tennyleaz]

In a recent Trivy scan, it reported several CVEs in the official docker image apache/kvrocks:2.14.0.

• CVE-2025-6020 in libpam.
• CVE-2023-45853 in zlib1g.

Is there recommended fix?
Thanks.

[PragmaTwice]

CVE-2023-45853: firstly, we do NOT use zlib (we use zlib-ng instead). secondly, minizip is NOT a part of zlib.
CVE-2025-6020: this is a database program and I don't think we use anything about linux pam. correct me if i'm wrong.

I don't think we need any fix. Please be careful about false positives in your scanner.

[Tennyleaz]

They are in the base image debian:bookworm-slim
Could it be updated to debian 13?

[PragmaTwice]

2.14.0 has been already released and we should not change a released image.

For releasing a patch version like 2.14.1, I don't think we have enough reason. We will not release a new version just due to a random scanner saying that there's some CVEs (that actually have no security impact.)

If you do care about the scanner result (e.g. due to your company policy), I suggest you create a docker image by yourself with the new base image. (We will not release new images just to conform a company policy.)

We can update the base image in 2.15.0. Release proposal is here: #3363. But I don't think debian 13 is a good choice. We can just use the latest bookworm (which is a LTS version).