libgnutls30=3.6.7-4+deb10u6 has high severity vulnerability.

[whitewolf92]

Hi,

I have a container scanner that is flagging libgnutls30 as having a security vulnerability. I tried upgrading it but I still stuck with version libgnutls30=3.6.7-4+deb10u6. Is there a way to upgrade to 3.6.7-4+deb10u7?

+-------------+------------------+----------+-------------------+-----------------+--------------------------------+
| LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION | TITLE |
+-------------+------------------+----------+-------------------+-----------------+--------------------------------+
| libgnutls30 | CVE-2021-20231 | CRITICAL | 3.6.7-4+deb10u6 | 3.6.7-4+deb10u7 | gnutls: Use after free in |
| | | | | | client key_share extension |

•         +------------------+          +                   +                 +--------------------------------+
  

| | CVE-2021-20232 | | | | gnutls: Use after free |
| | | | | | in client_send_params in |
| | | | | | lib/ext/pre_shared_key.c |
+-------------+------------------+----------+-------------------+-----------------+--------------------------------+

[tiangolo]

This seems to be related to something you had installed. 🤔

Anyway, just in case, now that Uvicorn supports managing workers with --workers, including restarting dead ones, there's no need for Gunicorn. That also means that it's much simpler to build a Docker image from scratch now, I updated the docs to explain it.

Because of that, I deprecated this Docker image: https://github.com/tiangolo/uvicorn-gunicorn-fastapi-docker#-warning-you-probably-dont-need-this-docker-image