CVE-2024-0056 vulnerability in dotnet v4 image

[hctan]

I'm getting security CVE-2024-0056 vulnerability in security scan of the azure function dotnet v4 image. It's due to the image using outdated packages. Would the image be updated soon to use the updated packages?
I think this is similar issue to #1004 (for a different vulnerability)

[abegun]

I accidentally thought I saw this fixed in latest, but am still seeing it in 4.28.3

[hctan]

I was using the scanner that came with docker desktop, it's using docker Scout, I'm not sure of the version.

If I check in azure portal, under Container Registry -> Microsoft Defender for Cloud. One of the scanner that's marked deprecated "[Deprecated] Azure registry container images should have vulnerabilities resolved (powered by Qualys)" would show the same vulnerability.

However if I check the scan result under "Azure registry container images should have vulnerabilities resolved (powered by Microsoft Defender Vulnerability Management)" then the same image is reported as healthy (no vulnerability).

I'm not sure why its not showing up on the latter one.

[Uriil]

We have similar problem but for CVE-2024-0057 issue. We are using AquaSec scanner, started failing today.

We are using mcr.microsoft.com/azure-functions/dotnet-isolated:4-dotnet-isolated8.0 image

[FinVamp1]

We have a fix coming for CVE-2024-0056 . We normally update the images once a week and I'll check and update this thread. For CVE-2024-0057 let me check into this.

[FinVamp1]

Hello, the fix for CVE-2024-0057 will roll out in the image for 4.31.1.