CVE-2023-379 on docker image for deepstream 6.2

Hi, we are using nvcr.io/nvidia/deepstream:6.2-triton as our base image, and we’re getting a vulnerability on a package called certifi. Details below:

We did try to upgrade the version, but the older version seems to be getting picked up when we do a vulnerability scan. Are there any fixes for this? Since it’s a production system, we were hoping for some fixes for CVEs.

Can you share some information about your company and the project?

NVD - CVE-2023-37920 shows it was published on 07/25/2023, while DeepStream 6.2 was released much earlier.

DeepStream does not install any package specific to Python in its docker. It is possible that the vuln may be coming from the base image (Triton / Ubuntu distribution) itself.

The DeepStream dockerfile is open source: NVIDIA-AI-IOT/deepstream_dockers: A project demonstrating how to make DeepStream docker images (github.com). You can patch the docker to match the CVE.
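An added example, not part of the thread or of NVIDIA's Dockerfiles: a check to run inside a rebuilt image that lists every certifi copy on disk and flags those older than 2023.07.22, the certifi release that addresses CVE-2023-37920. It assumes the stale version the scanner reports comes from a second copy left in another `site-packages` / `dist-packages` directory, which the thread does not confirm; the paths and versions in `demo()` are constructed sample data.

```python
import os
import re
import tempfile

FIXED = (2023, 7, 22)  # certifi 2023.07.22 addresses CVE-2023-37920
META = re.compile(r"^certifi-.+\.(dist-info|egg-info)$", re.IGNORECASE)

def parse_version(text):
    """'2023.07.22' -> (2023, 7, 22), so zero-padded and plain forms compare equal."""
    return tuple(int(p) for p in re.findall(r"\d+", text)[:3])

def read_version(path):
    """Return the Version: header of a METADATA / PKG-INFO file, or None."""
    if not os.path.isfile(path):
        return None
    with open(path, encoding="utf-8", errors="replace") as fh:
        for line in fh:
            if line.lower().startswith("version:"):
                return line.split(":", 1)[1].strip()
    return None

def find_certifi(root):
    """Return sorted (path, version, below_fixed) for every certifi copy under root."""
    found = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            if not META.match(name):
                continue
            entry = os.path.join(dirpath, name)  # metadata dir, or a single-file egg-info
            files = [entry] if os.path.isfile(entry) else [
                os.path.join(entry, m) for m in ("METADATA", "PKG-INFO")]
            version = next((v for v in map(read_version, files) if v), None)
            if version:
                found.append((entry, version, parse_version(version) < FIXED))
    return sorted(found)

def demo():
    """Constructed sample tree: an old distro copy plus an upgraded pip copy."""
    root = tempfile.mkdtemp()
    for rel, meta, ver in (
            ("usr/lib/python3/dist-packages/certifi-2019.11.28.egg-info", "PKG-INFO", "2019.11.28"),
            ("usr/local/lib/python3.8/dist-packages/certifi-2023.7.22.dist-info", "METADATA", "2023.7.22")):
        os.makedirs(os.path.join(root, rel))
        with open(os.path.join(root, rel, meta), "w") as fh:
            fh.write(f"Metadata-Version: 2.1\nName: certifi\nVersion: {ver}\n\n")
    return root, find_certifi(root)

if __name__ == "__main__":
    for path, version, vulnerable in demo()[1]:
        print("VULNERABLE" if vulnerable else "ok", version, path)
```

Calling `find_certifi("/")` in a container started from the patched image shows whether an old copy survived the upgrade and which directory it lives in.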

@vsunil Can you tell us your company and the information about your project?

There is no update from you for a period, assuming this is not an issue anymore. Hence we are closing this topic. If you need further support, please open a new one. Thanks

@vsunil There is a solution to resolve the CVE vulnerability issue. Please refer to IMPORTANT NOTICE for DeepStream 6.3 Developers for the steps.
