On this NVIDIA container with a lot of proprietary parts, an update may not work and can break the CUDA install. If CUDA is installed from the apt repo, it will be updated too on a more recent install, and if not, all CVEs related to CUDA dependencies will remain... If the container is not updated weekly by its owner, it should not be used in production (and maybe not at all ;) ). Sorry, you need to report it to NVIDIA if this CUDA release is needed, or get a newer one. Do we need to use this old release?
Hello,
I had a look at the SBOMs and vulnerabilities of the recent llama.cpp-server-cuda images.
It turns out they contain a relatively large list of medium-level CVEs stemming from the
nvidia/cuda:${CUDA_VERSION}-runtime-ubuntu${UBUNTU_VERSION} base image (currently resolving to nvidia/cuda:12.4.0-runtime-ubuntu22.04, which was last updated 20 months ago). It seems nvidia is not keeping legacy version container images up-to-date at all? For all of the medium-level CVEs, fixed versions exist (and have for a long time); however, they were never applied.
What would be the best way forward here? What about simply adding a
RUN apt-get update && apt-get -y upgrade
into the run container section of the cuda.Dockerfile (e.g. line 40), as nvidia is not providing it in the base?
Thank you!
Best
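
One way to combine the `apt-get -y upgrade` proposed in the post with the concern in the reply that an upgrade can break the CUDA install, as an added example (not the project's cuda.Dockerfile and not written by either participant): pin the NVIDIA packages, upgrade the rest, and fail the build if any CUDA package version moved. The ARG defaults mirror the tag quoted in the post; the package-name pattern `NVIDIA_PKG_REGEX` is an assumption and should be checked against the packages actually present in the image.

```dockerfile
# Added example. ARG defaults mirror the tag quoted in the post.
ARG CUDA_VERSION=12.4.0
ARG UBUNTU_VERSION=22.04
FROM nvidia/cuda:${CUDA_VERSION}-runtime-ubuntu${UBUNTU_VERSION}

# Assumption: packages with these prefixes are the CUDA user-space libraries.
# The pattern deliberately avoids a bare "libcu" prefix, which would also
# match libcurl and keep it from being patched.
ARG NVIDIA_PKG_REGEX='^(cuda-|libcublas|libcufft|libcurand|libcusolver|libcusparse|libnccl|libnpp|libnvjitlink|libnvjpeg)'

RUN set -eu; \
    export DEBIAN_FRONTEND=noninteractive; \
    # List "name version" for every installed package matching the pattern.
    snapshot() { dpkg-query -W -f='${Package} ${Version}\n' | grep -E "$NVIDIA_PKG_REGEX" | sort; }; \
    snapshot > /tmp/nvidia.before; \
    # Hold those packages so the upgrade below cannot replace them.
    cut -d' ' -f1 /tmp/nvidia.before | xargs -r apt-mark hold; \
    apt-get update; \
    # Apply the pending distribution fixes to everything that is not held.
    apt-get -y upgrade; \
    snapshot > /tmp/nvidia.after; \
    # diff exits non-zero on any change, which fails the build under set -e.
    diff -u /tmp/nvidia.before /tmp/nvidia.after; \
    rm -rf /var/lib/apt/lists/* /tmp/nvidia.before /tmp/nvidia.after
```

Held packages keep whatever CVEs they carry, so the image still needs a rescan after the build to see what remains on the CUDA side.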