MariaDB / mariadb-docker

Docker Official Image packaging for MariaDB
https://mariadb.org
GNU General Public License v2.0
759 stars, 438 forks

Update openssl to 3.0.7 due to security vulnerabilities #475

Closed seba90 closed 1 year ago

seba90 commented 1 year ago

OpenSSL from version 3.0 has a security vulnerability (Link). We are using the latest Docker image release from MariaDB and the image still uses OpenSSL 3.0.2. Are you intending to update soon?

yosifkit commented 1 year ago
```console
$ docker pull mariadb:latest
latest: Pulling from library/mariadb
e96e057aae67: Pull complete
13360dd5ccba: Pull complete
a7faf2e389f4: Pull complete
dff396cb19fe: Pull complete
e9f37cc3e4aa: Pull complete
c08d9a146853: Pull complete
7b24ce4edb73: Pull complete
eb9aeeef9842: Pull complete
ccfe27382d40: Pull complete
b793b98f634e: Pull complete
1f1ce5b27f82: Pull complete
Digest: sha256:bb39098029f443e8b02a1736c3cb4be1c5d6663a8355d4f9eb0b05693df4b9a0
Status: Downloaded newer image for mariadb:latest
docker.io/library/mariadb:latest
$ docker run -it --rm mariadb:latest bash
root@305f491e1166:/# dpkg -l | grep openssl
ii  openssl                   3.0.2-0ubuntu1.7                        amd64        Secure Sockets Layer toolkit - cryptographic utility
root@305f491e1166:/# apt update
Get:1 http://archive.ubuntu.com/ubuntu jammy InRelease [270 kB]
Get:2 http://security.ubuntu.com/ubuntu jammy-security InRelease [110 kB]
Get:4 http://archive.ubuntu.com/ubuntu jammy-updates InRelease [114 kB]
Get:5 http://security.ubuntu.com/ubuntu jammy-security/main amd64 Packages [579 kB]
Get:6 http://security.ubuntu.com/ubuntu jammy-security/universe amd64 Packages [757 kB]
Get:7 http://security.ubuntu.com/ubuntu jammy-security/multiverse amd64 Packages [4644 B]
Get:8 http://security.ubuntu.com/ubuntu jammy-security/restricted amd64 Packages [480 kB]
Get:9 http://archive.ubuntu.com/ubuntu jammy-backports InRelease [99.8 kB]
Get:3 https://archive.mariadb.org/mariadb-10.9.3/repo/ubuntu jammy InRelease [7767 B]
Get:10 https://archive.mariadb.org/mariadb-10.9.3/repo/ubuntu jammy/main amd64 Packages [19.1 kB]
Get:11 http://archive.ubuntu.com/ubuntu jammy/restricted amd64 Packages [164 kB]
Get:12 http://archive.ubuntu.com/ubuntu jammy/multiverse amd64 Packages [266 kB]
Get:13 http://archive.ubuntu.com/ubuntu jammy/universe amd64 Packages [17.5 MB]
Get:14 http://archive.ubuntu.com/ubuntu jammy/main amd64 Packages [1792 kB]
Get:15 http://archive.ubuntu.com/ubuntu jammy-updates/restricted amd64 Packages [528 kB]
Get:16 http://archive.ubuntu.com/ubuntu jammy-updates/multiverse amd64 Packages [16.9 kB]
Get:17 http://archive.ubuntu.com/ubuntu jammy-updates/main amd64 Packages [881 kB]
Get:18 http://archive.ubuntu.com/ubuntu jammy-updates/universe amd64 Packages [940 kB]
Get:19 http://archive.ubuntu.com/ubuntu jammy-backports/universe amd64 Packages [7290 B]
Get:20 http://archive.ubuntu.com/ubuntu jammy-backports/main amd64 Packages [3175 B]
Fetched 24.5 MB in 9s (2720 kB/s)
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
2 packages can be upgraded. Run 'apt list --upgradable' to see them.
root@305f491e1166:/# apt list --upgradable
Listing... Done
libsqlite3-0/jammy-updates,jammy-security 3.37.2-2ubuntu0.1 amd64 [upgradable from: 3.37.2-2]
tzdata/jammy-updates,jammy-security 2022f-0ubuntu0.22.04.0 all [upgradable from: 2022e-0ubuntu0.22.04.0]
```

There are no updates available for openssl. The images were already rebuilt to get the newest version: https://github.com/docker-library/official-images/pull/13457. 3.0.2-0ubuntu1.7 is the version with the fix: https://ubuntu.com/security/CVE-2022-3786
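The point of the reply above is that Ubuntu backports security fixes without changing the upstream version number, so `openssl 3.0.2-0ubuntu1.7` already carries the fix that upstream released as 3.0.7; a check that only looks at the "3.0.2" part keeps raising this kind of issue. The script below is an added example, not code from the mariadb-docker project or either commenter: it ports dpkg's version-comparison rules to Python and audits `dpkg -l` output against a table of distro fixed versions. The table entry for `openssl` (3.0.2-0ubuntu1.7, CVE-2022-3786) comes from the reply; the `libssl3` entry is our own addition, assumed to share that fixed version because it is built from the same source package, and it is listed because the shared library is what the server process actually loads, not the `openssl` command-line tool. The `dpkg -l` lines fed to it are constructed for the example.

```python
"""Audit `dpkg -l` output against distro fixed versions using dpkg's
own version-ordering rules (added example, not project code)."""


def _isdigit(c):
    return "0" <= c <= "9"


def _order(c):
    """Character weight from dpkg: '~' sorts before everything (even end of
    string), letters before non-letters; digits and end of string are 0."""
    if c == "" or _isdigit(c):
        return 0
    if c == "~":
        return -1
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _verrevcmp(a, b):
    """Port of dpkg's verrevcmp(): compare alternating non-digit and numeric
    segments; numeric segments are compared as numbers, not strings."""
    i = j = 0
    while i < len(a) or j < len(b):
        while (i < len(a) and not _isdigit(a[i])) or (j < len(b) and not _isdigit(b[j])):
            ac = _order(a[i] if i < len(a) else "")
            bc = _order(b[j] if j < len(b) else "")
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        while i < len(a) and a[i] == "0":   # leading zeros are insignificant
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        first_diff = 0
        while i < len(a) and _isdigit(a[i]) and j < len(b) and _isdigit(b[j]):
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and _isdigit(a[i]):   # longer digit run is larger
            return 1
        if j < len(b) and _isdigit(b[j]):
            return -1
        if first_diff:
            return first_diff
    return 0


def parse_version(v):
    """Split [epoch:]upstream[-revision]; a missing revision equals '0'."""
    epoch = 0
    if ":" in v:
        e, v = v.split(":", 1)
        epoch = int(e)
    upstream, sep, revision = v.rpartition("-")
    if not sep:
        upstream, revision = v, "0"
    return epoch, upstream, revision


def compare_versions(a, b):
    """Return -1, 0 or 1, matching `dpkg --compare-versions a lt|eq|gt b`."""
    ea, ua, ra = parse_version(a)
    eb, ub, rb = parse_version(b)
    if ea != eb:
        return 1 if ea > eb else -1
    for x, y in ((ua, ub), (ra, rb)):
        c = _verrevcmp(x, y)
        if c:
            return 1 if c > 0 else -1
    return 0


# openssl entry is from the issue reply (https://ubuntu.com/security/CVE-2022-3786).
# libssl3 is our addition: assumed to have the same fixed version because it is
# built from the same source package, and it is the library mariadbd loads.
FIXED_VERSIONS = {
    "openssl": ("3.0.2-0ubuntu1.7", "CVE-2022-3786"),
    "libssl3": ("3.0.2-0ubuntu1.7", "CVE-2022-3786"),
}

# Constructed `dpkg -l` sample (not from the page): the CLI package is patched
# but the shared library is one revision behind.
SAMPLE_DPKG_L = """\
ii  libssl3:amd64  3.0.2-0ubuntu1.6        amd64  Secure Sockets Layer toolkit - shared libraries
ii  openssl        3.0.2-0ubuntu1.7        amd64  Secure Sockets Layer toolkit - cryptographic utility
ii  tzdata         2022e-0ubuntu0.22.04.0  all    time zone and daylight-saving time data
"""


def audit_dpkg_output(dpkg_l_output, fixed=FIXED_VERSIONS):
    """Map package name -> (installed, verdict, cve) for packages in `fixed`."""
    verdicts = {}
    for line in dpkg_l_output.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0] != "ii":   # only fully installed packages
            continue
        name = fields[1].split(":")[0]              # drop the ':amd64' qualifier
        if name not in fixed:
            continue
        fixed_version, cve = fixed[name]
        ok = compare_versions(fields[2], fixed_version) >= 0
        verdicts[name] = (fields[2], "fixed" if ok else "VULNERABLE", cve)
    return verdicts


if __name__ == "__main__":
    for pkg, (inst, verdict, cve) in sorted(audit_dpkg_output(SAMPLE_DPKG_L).items()):
        print(f"{pkg:10} {inst:20} {verdict:10} ({cve})")
    # Upstream-only comparison is what scanners get wrong: -1 here means "older".
    print("3.0.2-0ubuntu1.7 vs 3.0.7:", compare_versions("3.0.2-0ubuntu1.7", "3.0.7"))
```

Inside the container the same check is a one-liner, since dpkg implements this ordering itself: `dpkg --compare-versions "$(dpkg-query -W -f='${Version}' libssl3)" ge 3.0.2-0ubuntu1.7`. Compare against the distribution's fixed version from the USN or CVE page, not against the upstream release number, and check the library package the server links against, not just the `openssl` CLI.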