Closed omni-htg closed 5 months ago
@gdams Is this something DockerHub will automatically move to?
I ran docker scout on this eclipse-temurin:17-jre-alpine and found 2 security issues.
There is a vulnerability for the base image alpine 3.18
solution: please upgrade to alpine 3.19
I don't think dockerhub will update to 3.19.0 with their updating as the repo here pins to 3.18
https://github.com/adoptium/containers/blob/main/17/jre/alpine/Dockerfile#L20
In the next few days the next JDK patch cycle is up (e: ah here it is https://github.com/adoptium/containers/pull/475), that would be an opportunity (or risk) to switch at the same time? The config comes through here https://github.com/adoptium/containers/blob/main/config/hotspot.yml#L46, let me submit a PR and see if you want to merge it to switch to 3.19 around the time the next JDK patches are coming up
> There is a vulnerability for the base image alpine 3.18
That surprises me somewhat since Alpine 3.18 should be supported for the purposes of security fixes until May 2025 so I wonder if something else is missing from the process here.
> That surprises me somewhat since Alpine 3.18 should be supported for the purposes of security fixes until May 2025 so I wonder if something else is missing from the process here.
That is true -- the core image might be a bit old, but a simple update should bring in the security fixes. While this means there is no "need" to upgrade (from the perspective of "vulnerabilities"), it does help to bring the images closer to "latest".
In the PR conversation, @gdams also provided some insight on their decision to upgrade instead of releasing a new tag:
We have always aimed to follow the latest Alpine version otherwise we would end up maintaining a vast number of tags. The other risk is that a user relying on 8-alpine.3.18 might assume that they are still getting the latest Java version/security fixes which they wouldn't.
> There is a vulnerability for the base image alpine 3.18

> That surprises me somewhat since Alpine 3.18 should be supported for the purposes of security fixes until May 2025 so I wonder if something else is missing from the process here.
The mentioned vulnerabilities are likely CVE-2023-6129 (only on powerpc) & CVE-2023-6237 (published 3 days ago)
which are also present in the current tag 3.18
-> https://hub.docker.com/layers/library/alpine/3.18/images/sha256-d695c3de6fcd8cfe3a6222b0358425d40adfd129a8a47c3416faff1a8aece389?context=explore
the tag is 2 months old, i.e. not updated, which explains why the temurin-images were not rebuilt by DockerHub.
Why that tag is as old as it is and has not been rebuilt for 2 months does seem surprising indeed.
> the tag is 2 months old, i.e. not updated, which explains why the temurin-images were not rebuilt by DockerHub. Why that tag is as old as it is and has not been rebuilt for 2 months does seem surprising indeed.
Yeah that sounds like something we should check with dockerhub to ensure we have the suitable processes going forward - or whether it's a fault in the dockerhub process that 3.18 hasn't been updated.
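As an added example (not code from this thread or from the Adoptium project), here is a small Python check that a consumer of these images could run over `docker image inspect` output to flag the two conditions discussed above: an image tag that has not been rebuilt for longer than a chosen policy window, and a base release that lags behind the current Alpine release. The inspect JSON, the 30-day threshold, and the "latest Alpine" value are constructed assumptions for the example; in practice the JSON comes from `docker image inspect <tag>` and the release string from `/etc/alpine-release` inside the image.

```python
import json
from datetime import datetime, timezone

# Constructed sample: a trimmed `docker image inspect` record. These values are
# made up for the example and are not taken from the real eclipse-temurin image.
SAMPLE_INSPECT = json.dumps([{
    "RepoTags": ["eclipse-temurin:17-jre-alpine"],
    "Created": "2023-11-10T10:15:00.123456789Z",
    "Config": {"Labels": {}},
}])

# Policy threshold: how many days without a rebuild counts as stale (assumed).
MAX_AGE_DAYS = 30


def parse_docker_time(ts):
    """Parse Docker's RFC 3339 timestamp, which may carry nanoseconds."""
    # strptime cannot take 9 fractional digits, so drop the fraction and the Z.
    base = ts.split(".")[0].rstrip("Z")
    return datetime.strptime(base, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def image_age_days(inspect_json, now=None):
    """Whole days since the image layer set was built (first record only)."""
    record = json.loads(inspect_json)[0]
    created = parse_docker_time(record["Created"])
    now = now or datetime.now(timezone.utc)
    return (now - created).days


def alpine_release_tuple(release):
    """'3.18.5' -> (3, 18); patch level is ignored for the branch comparison."""
    parts = release.strip().split(".")
    return int(parts[0]), int(parts[1])


def check_image(inspect_json, alpine_release, latest_alpine, now=None):
    """Return a list of (code, message) findings; empty list means no concern."""
    findings = []
    age = image_age_days(inspect_json, now)
    if age > MAX_AGE_DAYS:
        findings.append(("stale-image",
                         f"image built {age} days ago, exceeds {MAX_AGE_DAYS}-day policy"))
    if alpine_release_tuple(alpine_release) < alpine_release_tuple(latest_alpine):
        findings.append(("base-behind",
                         f"base is Alpine {alpine_release}, latest branch is {latest_alpine}"))
    return findings


if __name__ == "__main__":
    # Fixed 'now' so the run is reproducible; '3.19.0' is the assumed latest release.
    for code, msg in check_image(SAMPLE_INSPECT, "3.18.5", "3.19.0",
                                 now=datetime(2024, 1, 10, tzinfo=timezone.utc)):
        print(f"{code}: {msg}")
```

The age check is the one that would have caught the situation in this thread: a base tag that still carries an affected package is not a scanner problem but a rebuild problem, and only the `Created` timestamp reveals it. The branch comparison deliberately ignores the patch level, since staying on a supported branch with current patches is what matters for security fixes; a stricter policy could compare the full version.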
Is there an ETA when the tags get updated in DockerHub after the code for the Dockerfiles changed here? The PR was merged 3 days ago, I assumed that the tags would be updated the night/morning/day after or so, but the latest alpine image tags remain from 2 months ago
https://hub.docker.com/_/eclipse-temurin/tags?page=1&name=alpine
I may be mistaken here -- don't both alpine and eclipse-temurin need to have a new pull request approved in https://github.com/docker-library/official-images for a new image to be pushed to DockerHub?
I believe gdams is on it for adoptium right now, but that would explain the delay from alpine.
https://github.com/docker-library/official-images/pull/16093/files I think will force it CC @gdams
Hello there, Adoptium team.
Alpine 3.19 was released on December 7th*.
Are there plans to upgrade the Alpine images to it, or maybe release it as a separate tag?
Thank you!
EDIT: Fixed release date 1/12 -> 7/12.