alpinelinux / docker-alpine

Official Alpine Linux Docker image. Win at minimalism!
MIT License

CVE-2022-0778 libcrypto/libssl #243

Closed corstuur closed 2 years ago

corstuur commented 2 years ago

There is a new vulnerability in openssl. https://avd.aquasec.com/nvd/2022/cve-2022-0778/

The alpine image is vulnerable to this. Is it possible to update the base image and latest tag?

TomHellier commented 2 years ago

@ncopa @CosmicToast @sourcecode-glitch is it possible to get a new image pushed out soon?

ncopa commented 2 years ago

I'm working on it

jiasli commented 2 years ago

Thank you so much @ncopa for the prompt response. I saw:

https://alpinelinux.org/posts/Alpine-3.15.1-released.html

This release includes a fix for openssl CVE-2022-0778.

corstuur commented 2 years ago

Thanks for the fixes @ncopa. Unfortunately, it seems that there is another package that just received a fix.

Our vulnerability scanner now detects libretls to be vulnerable with the same vulnerability. I suppose this was updated after the new version was built. Can this new version of libretls also be implemented in the latest tag?


cristtopher commented 2 years ago

Bumping alpine from 3.15.0 to 3.15.1 doesn't work for me. The issue is still there.

TomHellier commented 2 years ago

@ncopa, are you aware this is still an issue? libretls is now causing an error instead of libssl.

Momotoculteur commented 2 years ago

+1 @corstuur, same issue for me

post-svejk commented 2 years ago

According to Snyk, https://security.snyk.io/vuln/SNYK-ALPINE315-LIBRETLS-2428776, the solution is just to update libretls. So a workaround appears to be:

RUN apk add --no-cache <OTHER PACKAGES> ... 'libretls>=3.3.4-r3' 

added to your Dockerfile.
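As an added example that is not part of the thread: a POSIX shell check that parses `apk info -v` output and verifies that libretls is at least 3.3.4-r3, the fixed version cited above, so a rebuilt image can be checked directly rather than trusting the tag. The package listing is constructed, and the version comparison helper is an assumption of this example that handles only numeric `X.Y.Z-rN` versions.

```shell
#!/bin/sh
# Constructed sample of `apk info -v` output (versions other than libretls are illustrative).
SAMPLE_APK_INFO='musl-1.2.2-r7
busybox-1.34.1-r3
libretls-3.3.4-r2
ssl_client-1.34.1-r3'

# Compare two apk-style versions "X.Y.Z-rN" numerically (assumption: letter suffixes
# such as openssl's "1.1.1n" are not handled). Returns 0 when $1 >= $2, else 1.
apk_version_ge() {
    a=${1%-r*}; ra=${1#*-r}; [ "$ra" = "$1" ] && ra=0
    b=${2%-r*}; rb=${2#*-r}; [ "$rb" = "$2" ] && rb=0
    while [ -n "$a" ] || [ -n "$b" ]; do
        ca=${a%%.*}; [ "$ca" = "$a" ] && a="" || a=${a#*.}
        cb=${b%%.*}; [ "$cb" = "$b" ] && b="" || b=${b#*.}
        [ "${ca:-0}" -gt "${cb:-0}" ] && return 0
        [ "${ca:-0}" -lt "${cb:-0}" ] && return 1
    done
    [ "$ra" -ge "$rb" ]
}

# Print the installed version of package $2 from an `apk info -v` listing ($1).
installed_version() {
    printf '%s\n' "$1" | sed -n 's/^'"$2"'-\([0-9][^ ]*\)$/\1/p' | head -n 1
}

# Verdict for package $2 against the minimum fixed version $3.
# Exit status: 0 fixed, 1 below the fixed version, 2 not installed.
check_package() {
    have=$(installed_version "$1" "$2")
    if [ -z "$have" ]; then
        echo "$2: not installed"
        return 2
    fi
    if apk_version_ge "$have" "$3"; then
        echo "$2-$have: OK (>= $3)"
        return 0
    fi
    echo "$2-$have: VULNERABLE (< $3)"
    return 1
}

# Inside a real container: check_package "$(apk info -v)" libretls 3.3.4-r3
# Demo against the constructed listing (3.3.4-r2 is below the fixed 3.3.4-r3).
check_package "$SAMPLE_APK_INFO" libretls 3.3.4-r3 || :
```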

hairyhenderson commented 2 years ago

@post-svejk that approach would probably work with previous versions of Alpine too. This issue is more about the CVE being detected in the image.

The main problem is that Alpine 3.15.1 seems to have been released before libretls 3.3.4-r3 was released. I don't think this is an issue that can be solved in this repo - it'll probably need to be solved upstream in the Alpine project.

Thankfully, there is an issue already upstream, and it appears that 3.15.2 will be released today: https://gitlab.alpinelinux.org/alpine/aports/-/issues/13623

ncopa commented 2 years ago

https://github.com/docker-library/official-images/pull/12103

Fix is on the way. Sorry for missing libretls and for taking so long to fix.

ncopa commented 2 years ago

I believe this is resolved now.

spearki commented 2 years ago

@ncopa I still see a pending update for libretls on the alpine:3.14.4 tag -- I think that needs a bump too?

ncopa commented 2 years ago

Seems so yes. Will take care of that. There is also an incoming fix for zlib so we need to make a 3.14.5 release anyway.

ncopa commented 2 years ago

Should be fixed with https://github.com/docker-library/official-images/pull/12138

eli-darkly commented 2 years ago

@ncopa What is the process for these patches getting pushed to DockerHub? Should I just be watching that PR and assume that an image will be available shortly after it's merged?

ncopa commented 2 years ago

> @ncopa What is the process for these patches getting pushed to DockerHub? Should I just be watching that PR and assume that an image will be available shortly after it's merged?

Yes. It should be available soon after it's merged.