alpinelinux / docker-alpine

Official Alpine Linux Docker image. Win at minimalism!
MIT License

Update libcrypto3/libssl3 to fix CVE-2023-2975 #333

Status: Closed (k725 closed this 11 months ago)

k725 commented 11 months ago

It looks like #328. I would appreciate it if you could update the base image.

┌────────────┬───────────────┬──────────┬───────────────────┬───────────────┬─────────────────────────────────────────────────────────────┐
│  Library   │ Vulnerability │ Severity │ Installed Version │ Fixed Version │                            Title                            │
├────────────┼───────────────┼──────────┼───────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
│ libcrypto3 │ CVE-2023-2975 │ LOW      │ 3.1.1-r1          │ 3.1.1-r2      │ Issue summary: The AES-SIV cipher implementation contains a │
│            │               │          │                   │               │ bug that c ......                                           │
│            │               │          │                   │               │ https://avd.aquasec.com/nvd/cve-2023-2975                   │
├────────────┤               │          │                   │               │                                                             │
│ libssl3    │               │          │                   │               │                                                             │
│            │               │          │                   │               │                                                             │
│            │               │          │                   │               │                                                             │
└────────────┴───────────────┴──────────┴───────────────────┴───────────────┴─────────────────────────────────────────────────────────────┘
philipleetaylor commented 11 months ago

We need libcrypto3 upgraded to 3.1.1-r3 now to fix yet another CVE:

philipleetaylor commented 11 months ago

Both of these CVEs have been upgraded to medium risk.

k725 commented 11 months ago

This issue has been fixed in 3.18.3 (latest).
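The thread's Trivy table and the follow-up about 3.1.1-r3 both boil down to one check: is the `libcrypto3`/`libssl3` build installed in the image older than the build that carries the fix? The script below, added here as an example and not code from the alpinelinux/docker-alpine project, does that check offline over constructed `apk list --installed` lines. The fixed versions in `FIXED` come from the thread (3.1.1-r2 for CVE-2023-2975, superseded by the later 3.1.1-r3 requirement); the sample package list is made up to resemble an alpine:3.18.2 image and is not real scanner output. The version comparison handles only dotted numeric versions plus the `-rN` release suffix, which is enough for the OpenSSL packages here but is a simplification of apk's full version grammar.

```python
"""Check an Alpine image's installed packages against Trivy-style fixed versions.

Added example, not project code.  SAMPLE_APK_LIST is constructed to look like
`apk list --installed` output; FIXED mirrors the thread (libcrypto3/libssl3
must reach 3.1.1-r3, which also covers the 3.1.1-r2 fix for CVE-2023-2975).
"""
import re

# package -> fixed version taken from the issue thread (assumed complete only
# for the two OpenSSL packages discussed there)
FIXED = {
    "libcrypto3": "3.1.1-r3",
    "libssl3": "3.1.1-r3",
}

# Constructed sample of `apk list --installed` lines:
# <name>-<version>-r<release> <arch> {<origin>} (<license>) [installed]
SAMPLE_APK_LIST = """\
alpine-baselayout-3.4.3-r1 x86_64 {alpine-baselayout} (GPL-2.0-only) [installed]
ca-certificates-bundle-20230506-r0 x86_64 {ca-certificates} (MPL-2.0 AND MIT) [installed]
libcrypto3-3.1.1-r1 x86_64 {openssl} (Apache-2.0) [installed]
libssl3-3.1.1-r1 x86_64 {openssl} (Apache-2.0) [installed]
musl-1.2.4-r0 x86_64 {musl} (MIT) [installed]
"""


def parse_apk_version(ver):
    """Split '3.1.1-r2' into ([3, 1, 1], 2).

    Simplified: dotted numeric components plus an optional -rN release.
    Alpine's letter and _p/_alpha/_rc suffixes are rejected rather than
    silently misordered.
    """
    m = re.fullmatch(r"([0-9.]+)(?:-r(\d+))?", ver)
    if not m:
        raise ValueError(f"unsupported version string: {ver!r}")
    nums = [int(p) for p in m.group(1).split(".") if p != ""]
    rel = int(m.group(2)) if m.group(2) else 0
    return nums, rel


def compare_versions(a, b):
    """Return -1, 0 or 1 as a <, ==, > b (numeric parts first, then -rN)."""
    na, ra = parse_apk_version(a)
    nb, rb = parse_apk_version(b)
    n = max(len(na), len(nb))
    na += [0] * (n - len(na))  # pad so 3.1 == 3.1.0
    nb += [0] * (n - len(nb))
    if na != nb:
        return -1 if na < nb else 1
    if ra != rb:
        return -1 if ra < rb else 1
    return 0


def parse_apk_list(text):
    """Map package name -> installed 'version-rN' from `apk list --installed` lines."""
    installed = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or "[installed]" not in line:
            continue
        pkgver = line.split()[0]  # e.g. libcrypto3-3.1.1-r1
        # names may contain '-', so split from the right: <name>-<version>-<rN>
        name, ver, rel = pkgver.rsplit("-", 2)
        installed[name] = f"{ver}-{rel}"
    return installed


def find_vulnerable(installed, fixed=FIXED):
    """Return {package: (installed_version, fixed_version)} for packages older than the fix."""
    out = {}
    for pkg, fixed_ver in fixed.items():
        cur = installed.get(pkg)
        if cur is not None and compare_versions(cur, fixed_ver) < 0:
            out[pkg] = (cur, fixed_ver)
    return out


def upgrade_command(vulnerable):
    """Interim Dockerfile-side remediation until the base image is rebuilt, or None if clean."""
    if not vulnerable:
        return None
    return "apk upgrade --no-cache " + " ".join(sorted(vulnerable))


if __name__ == "__main__":
    vuln = find_vulnerable(parse_apk_list(SAMPLE_APK_LIST))
    for pkg, (cur, fix) in sorted(vuln.items()):
        print(f"{pkg}: installed {cur}, fixed in {fix}")
    cmd = upgrade_command(vuln)
    if cmd:
        print(f"RUN {cmd}")
```

Feed it real output with `docker run --rm alpine:3.18.2 apk list --installed` piped into `parse_apk_list`. When the base image lags the package fix, the emitted `apk upgrade --no-cache libcrypto3 libssl3` line in your own Dockerfile closes the gap until the rebuilt tag (3.18.3 here) lands; once the base image is current, the function returns no packages and the extra layer can be dropped.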