Upgrade liberica-openjdk-alpine:21 to Alpine 3.19.1 to address OpenSSL CVEs

[frankgrimes97]

The last published Liberica Alpine docker image appears to still be using Alpine 3.19.0:

$ docker run -it --rm bellsoft/liberica-openjdk-alpine:21
Unable to find image 'bellsoft/liberica-openjdk-alpine:21' locally
21: Pulling from bellsoft/liberica-openjdk-alpine
c30352492317: Pull complete 
309bdb032224: Pull complete 
16e792870322: Pull complete 
Digest: sha256:f6ab9bfb862755066db48d2d0cd222bcc7061228ad7cfc7bcfcfd9de74bf3fb4
Status: Downloaded newer image for bellsoft/liberica-openjdk-alpine:21
/ # cat /etc/alpine-release 
3.19.0

Alpine 3.19.1 was recently released: https://www.alpinelinux.org/posts/Alpine-3.19.1-released.html It includes fixes for the following three OpenSSL CVEs:

• https://security.alpinelinux.org/vuln/CVE-2023-6129
• https://security.alpinelinux.org/vuln/CVE-2023-6237
• https://security.alpinelinux.org/vuln/CVE-2024-0727

$ docker run -it --rm alpine:3.19
Unable to find image 'alpine:3.19' locally
3.19: Pulling from library/alpine
Digest: sha256:c5b1261d6d3e43071626931fc004f70149baeba2c8ec672bd4f27761f8e1ad6b
Status: Downloaded newer image for alpine:3.19
/ # cat /etc/alpine-release 
3.19.1

[voitylov]

As a side note, liberica-runtime-container which is based on Alpaquita includes all relevant fixes:

• https://docs.bell-sw.com/security/cves/CVE-2023-6129/ - not affected, ppc only.
• https://docs.bell-sw.com/security/cves/CVE-2023-6237/ - fixed
• https://docs.bell-sw.com/security/cves/CVE-2024-0727/ - fixed

One of the motivations for creating Alpaquita was that we update fast without waiting for some linux distro to update their packages.

[frankgrimes97]

The Liberica Runtime Container images don't yet appear to be available for linux/arm64. Are there plans to publish arm64 images in the near future? Until then we will need to continue using bellsoft/liberica-openjdk-alpine.

[frankgrimes97]

@voitylov Any update on this? (I re-verified today and the published image is still on alpine-3.19.0)

[voitylov]

Yes:

$ docker run --rm -it bellsoft/liberica-openjdk-alpine cat /etc/os-release ...... NAME="Alpine Linux" ID=alpine VERSION_ID=3.19.1