bell-sw / Liberica

Free and 100% open source Progressive Java Runtime for modern Java™ deployments supported by a leading OpenJDK contributor
https://bell-sw.com/pages/libericajdk/
GNU General Public License v2.0

Upgrade liberica-openjdk-alpine:21 to Alpine 3.20.3 to address CVEs #189

Closed frankgrimes97 closed 1 week ago

frankgrimes97 commented 3 weeks ago

The latest published Liberica Alpine docker image appears to still be using Alpine 3.20.2.

$ docker run -it --rm bellsoft/liberica-openjdk-alpine:21
Unable to find image 'bellsoft/liberica-openjdk-alpine:21' locally
21: Pulling from bellsoft/liberica-openjdk-alpine
690e87867337: Pull complete 
89fe5f764de0: Pull complete 
38fc32da7795: Pull complete 
Digest: sha256:ee40d83d93023b804847568d847e6540799091bd1b61322f8272de2ef369aa8b
Status: Downloaded newer image for bellsoft/liberica-openjdk-alpine:21
/ # cat /etc/alpine-release 
3.20.2

Alpine 3.20.3 was recently released: https://www.alpinelinux.org/posts/Alpine-3.17.10-3.18.9-3.19.4-3.20.3-released.html

It includes fixes for the following two OpenSSL CVEs:

$ docker run -it --rm alpine:3.20
Unable to find image 'alpine:3.20' locally
3.20: Pulling from library/alpine
cf04c63912e1: Pull complete 
Digest: sha256:beefdbd8a1da6d2915566fde36db9db0b524eb737fc57cd1367effd16dc0d06d
Status: Downloaded newer image for alpine:3.20
/ # cat /etc/alpine-release 
3.20.3

Thanks!
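The check in the report above (run the image, read `/etc/alpine-release`) is easy to turn into a CI gate that fails when a base image falls behind the Alpine patch release carrying a fix. The script below is an added example, not code from this issue or from the Liberica project. It assumes Alpine release strings are plain dotted numbers (as in `3.20.2`), that `docker` is on the PATH, and that the image runs `cat` as a plain command the way the issue's `docker run` does; the minimum version `3.20.3` is the one named in the report.

```shell
#!/bin/sh
# Added example (not part of bell-sw/Liberica): gate a Docker image on the
# Alpine patch release it ships, e.g. require >= 3.20.3 for the OpenSSL fixes
# mentioned in the issue.

# version_ge A B: exit 0 when dotted version A >= dotted version B.
# Pure POSIX shell, so it can be exercised without Docker. Missing
# components count as 0, so "3.20" == "3.20.0".
version_ge() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ax="${a%%.*}"; bx="${b%%.*}"
        if [ "$ax" = "$a" ]; then a=""; else a="${a#*.}"; fi
        if [ "$bx" = "$b" ]; then b=""; else b="${b#*.}"; fi
        ax="${ax:-0}"; bx="${bx:-0}"
        if [ "$ax" -gt "$bx" ]; then return 0; fi
        if [ "$ax" -lt "$bx" ]; then return 1; fi
    done
    return 0
}

# check_alpine_release RELEASE MIN: RELEASE is the raw content of
# /etc/alpine-release (trailing newline allowed). Returns 0 when the release
# meets MIN, 1 when it is older, 2 when the string is not a dotted version
# (assumption: real Alpine images only ever ship numeric dotted releases).
check_alpine_release() {
    rel="$(printf '%s' "$1" | tr -d '[:space:]')"
    case "$rel" in
        ''|*[!0-9.]*)
            echo "unrecognised release string: '$1'" >&2
            return 2 ;;
    esac
    if version_ge "$rel" "$2"; then
        echo "OK: Alpine $rel >= $2"
        return 0
    fi
    echo "FAIL: Alpine $rel < $2 (rebuild on a patched base image)"
    return 1
}

# check_image IMAGE MIN: run the image and inspect its /etc/alpine-release.
# Needs Docker; the pure functions above are what a unit test exercises.
check_image() {
    rel="$(docker run --rm "$1" cat /etc/alpine-release)" || return 2
    check_alpine_release "$rel" "$2"
}

# Usage as a script: ./check_alpine.sh bellsoft/liberica-openjdk-alpine:21 3.20.3
if [ "$#" -eq 2 ]; then
    check_image "$1" "$2"
fi
```

Running it against the image from the first comment in this issue would print `FAIL: Alpine 3.20.2 < 3.20.3 ...` and exit 1, which is the signal a build pipeline can act on; after the rebuild noted later in the thread it reports `OK`.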

frankgrimes97 commented 1 week ago

It looks like this has now been upgraded:

$ docker run -it --rm bellsoft/liberica-openjdk-alpine:21
Unable to find image 'bellsoft/liberica-openjdk-alpine:21' locally
21: Pulling from bellsoft/liberica-openjdk-alpine
cf04c63912e1: Already exists 
2e3473893452: Pull complete 
488fe963273a: Pull complete 
Digest: sha256:f8127c3f1a004c505c721d5b5dc5d2b21700993167d13b0ecfa8e43eed9823be
Status: Downloaded newer image for bellsoft/liberica-openjdk-alpine:21
/ # cat /etc/alpine-release 
3.20.3