bell-sw / Liberica

Free and 100% open source Progressive Java Runtime for modern Java™ deployments supported by a leading OpenJDK contributor
https://bell-sw.com/pages/libericajdk/
GNU General Public License v2.0

Update GLIBC version in liberica-openjre-alpine images #199

Open solveme opened 2 weeks ago

solveme commented 2 weeks ago

Currently liberica-openjre-alpine images are built using a hardcoded GLIBC version:

FROM debian:10-slim as glibc-base

ARG GLIBC_VERSION=2.28
ARG GLIBC_PREFIX=/usr/glibc
ARG LANG=en_US.UTF-8

As it turned out, 2.28 is affected by multiple CVEs, a few of them:
https://nvd.nist.gov/vuln/detail/cve-2019-9169
https://nvd.nist.gov/vuln/detail/CVE-2023-0687
https://nvd.nist.gov/vuln/detail/CVE-2022-23219
https://nvd.nist.gov/vuln/detail/CVE-2022-23218

So it would be nice to use fresh releases of GLIBC in docker images.
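
One way to catch a stale pin like the one reported above in CI, as an added example that is not part of the original issue or the Liberica build scripts. The function names and the `MIN_GLIBC` floor are hypothetical; the floor is a policy value you set from your own advisory review, and the comparison relies on `sort -V` from GNU coreutils.

```shell
#!/bin/sh
# Added example: flag a Dockerfile whose pinned glibc is older than a policy floor.

# Print the default value of `ARG GLIBC_VERSION=...` from the Dockerfile given as $1.
pinned_glibc_version() {
    sed -n 's/^[[:space:]]*ARG[[:space:]]\{1,\}GLIBC_VERSION=\([0-9][0-9.]*\).*$/\1/p' "$1" | head -n 1
}

# Return 0 when version $1 is strictly older than version $2.
# sort -V compares numerically per component, so 2.9 sorts before 2.28.
version_lt() {
    [ "$1" != "$2" ] && [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# check_glibc_pin DOCKERFILE MIN_VERSION
# Exit status: 0 = pin meets the floor, 1 = pin is older, 2 = no pin found.
check_glibc_pin() {
    pinned=$(pinned_glibc_version "$1")
    if [ -z "$pinned" ]; then
        echo "no ARG GLIBC_VERSION default found in $1" >&2
        return 2
    fi
    if version_lt "$pinned" "$2"; then
        echo "glibc $pinned in $1 is older than required $2" >&2
        return 1
    fi
    echo "glibc $pinned in $1 meets floor $2"
    return 0
}

# Constructed sample: the Dockerfile fragment quoted in the issue.
sample=$(mktemp)
cat > "$sample" <<'EOF'
FROM debian:10-slim as glibc-base

ARG GLIBC_VERSION=2.28
ARG GLIBC_PREFIX=/usr/glibc
ARG LANG=en_US.UTF-8
EOF

# MIN_GLIBC is a hypothetical policy value, not a statement about which release fixes which CVE.
MIN_GLIBC=${MIN_GLIBC:-2.35}
check_glibc_pin "$sample" "$MIN_GLIBC" || echo "check exit status: $?"
```

A nonzero status from `check_glibc_pin` can fail the build step directly; status 2 separates "no pin found" from "pin too old" so a renamed build argument does not pass silently.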

voitylov commented 2 weeks ago

You definitely have a point.

That said, have you tried liberica-runtime-container [1] which has both flavors (musl and glibc)? Is there a use case that I'm probably missing which requires the glibc overlay and can't run in liberica-runtime-container?

If there is an important use case that we have not considered with liberica-runtime-container I would like to better understand it as overall I'm inclined to deprecate the glibc variant of liberica-openjdk-alpine and liberica-openjre-alpine.

[1] https://hub.docker.com/r/bellsoft/liberica-runtime-container