docker-library / golang

Docker Official Image packaging for golang
https://golang.org
BSD 3-Clause "New" or "Revised" License

Golang 1.20.5 openssl vulnerabilities #465

Closed anjankow closed 1 year ago

anjankow commented 1 year ago

golang 1.20.5 images use debian/openssl in version 1.1.1n-0+deb11u4 which is affected by CVE-2023-2650 and CVE-2023-0464 vulnerabilities (among others).

These vulnerabilities have been fixed in version 1.1.1n-0+deb11u5.

Could the version be updated in the golang image too?

yosifkit commented 1 year ago

The default 1.20 is now Bookworm based (and so is OpenSSL 3.0) and the Bullseye images have also been rebuilt via https://github.com/docker-library/official-images/pull/14832:

https://hub.docker.com/layers/library/golang/1.20-bullseye/images/sha256-d319a1d4ce390c1222f8cf270c1a8b0d6c898c7658f5ec2a3ebdb1254895da18?context=explore
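To confirm what a given tag actually ships, run `dpkg-query -W -f '${binary:Package}\t${Version}\n' libssl1.1 openssl` inside the image and compare the result with the fixed version named in the report. The script below is an added example, not code from this issue or the docker-library repository: it implements dpkg's version-ordering rules in Python (epoch, upstream, revision, with `~` sorting before anything) and flags packages whose installed version is older than the fixed one, run over a constructed dpkg-query sample.

```python
import re

# Added example (not from the issue or the docker-library repo): flag Debian packages whose
# installed version sorts below the fixed one, using dpkg's version-ordering rules.
FIXED_VERSIONS = {"libssl1.1": "1.1.1n-0+deb11u5", "openssl": "1.1.1n-0+deb11u5"}

def _order(c):  # dpkg weight: '~' before anything, end/digit 0, letters, then other symbols
    return -1 if c == "~" else 0 if not c or c.isdigit() else ord(c) if c.isalpha() else ord(c) + 256

def _verrevcmp(a, b):  # alternate non-digit runs (by _order) and digit runs (numeric)
    i = j = 0
    while i < len(a) or j < len(b):
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac, bc = _order(a[i:i + 1]), _order(b[j:j + 1])
            if ac != bc:
                return -1 if ac < bc else 1
            i, j = i + 1, j + 1
        da = re.match(r"\d*", a[i:]).group()
        db = re.match(r"\d*", b[j:]).group()
        i, j = i + len(da), j + len(db)
        if int(da or 0) != int(db or 0):
            return -1 if int(da or 0) < int(db or 0) else 1
    return 0

def compare_versions(a, b):
    """Order a against b (-1, 0, 1) the way `dpkg --compare-versions` does."""
    def split(v):  # [epoch:]upstream[-revision]
        epoch, sep, rest = v.partition(":")
        if not sep:
            epoch, rest = "0", v
        upstream, sep, revision = rest.rpartition("-")
        return int(epoch), (upstream if sep else rest), (revision if sep else "")
    ea, ua, ra = split(a)
    eb, ub, rb = split(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _verrevcmp(ua, ub) or _verrevcmp(ra, rb)

def vulnerable_packages(dpkg_output, fixed=FIXED_VERSIONS):
    # dpkg_output: "<package><TAB><version>" lines, as printed by
    # dpkg-query -W -f '${binary:Package}\t${Version}\n'; returns packages older than fixed
    findings = []
    for line in dpkg_output.splitlines():
        name, _, version = line.strip().partition("\t")
        if name in fixed and compare_versions(version, fixed[name]) < 0:
            findings.append((name, version))
    return findings

# Constructed sample of an unpatched Bullseye image; the rebuilt image should report deb11u5
SAMPLE = "libssl1.1\t1.1.1n-0+deb11u4\nopenssl\t1.1.1n-0+deb11u4\nca-certificates\t20210119\n"
```

A Bookworm-based tag will not list `libssl1.1` at all, so an empty result there only means the package is absent, not that the check passed; check the OpenSSL 3.0 package name for that release instead.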