Closed nomadme closed 1 year ago
For the Debian-based images we install openssl from the Debian packages. `1.1.1n-0+deb11u4` is the newest available openssl package for Bullseye, and it has all relevant CVE fixes applied: https://security-tracker.debian.org/tracker/source-package/openssl
```console
$ docker run -it --rm httpd bash
Unable to find image 'httpd:latest' locally
latest: Pulling from library/httpd
3f9582a2cbe7: Already exists
9423d69c3be7: Pull complete
d1f584c02b5d: Pull complete
758a20a64707: Pull complete
08507f82f391: Pull complete
Digest: sha256:76618ddd53f315a1436a56dc84ad57032e1b2123f2f6489ce9c575c4b280c4f4
Status: Downloaded newer image for httpd:latest
root@52b50c86ca83:/usr/local/apache2# dpkg -l | grep openssl
ii  openssl  1.1.1n-0+deb11u4  amd64  Secure Sockets Layer toolkit - cryptographic utility
```
The Alpine package is also as up to date as we have available.
The openssl packages in both Debian and Alpine are already built to address all known vulnerabilities. The respective security teams often make CVE fixes via a backported patch (i.e. just applying the fix without including the rest of an upstream version bump). The Nessus report is incorrect; it can't just version compare and must take into account system packagers doing backport fixes.
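The check that the reply above implies, written here as an added example (it is not code from the httpd image, the Debian project or anyone in this thread): read the package's Debian changelog to find the stanza that records a CVE fix, and decide "fixed or not" from the position of that stanza relative to the installed version's stanza (changelogs are newest-first), rather than by comparing upstream version strings the way the Nessus plugin does. The changelog text and the `CVE-YYYY-000N` ids in the sample are constructed placeholders; on a real Debian-based container the changelog is `/usr/share/doc/openssl/changelog.Debian.gz` (or the output of `apt-get changelog openssl` saved to a file), and the installed version comes from `dpkg-query -W -f='${Version}' openssl`.

```shell
#!/bin/sh
# Added example: decide whether a Debian package already carries a backported
# CVE fix by reading its changelog, not by comparing upstream version strings.
# Real inputs: /usr/share/doc/<pkg>/changelog.Debian.gz  (shipped with the package)
#          or: apt-get changelog <pkg> > changelog.txt
# All CVE ids and changelog text below are constructed placeholders.

# Stream a changelog, transparently decompressing *.gz files.
read_changelog() {
    case "$1" in
        *.gz) gzip -dc "$1" ;;
        *)    cat "$1" ;;
    esac
}

# Print the package version whose stanza first mentions CVE id $1 in changelog $2.
# Prints nothing when the CVE is not mentioned anywhere.
cve_fix_version() {
    read_changelog "$2" | awk -v cve="$1" '
        # Stanza header: "<source> (<version>) <distribution>; urgency=<level>"
        /^[a-z0-9.+-]+ \([^)]+\) / {
            match($0, /\([^)]+\)/)
            ver = substr($0, RSTART + 1, RLENGTH - 2)
        }
        index($0, cve) { print ver; exit }
    '
}

# Exit 0 when installed version $3 contains the fix for CVE $1 per changelog $2.
# Debian changelogs list the newest stanza first, so the installed version has
# the fix when its stanza is the fixing stanza or one above it.  Unknown
# versions and unmentioned CVEs are reported as "not fixed" (conservative).
cve_fixed_in() {
    read_changelog "$2" | awk -v cve="$1" -v inst="$3" '
        /^[a-z0-9.+-]+ \([^)]+\) / {
            n++
            match($0, /\([^)]+\)/)
            ver = substr($0, RSTART + 1, RLENGTH - 2)
            if (ver == inst) inst_n = n
        }
        index($0, cve) && !fix_n { fix_n = n }
        END { exit !(inst_n && fix_n && inst_n <= fix_n) }
    '
}

# Write a constructed sample changelog (Debian format) to path $1.  The version
# strings mirror the thread; the CVE ids and maintainer line are placeholders.
write_sample_changelog() {
    cat > "$1" <<'EOF'
openssl (1.1.1n-0+deb11u4) bullseye-security; urgency=medium

  * Backport upstream fix for CVE-YYYY-0001 (placeholder id).

 -- Placeholder Maintainer <placeholder@example.invalid>  Tue, 01 Jan 2030 00:00:00 +0000

openssl (1.1.1n-0+deb11u3) bullseye-security; urgency=medium

  * Backport upstream fix for CVE-YYYY-0002 (placeholder id).

 -- Placeholder Maintainer <placeholder@example.invalid>  Mon, 01 Jan 2029 00:00:00 +0000
EOF
}
```

Inside the httpd container the real call would be `cve_fixed_in CVE-<id-from-the-scanner> /usr/share/doc/openssl/changelog.Debian.gz "$(dpkg-query -W -f='${Version}' openssl)"`; a zero exit status means the installed package's changelog records that fix at or below the installed version, which is exactly the evidence a version-only comparison misses.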
Thanks @yosifkit for the update.
Hello, is there any plan to update to OpenSSL 1.1.1t?
There are Nessus vulnerability reports hitting our servers with "OpenSSL 1.1.1 < 1.1.1t Multiple Vulnerabilities" (171079).