docker-library / httpd

Docker Official Image packaging for Apache HTTP Server
https://httpd.apache.org
Apache License 2.0

To upgrade openssl version to 1.1.1t on httpd:2.4.56 #228

Closed adadande closed 1 year ago

adadande commented 1 year ago

How can we update the OpenSSL version to OpenSSL 1.1.1t on the Apache httpd:2.4.56 Docker image?

tianon commented 1 year ago

The version of OpenSSL in this image comes from Debian -- the Debian maintainers are very proactive at applying security fixes to it (even though they don't typically apply the upstream version updates directly so the version number is still lower).

adadande commented 1 year ago

Can we reinstall OpenSSL in the Docker image via the Dockerfile with something like this?

Correct me if it's wrong.

FROM httpd:2.4.56
EXPOSE 8080 8443
# Build OpenSSL 1.1.1t from source and replace the Debian package
RUN apt update \
 && apt upgrade -y \
 && apt install -y libcap2-bin procps wget make libtext-roman-perl \
 && setcap 'cap_net_bind_service=+ep' /usr/local/apache2/bin/httpd \
 && apt -y remove openssl \
 && wget https://www.openssl.org/source/openssl-1.1.1t.tar.gz \
 && tar -xzvf openssl-1.1.1t.tar.gz \
 && cd openssl-1.1.1t \
 && ./config \
 && make install \
 && ln -sf /usr/local/ssl/bin/openssl "$(which openssl)"
# Site content, then permissions on the httpd tree
COPY dist/ /usr/local/apache2/htdocs/
RUN chmod -R 777 /usr/local/apache2/

yosifkit commented 1 year ago

We will not be installing openssl from source for the httpd image. We will continue to rely on Debian packages.

If there is a specific CVE that you want to know when the fix was backported, you can check here to see which versions have it. (Your security scanning solution should already be doing this and should not be warning you about CVEs that are already fixed; it is a false positive and should be reported to them as such)

adadande commented 1 year ago

This requirement is with respect to CVE-2023-0215: https://nvd.nist.gov/vuln/detail/CVE-2023-0215

yosifkit commented 1 year ago

It has already been fixed in Debian packages: https://security-tracker.debian.org/tracker/CVE-2023-0215. So, version 1.1.1n-0+deb11u4 in Debian Bullseye includes the fix for that particular CVE and is the one installed in the image:

$ docker run -it --rm httpd bash
Unable to find image 'httpd:latest' locally
latest: Pulling from library/httpd
f1f26f570256: Already exists
a6b093ae1967: Pull complete
6b400bbb27df: Pull complete
d9833ead928a: Pull complete
ace056404ed3: Pull complete
Digest: sha256:f3e9eb9acace5bbc13c924293d2247a65bb59b8f062bcd98cd87ee4e18f86733
Status: Downloaded newer image for httpd:latest
root@52a0b7580535:/usr/local/apache2# dpkg -l | grep openssl
ii  openssl                   1.1.1n-0+deb11u4               amd64        Secure Sockets Layer toolkit - cryptographic utility
root@52a0b7580535:/usr/local/apache2#
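The check yosifkit describes, judging a CVE by the Debian package version rather than the upstream version number, as an added example that is not code from the thread or from the docker-library project: it parses the `dpkg -l` line above, compares it with the fixed version the thread names using dpkg's own ordering rules (a port of dpkg's verrevcmp), and shows why comparing against upstream 1.1.1t instead yields the false positive. The `dpkg -l` line and the fixed version are taken from the thread; the function names are assumptions.

```python
# Constructed input: the `dpkg -l | grep openssl` line quoted in the thread above.
DPKG_OUTPUT = "ii  openssl  1.1.1n-0+deb11u4  amd64  Secure Sockets Layer toolkit - cryptographic utility"
FIXED_IN = "1.1.1n-0+deb11u4"  # bullseye version that fixes CVE-2023-0215, per the Debian tracker
def _order(c):  # dpkg's character weight: '~' < end-of-string < letters < other symbols
    if c == "~":
        return -1
    return 0 if not c or c.isdigit() else ord(c) if c.isalpha() else ord(c) + 256

def _verrevcmp(a, b):  # compare one component (upstream or revision) the way dpkg does
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        # Non-digit runs compare character by character (end-of-string outranks '~').
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac, bc = _order(a[i:i + 1]), _order(b[j:j + 1])
            if ac != bc:
                return ac - bc
            i, j = i + 1, j + 1
        # Digit runs compare numerically: leading zeros ignored, the longer run wins.
        while i < len(a) and a[i] == "0": i += 1
        while j < len(b) and b[j] == "0": j += 1
        while i < len(a) and j < len(b) and a[i].isdigit() and b[j].isdigit():
            first_diff = first_diff or ord(a[i]) - ord(b[j])
            i, j = i + 1, j + 1
        if (i < len(a) and a[i].isdigit()) or (j < len(b) and b[j].isdigit()):
            return 1 if i < len(a) and a[i].isdigit() else -1
        if first_diff:
            return first_diff
    return 0

def compare_versions(a, b):  # -1, 0 or 1 like `dpkg --compare-versions`, for [epoch:]upstream[-revision]
    def split(v):
        epoch, upstream = v.split(":", 1) if ":" in v else ("0", v)
        upstream, _, revision = upstream.rpartition("-") if "-" in upstream else (upstream, "", "")
        return int(epoch), upstream, revision
    for x, y in zip(split(a), split(b)):
        r = _verrevcmp(x, y) if isinstance(x, str) else x - y
        if r:
            return 1 if r > 0 else -1
    return 0

def installed_version(dpkg_output, package):  # version column of the `ii` row for `package`, else None
    for fields in (line.split() for line in dpkg_output.splitlines()):
        if len(fields) >= 3 and fields[0] == "ii" and fields[1] == package:
            return fields[2]
    return None

def fix_applied(dpkg_output, package, fixed_in):  # is the installed Debian package at/above the fixed version?
    installed = installed_version(dpkg_output, package)
    return installed is not None and compare_versions(installed, fixed_in) >= 0
```

A scanner that compares the installed string against upstream 1.1.1t gets -1 and flags the image, while the Debian comparison against the tracker's fixed version gives 0 and reports the CVE as patched.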