docker-library / openjdk

Docker Official Image packaging for EA builds of OpenJDK from Oracle
http://openjdk.java.net
MIT License

Security vulnerability issue #489

Closed Brucexie11 closed 2 years ago

Brucexie11 commented 2 years ago

Hi, we are using base image openjdk:latest. Our Grype scan indicated the following vulnerability issue. May I ask when the new version of openjdk will be released to fix this issue? Or is there a workaround? Thanks, Bruce Xie

FROM public.ecr.aws/docker/library/openjdk:latest

Start scanning for image '87f2536d62e372f33b656f2c2f44482ba99e96b1:latest'
NAME    INSTALLED     FIXED-IN                  VULNERABILITY   SEVERITY
gnutls  3.6.16-4.el8  10:3.6.16-4.0.1.el8_fips  ELSA-2022-9221  Medium

yosifkit commented 2 years ago

openjdk:latest (aka openjdk:17.0.2-jdk-oraclelinux8) is based on Oracle Linux 8 (slim). Those were updated just a couple days ago with https://github.com/docker-library/official-images/pull/12108 and so all official-images from them were rebuilt very recently. I've pulled the image fresh and there are not any packages to be updated even though the gnutls version appears to be the older version:

docker run -it --rm openjdk:latest bash
bash-4.4# rpm -qa | grep gnutls
gnutls-3.6.16-4.el8.x86_64
bash-4.4# microdnf upgrade -y
Downloading metadata...
Downloading metadata...
Nothing to do.
bash-4.4# 
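The two comments above disagree only because they are looking at different things: the scanner compares the installed gnutls EVR (epoch:version-release) against the FIXED-IN value from its advisory database, while microdnf only reports what the repositories configured inside the image can offer. The following script, an added example that is not part of this issue thread and not code from the openjdk image maintainers, parses a Grype text table (the sample is constructed from the row in the issue) and compares installed and fixed-in versions with a simplified rpmvercmp, so that a triager can see exactly what differs before asking for a rebuild. The function names (parse_grype_table, compare_evr, triage) are this example's own.

```python
import re

# Constructed sample, copied from the single row reported in this issue.
SCAN = """\
NAME    INSTALLED     FIXED-IN                  VULNERABILITY   SEVERITY
gnutls  3.6.16-4.el8  10:3.6.16-4.0.1.el8_fips  ELSA-2022-9221  Medium
"""

# RPM EVR: optional "epoch:", then version, then optional "-release".
EVR_RE = re.compile(r"^(?:(?P<epoch>\d+):)?(?P<version>[^-]+)(?:-(?P<release>.+))?$")


def parse_evr(evr: str):
    """Split '10:3.6.16-4.0.1.el8_fips' into (10, '3.6.16', '4.0.1.el8_fips')."""
    m = EVR_RE.match(evr.strip())
    if not m:
        raise ValueError(f"not an EVR string: {evr!r}")
    return int(m.group("epoch") or 0), m.group("version"), m.group("release") or ""


def rpmvercmp(a: str, b: str) -> int:
    """Simplified rpmvercmp: compare alphanumeric segments left to right.
    Numeric segments compare as integers, alphabetic ones lexically, and a
    numeric segment is newer than an alphabetic one at the same position."""
    if a == b:
        return 0
    sa = re.findall(r"\d+|[A-Za-z]+", a)
    sb = re.findall(r"\d+|[A-Za-z]+", b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            xi, yi = int(x), int(y)
            if xi != yi:
                return -1 if xi < yi else 1
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        elif x != y:
            return -1 if x < y else 1
    if len(sa) == len(sb):
        return 0
    return -1 if len(sa) < len(sb) else 1


def compare_evr(a: str, b: str) -> int:
    """Full EVR comparison: epoch first, then version, then release."""
    ea, va, ra = parse_evr(a)
    eb, vb, rb = parse_evr(b)
    if ea != eb:
        return -1 if ea < eb else 1
    c = rpmvercmp(va, vb)
    return c if c else rpmvercmp(ra, rb)


def parse_grype_table(text: str):
    """Parse Grype's aligned text table using the header's column offsets,
    so an empty FIXED-IN cell does not shift the remaining columns."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header = next((ln for ln in lines if ln.startswith("NAME")), None)
    if header is None:
        return []
    cols = [(m.group(), m.start()) for m in re.finditer(r"\S+", header)]
    rows = []
    for ln in lines[lines.index(header) + 1:]:
        row = {}
        for i, (name, start) in enumerate(cols):
            end = cols[i + 1][1] if i + 1 < len(cols) else len(ln)
            row[name] = ln[start:end].strip()
        rows.append(row)
    return rows


def triage(rows):
    """For each finding, record whether the installed package is really older
    than the fix and which EVR component carries the difference."""
    out = []
    for r in rows:
        inst, fixed = r["INSTALLED"], r["FIXED-IN"]
        if not fixed:  # advisory without a fixed version: nothing to compare
            out.append({"name": r["NAME"], "vuln": r["VULNERABILITY"], "fix_available": False})
            continue
        ei, vi, _ = parse_evr(inst)
        ef, vf, rf = parse_evr(fixed)
        out.append({
            "name": r["NAME"],
            "vuln": r["VULNERABILITY"],
            "fix_available": True,
            "installed_older": compare_evr(inst, fixed) < 0,
            "epoch_differs": ei != ef,
            "version_same": rpmvercmp(vi, vf) == 0,
            "fixed_release": rf,
        })
    return out


if __name__ == "__main__":
    for finding in triage(parse_grype_table(SCAN)):
        print(finding)
```

For the row in this issue the output shows the upstream version identical on both sides and the difference confined to the epoch (0 versus 10) and a release string ending in el8_fips. That is the detail to carry into a conversation with the upstream vendor: the scanner is right that the installed EVR sorts below the fixed-in one, and microdnf is right that the image's configured repositories offer nothing newer.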

Brucexie11 commented 2 years ago

yosifkit,

Do we have plan to fix it?

Thanks,

Bruce

tianon commented 2 years ago

With no package updates available, there's nothing we can do about this -- any update on this will come from Oracle.