Closed arunsai271 closed 2 years ago
Looks like `freetype` on Alpine is waiting on https://gitlab.alpinelinux.org/alpine/aports/-/issues/13777
The Debian variant is still vulnerable on the stable releases (https://security-tracker.debian.org/tracker/CVE-2022-27404). The Debian security team also considers it a minor issue.
Just installing `openjdk8-jre` from Alpine's `apk` packages is unrelated to the images maintained here.
The `openjdk:8-jre-alpine` image has not been updated in 3 years (https://github.com/docker-library/openjdk/pull/322 and https://github.com/docker-library/openjdk/issues/272).
Hi Team,
I use the openjdk8-jre Alpine image for my Java application, as you can see in the configuration below. On April-03, 2022, CVE issue https://nvd.nist.gov/vuln/detail/CVE-2022-27404#vulnCurrentDescriptionTitle was published, and I'm trying to delete the freetype package from the container, but it's not allowing it since the freetype package is a dependency of openjdk8-jre. (I get the result in snapshot 1.1 below when I try to remove it from the container.) I even tried to upgrade the freetype package to a higher version, but unfortunately freetype-2.11.1-r0 is the latest version alpine3.15.4 can support, and I am not able to upgrade to a higher version that has no vulnerability. (Please find Image 1.2 below for reference.)
Image 1.1: ![image](https://user-images.githubusercontent.com/52828333/166908094-b7a05eba-86c7-4b78-8c96-bf7d7326a539.png)
Image 1.2: ![image](https://user-images.githubusercontent.com/52828333/166908710-e6b3293c-8267-40ba-a2aa-967a9078aaff.png)
Docker File: