docker-library / openjdk

Docker Official Image packaging for EA builds of OpenJDK from Oracle
http://openjdk.java.net
MIT License

How to resolve freetype package critical vulnerability in openjdk8-jre base image? #496

Closed arunsai271 closed 2 years ago

arunsai271 commented 2 years ago

Hi Team,

I use the openjdk8-jre alpine image for my java application as you can see in the below configuration. On April-03, 2022, CVE Issue - https://nvd.nist.gov/vuln/detail/CVE-2022-27404#vulnCurrentDescriptionTitle was published and I'm trying to delete the freetype package from the container, but it's not allowing it since the freetype package is a dependency of openjdk8-jre (I get the below snapshot 1.1 result when I try to remove it from the container). I even tried to upgrade the freetype package to a higher version, but unfortunately freetype-2.11.1-r0 is the latest version alpine3.15.4 can support and I am not able to upgrade to a higher version which has no vulnerability. (Please find Image 1.2 below for reference)

[Image 1.1: screenshot, not reproduced]

[Image 1.2: screenshot, not reproduced]

Docker File:

```dockerfile
# Install openjdk8-jre with alpine:3.15.4
FROM alpine:3.15.4
RUN apk add openjdk8-jre
ENV JAVA_HOME=/usr/lib/jvm/java-1.8-openjdk

ARG JAR_FILE=target/*.jar
COPY ${JAR_FILE} test.jar
CMD ["java","-jar","test.jar"]
```

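A small check that can be run against an image built from a Dockerfile like the one above to confirm whether the installed freetype package is still below a fixed version, instead of relying on a scanner's verdict alone. This is an added example, not code from the issue or from the docker-library project: the fixed version `2.12.0-r0` is an assumed placeholder (take the real value from the Alpine tracker or aports issue linked in the thread), the `apk info -v` output is a constructed sample, and the version comparison only handles the `X.Y.Z-rN` shape that appears in the thread.

```shell
#!/bin/sh
# Compare installed Alpine package versions against a fixed version.
# Real usage: check_pkg freetype "$FREETYPE_FIXED" "$(docker run --rm IMAGE apk info -v)"

# apk_vercmp A B -> prints -1, 0 or 1 for A<B, A=B, A>B.
# Handles versions shaped like 2.11.1-r0 (dotted numeric parts, optional -rN release).
apk_vercmp() {
    a_ver=${1%-r*}; a_rel=${1##*-r}
    b_ver=${2%-r*}; b_rel=${2##*-r}
    [ "$a_rel" = "$1" ] && a_rel=0   # no -rN suffix: treat release as 0
    [ "$b_rel" = "$2" ] && b_rel=0
    i=1
    while :; do
        # Trailing dot guarantees cut sees a delimiter; missing fields read as empty.
        a_f=$(printf '%s.' "$a_ver" | cut -d. -f"$i")
        b_f=$(printf '%s.' "$b_ver" | cut -d. -f"$i")
        [ -z "$a_f" ] && [ -z "$b_f" ] && break
        a_f=${a_f:-0}; b_f=${b_f:-0}
        if [ "$a_f" -lt "$b_f" ]; then echo -1; return; fi
        if [ "$a_f" -gt "$b_f" ]; then echo 1; return; fi
        i=$((i + 1))
    done
    if [ "$a_rel" -lt "$b_rel" ]; then echo -1; return; fi
    if [ "$a_rel" -gt "$b_rel" ]; then echo 1; return; fi
    echo 0
}

# check_pkg PKG FIXED APK_INFO_OUTPUT -> prints one of:
#   "vulnerable <ver>"  installed version is older than FIXED
#   "fixed <ver>"       installed version is FIXED or newer
#   "absent"            package is not installed
# Each line of `apk info -v` is "<name>-<version>-r<rel>"; the name may itself
# contain dashes (openjdk8-jre), so split at the first "-<digit>".
check_pkg() {
    pkg=$1; fixed=$2; out=$3
    result=absent
    for line in $out; do
        name=${line%-[0-9]*}
        [ "$name" = "$pkg" ] || continue
        ver=${line#"$name-"}
        if [ "$(apk_vercmp "$ver" "$fixed")" -lt 0 ]; then
            result="vulnerable $ver"
        else
            result="fixed $ver"
        fi
    done
    echo "$result"
}

# Constructed sample of `apk info -v` from an alpine:3.15.4 + openjdk8-jre image.
# Only the freetype line mirrors the version named in the thread; the rest are made up.
SAMPLE_APK_INFO='musl-1.2.2-r7
freetype-2.11.1-r0
openjdk8-jre-base-8.302.08-r1
openjdk8-jre-8.302.08-r1'

# ASSUMED placeholder for the first freetype package version carrying the fix.
FREETYPE_FIXED=${FREETYPE_FIXED:-2.12.0-r0}

# Stand-alone run: report on the constructed sample.
printf 'freetype: %s (assumed fixed version %s)\n' \
    "$(check_pkg freetype "$FREETYPE_FIXED" "$SAMPLE_APK_INFO")" "$FREETYPE_FIXED"
```

For the "cannot remove" part of the report, `apk info -r freetype` inside the container lists the packages that require it, which shows why `apk del` refuses; rebuilding on an Alpine release whose freetype package carries the fix is the only way to change the verdict above, since a scanner keys on the installed package version.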
wglambert commented 2 years ago

Looks like freetype on Alpine is waiting on https://gitlab.alpinelinux.org/alpine/aports/-/issues/13777

The Debian variant is still vulnerable on the stable releases: https://security-tracker.debian.org/tracker/CVE-2022-27404. The Debian security team also considers it a minor issue.

yosifkit commented 2 years ago

Just installing openjdk8-jre from Alpine's apk packages is unrelated to the images maintained here.

The openjdk:8-jre-alpine image has not been updated in 3 years (https://github.com/docker-library/openjdk/pull/322 and https://github.com/docker-library/openjdk/issues/272).