OpenSSL fix for CVE-2022-1292 in Debian.

[darwinmak11]

Would a new image be released to fix CVE-2022-1292

https://github.com/advisories/GHSA-qjmp-vmxc-7p8r https://security-tracker.debian.org/tracker/CVE-2022-1292

[wglambert]

It'll get updated on its regular monthly cadence. You can also manually update the package in your image if you wanted in the meantime https://github.com/docker-library/python/issues/728#issuecomment-1132025905

Background:

Tags in the [official-images] library file[s] are only built through an update to that library file or as a result of its base image being updated (ie, an image FROM debian:buster would be rebuilt when debian:buster is built).

-https://github.com/docker-library/official-images/tree/2f086314307c04e1de77f0a515f20671e60d40bb#library-definition-files

Official Images FAQ:

Though not every CVE is removed from the images, we take CVEs seriously and try to ensure that images contain the most up-to-date packages available within a reasonable time frame

- https://github.com/docker-library/faq/tree/6138d05aabf61563606d86f98d0ccbd99f162b33#why-does-my-security-scanner-show-that-an-image-has-cves

Since our build system makes heavy use of Docker build cache, just rebuilding the all of the Dockerfiles won't cause any change. So we rely on periodic base image updates.

We strive to publish updated images at least monthly for Debian and Ubuntu. We also rebuild earlier if there is a critical security need. Many Official Images are maintained by the community or their respective upstream projects, like Alpine and Oracle Linux, and are subject to their own maintenance schedule.

- from the same FAQ link

[tianon]

https://github.com/docker-library/official-images/pull/12531 :+1: