Closed chrko closed 2 years ago
Thanks for the report! I am merging and releasing so the built-from-source have it. Once it lands upstream, I'll do another release for the built-from-package flavors.
This was released as `1.19.9.1-6`. Thanks again. When upstream is ready, I'll rebuild the pre-built images and make another release.
@neomantra Ping. I only checked Debian, but package is uploaded 👌
Thanks. It seems that the main distros `amd64` are ready, but others aren't... will check again this evening ... might make a release for just `amd64` if things haven't moved, given severity of the CVE.
| uploaded | dist | arch | pkg repo link |
|---|---|---|---|
| X | alpine | amd64 | https://openresty.org/package/alpine/v3.14/main/x86_64/ |
| X | debian | amd64 | https://openresty.org/package/debian/pool/openresty/o/openresty-openssl111/ |
| X | centos | amd64 | https://openresty.org/package/centos/8/x86_64/ |
| X | fedora | amd64 | https://openresty.org/package/fedora/34/x86_64/ |
| X | alpine | arm64 | https://openresty.org/package/alpine/v3.14/main/aarch64/ |
| X | debian | arm64 | https://openresty.org/package/arm64/debian/pool/openresty/o/openresty-openssl111/ |
| X | fedora | arm64 | https://openresty.org/package/fedora/34/aarch64/ |
| X | centos | arm64 | https://openresty.org/package/centos/8/aarch64/ |
I'm not sure of the link to see the CI/CD of these directly.
@neomantra I would appreciate a new release as I cannot see a clear timeline for the missing packages unfortunately.
Good day -- a fresh release for those `amd64` packages is in this repo's CI/CD as `1.19.9.1-7` ...
Just for you 😽 (and all the other x86 Linux OpenResty Docker users!)
Will be keeping an eye on the rest of these and ping upstream if they are still stuck after today.
I just ran a review of the latest images. Notable is that the system `libssl` is still at earlier versions. I will see if an `apt-get upgrade` fixes that (which is not done intentionally, idea being to let the base image take care of that).

From an `amd64` laptop:
```
$ for distro in bionic bullseye buster focal ; do echo "DISTRO: $distro" ; docker run --pull --rm --entrypoint=/bin/bash "openresty/openresty:1.19.9.1-7-$distro" -c "dpkg -l | grep ssl" ; done
DISTRO: bionic
ii libssl1.1:amd64 1.1.1-1ubuntu2.1~18.04.15 amd64 Secure Sockets Layer toolkit - shared libraries
ii libzstd1:amd64 1.3.3+dfsg-2ubuntu1.2 amd64 fast lossless compression algorithm
ii openssl 1.1.1-1ubuntu2.1~18.04.15 amd64 Secure Sockets Layer toolkit - cryptographic utility
DISTRO: bullseye
ii libssl1.1:amd64 1.1.1k-1+deb11u2 amd64 Secure Sockets Layer toolkit - shared libraries
ii libzstd1:amd64 1.4.8+dfsg-2.1 amd64 fast lossless compression algorithm
ii openresty-openssl111 1.1.1n-1~bullseye1 amd64 OpenSSL 1.1.1 library for use by OpenResty ONLY
ii openssl 1.1.1k-1+deb11u2 amd64 Secure Sockets Layer toolkit - cryptographic utility
DISTRO: buster
ii libssl1.1:amd64 1.1.1d-0+deb10u8 amd64 Secure Sockets Layer toolkit - shared libraries
ii libzstd1:amd64 1.3.8+dfsg-3+deb10u2 amd64 fast lossless compression algorithm
ii openresty-openssl111 1.1.1n-1~buster1 amd64 OpenSSL 1.1.1 library for use by OpenResty ONLY
ii openssl 1.1.1d-0+deb10u8 amd64 Secure Sockets Layer toolkit - cryptographic utility
DISTRO: focal
ii libssl1.1:amd64 1.1.1f-1ubuntu2.12 amd64 Secure Sockets Layer toolkit - shared libraries
ii libzstd1:amd64 1.4.4+dfsg-3ubuntu0.1 amd64 fast lossless compression algorithm
ii openssl 1.1.1f-1ubuntu2.12 amd64 Secure Sockets Layer toolkit - cryptographic utility
```
From an `arm64` laptop:
```
$ for distro in bionic bullseye buster focal ; do echo "DISTRO: $distro" ; docker run --rm --entrypoint=/bin/bash "openresty/openresty:1.19.9.1-7-$distro" -c "dpkg -l | grep ssl" ; done
DISTRO: bionic
ii libssl1.1:arm64 1.1.1-1ubuntu2.1~18.04.15 arm64 Secure Sockets Layer toolkit - shared libraries
ii libzstd1:arm64 1.3.3+dfsg-2ubuntu1.2 arm64 fast lossless compression algorithm
ii openssl 1.1.1-1ubuntu2.1~18.04.15 arm64 Secure Sockets Layer toolkit - cryptographic utility
DISTRO: bullseye
ii libssl1.1:arm64 1.1.1k-1+deb11u2 arm64 Secure Sockets Layer toolkit - shared libraries
ii libzstd1:arm64 1.4.8+dfsg-2.1 arm64 fast lossless compression algorithm
ii openresty-openssl111 1.1.1l-1~bullseye1 arm64 OpenSSL 1.1.1 library for use by OpenResty ONLY
ii openssl 1.1.1k-1+deb11u2 arm64 Secure Sockets Layer toolkit - cryptographic utility
DISTRO: buster
ii libssl1.1:arm64 1.1.1d-0+deb10u8 arm64 Secure Sockets Layer toolkit - shared libraries
ii libzstd1:arm64 1.3.8+dfsg-3+deb10u2 arm64 fast lossless compression algorithm
ii openresty-openssl111 1.1.1l-1~buster1 arm64 OpenSSL 1.1.1 library for use by OpenResty ONLY
ii openssl 1.1.1d-0+deb10u8 arm64 Secure Sockets Layer toolkit - cryptographic utility
DISTRO: focal
ii libssl1.1:arm64 1.1.1f-1ubuntu2.12 arm64 Secure Sockets Layer toolkit - shared libraries
ii libzstd1:arm64 1.4.4+dfsg-3ubuntu0.1 arm64 fast lossless compression algorithm
ii openssl 1.1.1f-1ubuntu2.12 arm64 Secure Sockets Layer toolkit - cryptographic utility
```
OK, it looks like `1.1.1k-1+deb11u2` and `1.1.1d-0+deb10u8` fix that CVE, according to this Debian Security Advisory. So we are good there. The attempt to upgrade in those packages installed nothing, as expected.
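An added example, not part of the thread or the project's tooling, that automates the check done by hand above: it parses `dpkg -l` rows like those quoted and compares each installed version against a minimum fixed version using the Debian version ordering (`~` sorts before everything including end of string, letters before non-letters, digit runs compared as integers), so a backport suffix or a `+debNuM` revision is ranked correctly. The sample rows are copied from the arm64 bullseye output above; the minimum versions are assumptions taken from the thread (the advisory version for `libssl1.1`, and `1.1.1n` for `openresty-openssl111`, the version seen in the rebuilt amd64 images).

```python
import re
from itertools import zip_longest
# Constructed sample: two of the arm64 bullseye rows quoted in the thread.
SAMPLE_DPKG_L = """\
ii libssl1.1:arm64 1.1.1k-1+deb11u2 arm64 Secure Sockets Layer toolkit - shared libraries
ii openresty-openssl111 1.1.1l-1~bullseye1 arm64 OpenSSL 1.1.1 library for use by OpenResty ONLY
"""
# Assumed minimums: the Debian advisory version named in the thread for libssl1.1,
# and 1.1.1n for OpenResty's bundled OpenSSL as seen in the rebuilt amd64 images.
MINIMUM_FIXED = {"libssl1.1": "1.1.1k-1+deb11u2", "openresty-openssl111": "1.1.1n-1~bullseye1"}

def _order(c):
    # dpkg character weight: '~' < end-of-string < letters < everything else
    return -1 if c == "~" else 0 if c == "" else ord(c) if c.isalpha() else ord(c) + 256

def _cmp_fragment(a, b):
    """dpkg ordering for one upstream/revision string: alternate non-digit runs with numeric runs."""
    while a or b:
        na, nb = re.match(r"\D*", a), re.match(r"\D*", b)
        for ca, cb in zip_longest(na.group(), nb.group(), fillvalue=""):
            if _order(ca) != _order(cb):
                return 1 if _order(ca) > _order(cb) else -1
        a, b = a[na.end():], b[nb.end():]
        da, db = re.match(r"\d*", a), re.match(r"\d*", b)
        ia, ib = int(da.group() or 0), int(db.group() or 0)
        if ia != ib:
            return 1 if ia > ib else -1
        a, b = a[da.end():], b[db.end():]
    return 0

def split_version(v):
    # '[epoch:]upstream[-revision]' -> (epoch, upstream, revision)
    epoch, _, rest = v.partition(":") if ":" in v else ("0", "", v)
    upstream, _, revision = rest.rpartition("-") if "-" in rest else (rest, "", "")
    return int(epoch), upstream, revision

def compare_versions(a, b):
    """-1, 0 or 1 under the `dpkg --compare-versions` ordering: epoch, then upstream, then revision."""
    (ea, ua, ra), (eb, ub, rb) = split_version(a), split_version(b)
    return (ea > eb) - (ea < eb) or _cmp_fragment(ua, ub) or _cmp_fragment(ra, rb)

def parse_dpkg_l(text):
    """Map package name (arch qualifier dropped) -> version for the 'ii' rows of `dpkg -l`."""
    rows = (line.split() for line in text.splitlines())
    return {f[1].split(":")[0]: f[2] for f in rows if len(f) >= 3 and f[0] == "ii"}

def audit(text, minimums):
    """Per tracked package: (installed version, True if at or above the fixed version)."""
    installed = parse_dpkg_l(text)
    return {p: (installed[p], compare_versions(installed[p], m) >= 0)
            for p, m in minimums.items() if p in installed}
```

Feed it the output of `docker run ... -c "dpkg -l | grep ssl"` per image tag and the `False` entries are the images still waiting on an upstream package.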
Upstream `arm64` packages have landed, so making new release this morning...
Released as 1.19.9.1-8
Today an OpenSSL security advisory was released: https://www.openssl.org/news/secadv/20220315.txt
Steps to provide secured images are from my perspective: