openresty / docker-openresty

Docker tooling for OpenResty
https://hub.docker.com/r/openresty/openresty
BSD 2-Clause "Simplified" License

Upgrade to OpenSSL 1.1.1n / trigger rebuild #199

Closed chrko closed 2 years ago

chrko commented 2 years ago

Today an OpenSSL security advisory was released: https://www.openssl.org/news/secadv/20220315.txt

Steps to provide secured images are from my perspective:

  1. Upgrade OpenSSL in images built from sources.
  2. Rebuild images based on prebuilt images. I created a PR in the corresponding repository: https://github.com/openresty/openresty-packaging/pull/76

neomantra commented 2 years ago

Thanks for the report! I am merging and releasing so the built-from-source images have it. Once it lands upstream, I'll do another release for the built-from-package flavors.

neomantra commented 2 years ago

This was released as 1.19.9.1-6. Thanks again. When upstream is ready, I'll rebuild the pre-built images and make another release.

chrko commented 2 years ago

@neomantra Ping. I only checked Debian, but package is uploaded 👌

neomantra commented 2 years ago

Thanks. It seems that the main distros' amd64 packages are ready, but others aren't... will check again this evening... might make a release for just amd64 if things haven't moved, given the severity of the CVE.

uploaded  dist    arch   pkg repo link
X         alpine  amd64  https://openresty.org/package/alpine/v3.14/main/x86_64/
X         debian  amd64  https://openresty.org/package/debian/pool/openresty/o/openresty-openssl111/
X         centos  amd64  https://openresty.org/package/centos/8/x86_64/
X         fedora  amd64  https://openresty.org/package/fedora/34/x86_64/
X         alpine  arm64  https://openresty.org/package/alpine/v3.14/main/aarch64/
X         debian  arm64  https://openresty.org/package/arm64/debian/pool/openresty/o/openresty-openssl111/
X         fedora  arm64  https://openresty.org/package/fedora/34/aarch64/
X         centos  arm64  https://openresty.org/package/centos/8/aarch64/

I'm not sure of the link to see the CI/CD of these directly.

chrko commented 2 years ago

@neomantra I would appreciate a new release as I cannot see a clear timeline for the missing packages unfortunately.

neomantra commented 2 years ago

Good day -- a fresh release for those amd64 packages is in this repo's CI/CD as 1.19.9.1-7... Just for you 😽 (and all the other x86 Linux OpenResty Docker users!)

Will be keeping an eye on the rest of these and ping upstream if they are still stuck after today.

neomantra commented 2 years ago

I just ran a review of the latest images. Notable is that the system libssl is still at earlier versions.

I will see if an apt-get upgrade fixes that (which is not done intentionally, idea being to let the base image take care of that).

From an amd64 laptop:

$ for distro in bionic bullseye buster focal ; do echo "DISTRO: $distro" ; docker run --pull --rm --entrypoint=/bin/bash "openresty/openresty:1.19.9.1-7-$distro" -c "dpkg -l | grep ssl" ; done
DISTRO: bionic
ii  libssl1.1:amd64             1.1.1-1ubuntu2.1~18.04.15           amd64        Secure Sockets Layer toolkit - shared libraries
ii  libzstd1:amd64              1.3.3+dfsg-2ubuntu1.2               amd64        fast lossless compression algorithm
ii  openssl                     1.1.1-1ubuntu2.1~18.04.15           amd64        Secure Sockets Layer toolkit - cryptographic utility
DISTRO: bullseye
ii  libssl1.1:amd64            1.1.1k-1+deb11u2             amd64        Secure Sockets Layer toolkit - shared libraries
ii  libzstd1:amd64             1.4.8+dfsg-2.1               amd64        fast lossless compression algorithm
ii  openresty-openssl111       1.1.1n-1~bullseye1           amd64        OpenSSL 1.1.1 library for use by OpenResty ONLY
ii  openssl                    1.1.1k-1+deb11u2             amd64        Secure Sockets Layer toolkit - cryptographic utility
DISTRO: buster
ii  libssl1.1:amd64            1.1.1d-0+deb10u8       amd64        Secure Sockets Layer toolkit - shared libraries
ii  libzstd1:amd64             1.3.8+dfsg-3+deb10u2   amd64        fast lossless compression algorithm
ii  openresty-openssl111       1.1.1n-1~buster1       amd64        OpenSSL 1.1.1 library for use by OpenResty ONLY
ii  openssl                    1.1.1d-0+deb10u8       amd64        Secure Sockets Layer toolkit - cryptographic utility
DISTRO: focal
ii  libssl1.1:amd64             1.1.1f-1ubuntu2.12                amd64        Secure Sockets Layer toolkit - shared libraries
ii  libzstd1:amd64              1.4.4+dfsg-3ubuntu0.1             amd64        fast lossless compression algorithm
ii  openssl                     1.1.1f-1ubuntu2.12                amd64        Secure Sockets Layer toolkit - cryptographic utility

From an arm64 laptop:

$ for distro in bionic bullseye buster focal ; do echo "DISTRO: $distro" ; docker run --rm --entrypoint=/bin/bash "openresty/openresty:1.19.9.1-7-$distro"  -c "dpkg -l | grep ssl" ; done
DISTRO: bionic
ii  libssl1.1:arm64             1.1.1-1ubuntu2.1~18.04.15           arm64        Secure Sockets Layer toolkit - shared libraries
ii  libzstd1:arm64              1.3.3+dfsg-2ubuntu1.2               arm64        fast lossless compression algorithm
ii  openssl                     1.1.1-1ubuntu2.1~18.04.15           arm64        Secure Sockets Layer toolkit - cryptographic utility
DISTRO: bullseye
ii  libssl1.1:arm64            1.1.1k-1+deb11u2             arm64        Secure Sockets Layer toolkit - shared libraries
ii  libzstd1:arm64             1.4.8+dfsg-2.1               arm64        fast lossless compression algorithm
ii  openresty-openssl111       1.1.1l-1~bullseye1           arm64        OpenSSL 1.1.1 library for use by OpenResty ONLY
ii  openssl                    1.1.1k-1+deb11u2             arm64        Secure Sockets Layer toolkit - cryptographic utility
DISTRO: buster
ii  libssl1.1:arm64            1.1.1d-0+deb10u8       arm64        Secure Sockets Layer toolkit - shared libraries
ii  libzstd1:arm64             1.3.8+dfsg-3+deb10u2   arm64        fast lossless compression algorithm
ii  openresty-openssl111       1.1.1l-1~buster1       arm64        OpenSSL 1.1.1 library for use by OpenResty ONLY
ii  openssl                    1.1.1d-0+deb10u8       arm64        Secure Sockets Layer toolkit - cryptographic utility
DISTRO: focal
ii  libssl1.1:arm64             1.1.1f-1ubuntu2.12                arm64        Secure Sockets Layer toolkit - shared libraries
ii  libzstd1:arm64              1.4.4+dfsg-3ubuntu0.1             arm64        fast lossless compression algorithm
ii  openssl                     1.1.1f-1ubuntu2.12                arm64        Secure Sockets Layer toolkit - cryptographic utility

neomantra commented 2 years ago

OK, it looks like 1.1.1k-1+deb11u2 and 1.1.1d-0+deb10u8 fix that CVE, according to this Debian Security Advisory. So we are good there. The attempt to upgrade in those packages installed nothing, as expected.
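The review above shows why a naive "is it 1.1.1n yet?" string check misleads: Debian backports the fix while keeping the 1.1.1k/1.1.1d upstream number, whereas the OpenResty-bundled openresty-openssl111 really does move to 1.1.1n. The following is an added example, not code from the docker-openresty project, that parses `dpkg -l` output and compares each package against a per-package minimum using dpkg's own version-ordering rules; the sample lines are constructed after the bullseye arm64 output quoted above, and the FIXED_BULLSEYE table is an assumption built from the versions named in this thread (other distros need their own table).

```python
# Constructed sample in the shape of the `dpkg -l | grep ssl` output quoted above (bullseye arm64).
SAMPLE = """\
ii  libssl1.1:arm64            1.1.1k-1+deb11u2             arm64        Secure Sockets Layer toolkit - shared libraries
ii  openresty-openssl111       1.1.1l-1~bullseye1           arm64        OpenSSL 1.1.1 library for use by OpenResty ONLY
"""
# Assumption: minimum fixed versions for bullseye as named in this thread, keyed by package name without arch.
FIXED_BULLSEYE = {"libssl1.1": "1.1.1k-1+deb11u2", "openresty-openssl111": "1.1.1n-1~bullseye1"}

def _order(c):
    # dpkg ordering of non-digits: '~' < end of string (0) < letters < everything else
    return -1 if c == "~" else (ord(c) if c.isalpha() else ord(c) + 256)

def _verrevcmp(a, b):
    # dpkg's comparison of a single component (upstream part or Debian revision)
    ia = ib = 0
    while ia < len(a) or ib < len(b):
        first_diff = 0
        while (ia < len(a) and not a[ia].isdigit()) or (ib < len(b) and not b[ib].isdigit()):
            ac = _order(a[ia]) if ia < len(a) and not a[ia].isdigit() else 0
            bc = _order(b[ib]) if ib < len(b) and not b[ib].isdigit() else 0
            if ac != bc:
                return ac - bc
            ia, ib = ia + 1, ib + 1
        while ia < len(a) and a[ia] == "0": ia += 1   # leading zeros are insignificant
        while ib < len(b) and b[ib] == "0": ib += 1
        while ia < len(a) and a[ia].isdigit() and ib < len(b) and b[ib].isdigit():
            first_diff = first_diff or ord(a[ia]) - ord(b[ib])
            ia, ib = ia + 1, ib + 1
        if ia < len(a) and a[ia].isdigit(): return 1    # the longer digit run is the larger number
        if ib < len(b) and b[ib].isdigit(): return -1
        if first_diff: return first_diff
    return 0

def compare_versions(a, b):
    """<0, 0 or >0 like `dpkg --compare-versions` on [epoch:]upstream[-revision]."""
    def split(v):
        epoch, sep, rest = v.partition(":")
        epoch = epoch if sep else "0"; rest = rest if sep else v
        upstream, sep, rev = rest.rpartition("-")
        return int(epoch), (upstream if sep else rest), (rev if sep else "")
    ea, ua, ra = split(a); eb, ub, rb = split(b)
    return (ea - eb) or _verrevcmp(ua, ub) or _verrevcmp(ra, rb)

def parse_dpkg(text):
    """Map package name (arch suffix dropped) to version for every installed ('ii') line."""
    rows = [ln.split() for ln in text.splitlines()]
    return {f[1].split(":")[0]: f[2] for f in rows if len(f) >= 3 and f[0] == "ii"}

def audit(text, fixed=FIXED_BULLSEYE):
    """{package: (installed version or None, meets minimum?)} for each package in `fixed`."""
    have = parse_dpkg(text)
    return {p: (have.get(p), p in have and compare_versions(have[p], v) >= 0) for p, v in fixed.items()}
```

Run `audit(SAMPLE)` to reproduce the thread's finding: the Debian libssl1.1 passes on its backported revision while the bundled openresty-openssl111 at 1.1.1l is flagged as behind.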

neomantra commented 2 years ago

Upstream arm64 packages have landed, so I'm making a new release this morning...

neomantra commented 2 years ago

Released as 1.19.9.1-8