Closed vihangm closed 1 year ago
Thanks for the report. I've updated the build-from-source flavors and am pushing it through CI/CD. I've also upgraded the build-from-source alpine to the latest. This push will rebuild the build-from-source so that alpine-apk will have a fresh, tagged release as well.
Unfortunately for the built-from-upstream images, they still use alpine `3.15.8`, which has OpenSSL `1.1.1t-r3` preinstalled. Running `apk upgrade libssl1.1 libcrypto1.1` explicitly does upgrade it to OpenSSL `1.1.1u-r1`, but I believe that needs to be an explicit step in the Dockerfile. Maybe it's worth running an `apk upgrade` after the `apk update` (and similarly `apt-get upgrade` for the debian/ubuntu images) to upgrade all the pre-installed packages?
Nevermind, alpine `3.15.9` was released earlier today and that upgrades the default included OpenSSL version. The newest image https://hub.docker.com/layers/openresty/openresty/alpine-apk-amd64/images/sha256-2259f28de01f85c22e32b6964254a4551c54a1d554cd4b5f1615d7497e1a09ce uses OpenSSL `1.1.1u`.
CVE-2023-2650 affects OpenSSL versions below `1.1.1u`, and the currently installed version in the docker images is `1.1.1t-r3`. The alpine-apk images should have `1.1.1u` available via `apk upgrade`. I haven't checked the other distros for availability, but it would be nice to get a new set of images that address this CVE.