openresty / docker-openresty

Docker tooling for OpenResty
https://hub.docker.com/r/openresty/openresty
BSD 2-Clause "Simplified" License

Upgrade OpenSSL to 1.1.1u #233

Closed vihangm closed 1 year ago

vihangm commented 1 year ago

CVE-2023-2650 affects OpenSSL versions below 1.1.1u, and the currently installed version in the docker images is 1.1.1t-r3.

The alpine-apk images should have 1.1.1u available via apk upgrade. I haven't checked the other distros for availability, but it would be nice to get a new set of images that address this CVE.

neomantra commented 1 year ago

Thanks for the report. I've updated the build-from-source flavors and am pushing it through CI/CD. I've also upgraded the build-from-source alpine to the latest. This push will rebuild the build-from-source so that alpine-apk will have a fresh, tagged release as well.

vihangm commented 1 year ago

Unfortunately for the built-from-upstream images, they still use alpine 3.15.8 which has OpenSSL 1.1.1t-r3 preinstalled. Running apk upgrade libssl1.1 libcrypto1.1 explicitly does upgrade it to OpenSSL 1.1.1u-r1 but I believe that needs to be an explicit step in the Dockerfile.

Maybe it's worth running an apk upgrade after the apk update (and similarly apt-get upgrade for the debian/ubuntu images) to upgrade all the pre-installed packages?

vihangm commented 1 year ago

Nevermind, alpine 3.15.9 was released earlier today and that upgrades the default included OpenSSL version.

The newest image https://hub.docker.com/layers/openresty/openresty/alpine-apk-amd64/images/sha256-2259f28de01f85c22e32b6964254a4551c54a1d554cd4b5f1615d7497e1a09ce uses OpenSSL 1.1.1u.
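The check the thread does by hand (is the libssl1.1/libcrypto1.1 package in the image at or above 1.1.1u?), as an added example that is not code from the openresty/docker-openresty repository. It assumes apk's OpenSSL 1.1.1 version scheme (patch letter plus optional -rN package revision) and a constructed sample of `apk list --installed` output; the sample's versions are the ones named in the thread.

```shell
#!/bin/sh
# Added example: flag OpenSSL 1.1.1-series apk packages older than a minimum
# release (e.g. 1.1.1u for CVE-2023-2650). Only the 1.1.1 series is handled.

# Split "1.1.1t-r3" into "t 3" and "1.1.1u" into "u 0" (letter, apk revision).
openssl_111_parts() {
    v="${1#1.1.1}"            # "t-r3" or "u"
    letter="${v%%-*}"         # patch letter before any "-rN"
    rev="${v#*-r}"            # apk package revision, if present
    [ "$rev" = "$v" ] && rev=0
    printf '%s %s\n' "$letter" "$rev"
}

# True (exit 0) when version $1 is at or above version $2.
openssl_111_at_least() {
    set -- $(openssl_111_parts "$1") $(openssl_111_parts "$2")
    a=$(printf '%d' "'$1")    # ASCII code of the patch letter, e.g. t=116
    b=$(printf '%d' "'$3")
    [ "$a" -gt "$b" ] && return 0
    [ "$a" -lt "$b" ] && return 1
    [ "$2" -ge "$4" ]         # same letter: compare apk revision
}

# Print "<pkg> <version>" for each OpenSSL 1.1 package in $2 below version $1.
# $2 is text in the shape of `apk list --installed` output.
openssl_below() {
    min="$1"
    printf '%s\n' "$2" | while read -r pkgver _rest; do
        case "$pkgver" in
            libssl1.1-*|libcrypto1.1-*) ;;
            *) continue ;;
        esac
        name="${pkgver%%-1.1.1*}"
        ver="${pkgver#"$name"-}"
        openssl_111_at_least "$ver" "$min" || printf '%s %s\n' "$name" "$ver"
    done
}

# Constructed sample, versions as reported in the thread for alpine 3.15.8.
SAMPLE_APK_LIST='libcrypto1.1-1.1.1t-r3 x86_64 {openssl} (OpenSSL) [installed]
libssl1.1-1.1.1t-r3 x86_64 {openssl} (OpenSSL) [installed]
zlib-1.2.12-r3 x86_64 {zlib} (Zlib) [installed]'

openssl_below 1.1.1u "$SAMPLE_APK_LIST"
```

Inside a real container the sample would be replaced by `apk list --installed` (or the equivalent dpkg query on the debian/ubuntu flavors), which is what a rebuild with `apk upgrade` should make come back empty.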