Please update the images in Dockerhub ? :)
Closed this issue · 4 comments
Hello
Any chance to get the images updated in the Dockerhub? It was updated 5 months ago.
2 reasons:
- PR #106 has been merged but the image is still old. Without that PR the Google authentication is blocked :(
- The portal is vulnerable to critical CVE-2022-3602. It's running a vulnerable OpenSSL tool/lib. Must be upgraded asap
Thank you
Thanks @alexku7 . A new trainingportal image was published today.
Hi @paul-ion
Unfortunately the insecure.inc image has the vulnerable openssl package with RCA vulnerability https://nvd.nist.gov/vuln/detail/CVE-2022-3602
Any chance to rebuild it as well?
Hi @alexku7,
The tomcat base image does not allow upgrade to openssl 3.0.7.
```
Building dependency tree... Done
Reading state information... Done
openssl is already the newest version (3.0.2-0ubuntu1.7).
```
However please note that tomcat does not use OpenSSL. Tomcat uses the JRE security library.
Also note that CVE-2022-3602 has been downgraded to a lower severity (7.5 High) by OpenSSL and is estimated to have limited impact on Linux systems due to stack protections. You can read more on the OpenSSL blog.