bell-sw/Liberica

Fix CVE-2023-2650 in Alpine Docker images

DaniloHeide opened this issue · 3 comments

Hi Bellsoft Team,

thanks for the Docker images you provide.
I wanted to ask if it would be possible for you to integrate the fix for CVE-2023-2650 in your Alpine Linux images (ref. alpinelinux/docker-alpine#328)?

Thanks in advance!

Seems to be resolved.
Thanks!

@DaniloHeide In my testing it doesn't appear that the Liberica docker image has been updated with the latest Alpine OpenSSL CVE fixes.

$ docker run -it bellsoft/liberica-openjdk-alpine:20
/ # apk list -I | grep libssl
...
libssl3-3.1.0-r4 x86_64 {openssl} (Apache-2.0) [installed]

Here is the latest/fixed version of the upstream alpine-3.18 image (which I believe is 3.18.2 now)

$ docker run -it alpine:3.18
Unable to find image 'alpine:3.18' locally
3.18: Pulling from library/alpine
31e352740f53: Pull complete 
Digest: sha256:82d1e9d7ed48a7523bdebc18cf6290bdb97b82302a8a9c27d4fe885949ea94d1
Status: Downloaded newer image for alpine:3.18
/ # apk list -I | grep libssl
...
libssl3-3.1.1-r1 x86_64 {openssl} (Apache-2.0) [installed]

FYI, I opened a new issue to track this: #137
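The check the previous comment does by hand (read the libssl3 line from `apk list -I`, compare it with the version the patched upstream image ships) can be scripted. The following is an added example and is not code from the issue thread or from the Liberica project. It assumes 3.1.1-r1, the version shown for the upstream alpine:3.18 image above, as the minimum acceptable version; the Alpine security database, not this thread, is the authoritative source for which release fixed CVE-2023-2650. The two sample lines are constructed to mirror the outputs quoted above so the script runs without Docker.

```shell
#!/bin/sh
# Added example (not from the Liberica project or the issue thread): compare the
# libssl3 version reported by `apk list -I` against a minimum fixed version.
# Assumption: MIN_LIBSSL is taken from the upstream alpine:3.18 output quoted in
# the thread, not from Alpine's security database. Sample lines are constructed.

MIN_LIBSSL="3.1.1-r1"   # assumed minimum: what the patched upstream image showed

# Constructed sample `apk list -I | grep libssl` output, one line per image.
SAMPLE_OLD='libssl3-3.1.0-r4 x86_64 {openssl} (Apache-2.0) [installed]'
SAMPLE_NEW='libssl3-3.1.1-r1 x86_64 {openssl} (Apache-2.0) [installed]'

# apk_line_version LINE: print the version part of an "apk list" line for
# libssl3, e.g. "3.1.1-r1". Prints nothing if the line is not a libssl3 entry.
apk_line_version() {
    case "$1" in
        libssl3-*) printf '%s\n' "$1" | sed -E 's/^libssl3-([^[:space:]]+).*/\1/' ;;
        *) printf '\n' ;;
    esac
}

# version_ge A B: succeed (exit 0) when version A >= version B.
# Relies on sort -V (GNU coreutils and BusyBox), which orders 3.1.0-r4 before
# 3.1.1-r1 and 3.1.1-r0 before 3.1.1-r1, matching apk's pkgrel ordering here.
version_ge() {
    lowest=$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)
    [ "$lowest" = "$2" ]
}

# check_libssl_line LINE: report whether the installed libssl3 meets MIN_LIBSSL.
# Returns 0 when it does, 1 when it is older, 2 when the line is not parseable.
check_libssl_line() {
    ver=$(apk_line_version "$1")
    if [ -z "$ver" ]; then
        echo "unrecognised line: $1"
        return 2
    fi
    if version_ge "$ver" "$MIN_LIBSSL"; then
        echo "ok: libssl3 $ver (>= $MIN_LIBSSL)"
        return 0
    fi
    echo "below minimum: libssl3 $ver (need >= $MIN_LIBSSL)"
    return 1
}

# Stand-alone run over the constructed samples. Against a real image you would
# feed it the live line instead, for example:
#   docker run --rm bellsoft/liberica-openjdk-alpine:20 apk list -I | grep '^libssl3-'
for line in "$SAMPLE_OLD" "$SAMPLE_NEW"; do
    check_libssl_line "$line" || true
done
```

Because the threshold is a plain string, the same functions work for any other package once the `libssl3-` prefix in `apk_line_version` is changed; `apk version` inside the container is the alternative when you only want to know whether the installed package is older than what the configured repositories offer.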