Upgrade liberica-openjdk-alpine:21 to Alpine 3.18.5 to address OpenSSL CVEs
frankgrimes97 opened this issue · 4 comments
The last published Liberica Alpine docker image appears to still be using Alpine 3.18.4:
$ docker run -it bellsoft/liberica-openjdk-alpine:21
Unable to find image 'bellsoft/liberica-openjdk-alpine:21' locally
21: Pulling from bellsoft/liberica-openjdk-alpine
579b34f0a95b: Already exists
4755b14f7226: Pull complete
5d5ba4767500: Pull complete
Digest: sha256:5c27a4ad0581897d5dcf8ccf74046c094740fc2d158bdb860cdcb61ffe11fb0b
Status: Downloaded newer image for bellsoft/liberica-openjdk-alpine:21
/ # cat /etc/alpine-release
3.18.4
Alpine 3.18.5 was recently released: https://www.alpinelinux.org/posts/Alpine-3.15.11-3.16.8-3.17.6-3.18.5-released.html
It includes fixes for the following two OpenSSL CVEs:
- https://security.alpinelinux.org/vuln/CVE-2023-5678
- https://security.alpinelinux.org/vuln/CVE-2023-5363
$ docker run -it alpine:3.18
Unable to find image 'alpine:3.18' locally
3.18: Pulling from library/alpine
2c03dbb20264: Pull complete
Digest: sha256:34871e7290500828b39e22294660bee86d966bc0017544e848dd9a255cdf59e0
Status: Downloaded newer image for alpine:3.18
/ # cat /etc/alpine-release
3.18.5
@morgion Any plans to publish a new image? Thanks!
@frankgrimes97 In January release. Meanwhile, we recommend Liberica Runtime Container which has this vulnerability addressed.
Taking a look at the Liberica Runtime Container images and there don't yet appear to be linux/arm64 versions available like there are for bellsoft/liberica-openjdk-alpine.
Are there plans to add some in the near future?
I see that the base image is now alpine-3.19.0 which has no known CVE vulnerabilities so closing this issue:
$ docker run -it --rm bellsoft/liberica-openjdk-alpine:21
Unable to find image 'bellsoft/liberica-openjdk-alpine:21' locally
21: Pulling from bellsoft/liberica-openjdk-alpine
c30352492317: Pull complete
309bdb032224: Pull complete
16e792870322: Pull complete
Digest: sha256:f6ab9bfb862755066db48d2d0cd222bcc7061228ad7cfc7bcfcfd9de74bf3fb4
Status: Downloaded newer image for bellsoft/liberica-openjdk-alpine:21
/ # cat /etc/alpine-release
3.19.0
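
Added example, not part of the issue thread or of BellSoft's tooling: the manual `cat /etc/alpine-release` check above turned into a shell gate that compares the reported release with the patched point release of its branch, as listed in the linked announcement (3.15.11, 3.16.8, 3.17.6, 3.18.5). The function names are hypothetical, and treating 3.19 and later as patched is an assumption.

```shell
#!/bin/sh
# Added example: gate on the Alpine point release of a base image.

# Patched point release per 3.x branch, from the announcement linked in
# the issue (3.15.11, 3.16.8, 3.17.6, 3.18.5). Argument: the minor number.
patched_minimum() {
    case "$1" in
        15) echo 11 ;;
        16) echo 8 ;;
        17) echo 6 ;;
        18) echo 5 ;;
        *) return 1 ;;
    esac
}

# Classify the contents of /etc/alpine-release.
# Prints patched | outdated | unknown and returns 0 | 1 | 2.
check_alpine_release() {
    # Output captured from "docker run -it" ends in CR LF, so drop whitespace.
    release=$(printf '%s' "$1" | tr -d '[:space:]')
    case "$release" in
        ''|*[!0-9.]*) echo unknown; return 2 ;;  # e.g. edge builds with a suffix
    esac
    old_ifs=$IFS; IFS=.
    set -- $release
    IFS=$old_ifs
    if [ $# -ne 3 ] || [ -z "$1" ] || [ -z "$2" ] || [ -z "$3" ] || [ "$1" -ne 3 ]; then
        echo unknown; return 2
    fi
    minor=$2 patch=$3
    # Assumption: branches after 3.18 already ship the fixed OpenSSL.
    if [ "$minor" -ge 19 ]; then echo patched; return 0; fi
    # Branches older than 3.15 are not covered by the announcement.
    min=$(patched_minimum "$minor") || { echo unknown; return 2; }
    if [ "$patch" -ge "$min" ]; then echo patched; return 0; fi
    echo outdated; return 1
}

# Read the release file from an image without starting its default command.
check_image() {
    check_alpine_release "$(docker run --rm --entrypoint cat "$1" /etc/alpine-release)"
}
```

In a pipeline, `check_image bellsoft/liberica-openjdk-alpine:21` exits non-zero when the base is behind its branch's patched release or cannot be classified.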