bell-sw/Liberica

Upgrade liberica-openjdk-alpine:21 to Alpine 3.19.1 to address OpenSSL CVEs

frankgrimes97 opened this issue · 4 comments

The last published Liberica Alpine docker image appears to still be using Alpine 3.19.1:

$ docker run -it --rm bellsoft/liberica-openjdk-alpine:21
Unable to find image 'bellsoft/liberica-openjdk-alpine:21' locally
21: Pulling from bellsoft/liberica-openjdk-alpine
c30352492317: Pull complete 
309bdb032224: Pull complete 
16e792870322: Pull complete 
Digest: sha256:f6ab9bfb862755066db48d2d0cd222bcc7061228ad7cfc7bcfcfd9de74bf3fb4
Status: Downloaded newer image for bellsoft/liberica-openjdk-alpine:21
/ # cat /etc/alpine-release 
3.19.0

Alpine 3.19.1 was recently released: https://www.alpinelinux.org/posts/Alpine-3.19.1-released.html
It includes fixes for the following three OpenSSL CVEs:

$ docker run -it --rm alpine:3.19
Unable to find image 'alpine:3.19' locally
3.19: Pulling from library/alpine
Digest: sha256:c5b1261d6d3e43071626931fc004f70149baeba2c8ec672bd4f27761f8e1ad6b
Status: Downloaded newer image for alpine:3.19
/ # cat /etc/alpine-release 
3.19.1

As a side note, liberica-runtime-container which is based on Alpaquita includes all relevant fixes:

One of the motivations for creating Alpaquita was that we update fast without waiting for some Linux distro to update their packages.

The Liberica Runtime Container images don't yet appear to be available for linux/arm64.
Are there plans to publish arm64 images in the near future?
Until then we will need to continue using bellsoft/liberica-openjdk-alpine.

@voitylov Any update on this? (I re-verified today and the published image is still on alpine-3.19.0)

Yes:

$ docker run --rm -it bellsoft/liberica-openjdk-alpine cat /etc/os-release
......
NAME="Alpine Linux"
ID=alpine
VERSION_ID=3.19.1
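
The manual check used throughout this thread can be scripted as a build gate. The following is an added example, not code from the issue or from the Liberica project; the function names are assumptions, and `check_image` needs a local docker CLI.

```shell
#!/bin/sh
# Added example: fail a build when a base image's Alpine release is below a
# required minimum. Function names are hypothetical.

# Read os-release text on stdin and print VERSION_ID without quotes.
os_release_version() {
    sed -n 's/^VERSION_ID=//p' | tr -d "\"'" | head -n 1
}

# version_ge A B: succeed when dotted numeric version A >= B.
# Suffixes such as "_alpha20240329" (edge builds) are ignored.
version_ge() {
    a=${1%%[!0-9.]*}
    b=${2%%[!0-9.]*}
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        # Drop the component just read; an exhausted version counts as 0.
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
        x=${x:-0}; y=${y:-0}
        [ "$x" -gt "$y" ] && return 0
        [ "$x" -lt "$y" ] && return 1
    done
    return 0
}

# check_image IMAGE MIN: returns 0 if new enough, 1 if too old, 2 if unreadable.
# Overriding the entrypoint runs only `cat`, whatever the image's default is.
check_image() {
    ver=$(docker run --rm --entrypoint cat "$1" /etc/os-release \
          | os_release_version) || return 2
    [ -n "$ver" ] || { echo "$1: no VERSION_ID found" >&2; return 2; }
    if version_ge "$ver" "$2"; then
        echo "$1: Alpine $ver (>= $2)"
    else
        echo "$1: Alpine $ver is older than $2" >&2
        return 1
    fi
}

# Usage: check_image bellsoft/liberica-openjdk-alpine:21 3.19.1
```

Comparing components numerically matters here: a plain string comparison would rank 3.9.x above 3.19.x.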