docker-library/httpd

To upgrade openssl version to 1.1.1t on httpd:2.4.56

adadande opened this issue · 5 comments

How can we update the OpenSSL version to OpenSSL 1.1.1t on the Apache httpd:2.4.56 Docker image?

tianon commented

The version of OpenSSL in this image comes from Debian -- the Debian maintainers are very proactive at applying security fixes to it (even though they don't typically apply the upstream version updates directly so the version number is still lower).

Can we reinstall OpenSSL on the Docker image in the Dockerfile with something like this?

Correct me if it's wrong.

```dockerfile
FROM httpd:2.4.56
EXPOSE 8080 8443
RUN apt update \
 && apt upgrade -y \
 && apt install -y libcap2-bin procps wget make libtext-roman-perl \
 && setcap 'cap_net_bind_service=+ep' /usr/local/apache2/bin/httpd \
 && apt -y remove openssl \
 && wget https://www.openssl.org/source/openssl-1.1.1t.tar.gz \
 && tar -xzvf openssl-1.1.1t.tar.gz \
 && cd openssl-1.1.1t \
 && ./config \
 && make install \
 && ln -sf /usr/local/ssl/bin/openssl "$(which openssl)"
COPY dist/ /usr/local/apache2/htdocs/
RUN chmod -R 777 /usr/local/apache2/
```

We will not be installing openssl from source for the httpd image. We will continue to rely on Debian packages.

If there is a specific CVE that you want to know when the fix was backported, you can check here to see which versions have it. (Your security scanning solution should already be doing this and should not be warning you about CVEs that are already fixed; it is a false positive and should be reported to them as such)

It has already been fixed in Debian packages: https://security-tracker.debian.org/tracker/CVE-2023-0215. So, version 1.1.1n-0+deb11u4 in Debian Bullseye includes the fix for that particular CVE and is the one installed in the image:

```console
$ docker run -it --rm httpd bash
Unable to find image 'httpd:latest' locally
latest: Pulling from library/httpd
f1f26f570256: Already exists
a6b093ae1967: Pull complete
6b400bbb27df: Pull complete
d9833ead928a: Pull complete
ace056404ed3: Pull complete
Digest: sha256:f3e9eb9acace5bbc13c924293d2247a65bb59b8f062bcd98cd87ee4e18f86733
Status: Downloaded newer image for httpd:latest
root@52a0b7580535:/usr/local/apache2# dpkg -l | grep openssl
ii  openssl                   1.1.1n-0+deb11u4               amd64        Secure Sockets Layer toolkit - cryptographic utility
root@52a0b7580535:/usr/local/apache2#
```
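The point of the thread is that a scanner must compare the installed Debian package version against the tracker's fixed version, not the upstream OpenSSL version string. The following is an added example (not code from the issue or the docker-library project) that implements Debian's version ordering the way `dpkg --compare-versions` does and applies it to the `dpkg -l` line above; the older `deb11u3` revision is a constructed sample.

```python
import re
from itertools import zip_longest

# Constructed sample input: the `dpkg -l | grep openssl` line quoted in the thread, plus an older revision made up here
DPKG_IMAGE = "ii  openssl  1.1.1n-0+deb11u4  amd64  Secure Sockets Layer toolkit - cryptographic utility"
DPKG_OLDER = "ii  openssl  1.1.1n-0+deb11u3  amd64  Secure Sockets Layer toolkit - cryptographic utility"
FIXED_IN = "1.1.1n-0+deb11u4"  # fixed version for CVE-2023-0215 from the Debian tracker link above


def _weight(c):
    # dpkg character weight: '~' sorts before end of string, letters before other characters
    return 0 if c == "" else -1 if c == "~" else ord(c) if c.isalpha() else ord(c) + 256


def _cmp_part(a, b):
    # Alternate non-digit and digit runs, as dpkg's upstream/revision comparison does
    while a or b:
        sa, sb = re.match(r"\D*", a).group(), re.match(r"\D*", b).group()
        a, b = a[len(sa):], b[len(sb):]
        for ca, cb in zip_longest(sa, sb, fillvalue=""):
            if _weight(ca) != _weight(cb):
                return -1 if _weight(ca) < _weight(cb) else 1
        da, db = re.match(r"\d*", a).group(), re.match(r"\d*", b).group()
        a, b = a[len(da):], b[len(db):]
        if int(da or 0) != int(db or 0):
            return -1 if int(da or 0) < int(db or 0) else 1
    return 0


def _split(version):
    # [epoch:]upstream[-debian_revision]; epoch defaults to 0, revision to ""
    epoch, sep, rest = version.partition(":")
    if not sep:
        epoch, rest = "0", version
    upstream, sep, revision = rest.rpartition("-")
    return int(epoch), (upstream if sep else rest), (revision if sep else "")


def compare_versions(v1, v2):
    # -1, 0 or 1, matching `dpkg --compare-versions v1 lt|eq|gt v2`
    e1, u1, r1 = _split(v1)
    e2, u2, r2 = _split(v2)
    if e1 != e2:
        return -1 if e1 < e2 else 1
    return _cmp_part(u1, u2) or _cmp_part(r1, r2)


def has_fix(dpkg_output, package, fixed_version):
    # True when the installed Debian package is at or above the tracker's fixed version
    for line in dpkg_output.splitlines():
        f = line.split()
        if len(f) >= 3 and f[0] == "ii" and f[1] == package:
            return compare_versions(f[2], fixed_version) >= 0
    return False  # package not installed
```

Note that `compare_versions("1.1.1n-0+deb11u4", "1.1.1t")` is negative even though the package carries the fix, which is exactly the false positive a version-string-only scanner produces.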