docker-library/tomcat

Please update JAVA_VERSION to 17.0.3 due to HIGH SECURITY RISK

alfonx opened this issue · 3 comments

Due to high SECURITY RISK CVE-2022-21449 in Java 17.0.2, please update all jre17 tags to use

ENV JAVA_VERSION=17.0.3

e.g. in
tomcat:10-jdk17-openjdk-buster

https://nvd.nist.gov/vuln/detail/CVE-2022-21449
https://neilmadden.blog/2022/04/19/psychic-signatures-in-java/
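A quick self-check for whether a running JVM (for example the one inside a tomcat:10-jdk17-openjdk-buster container) still has the flaw described in the linked writeup. This is an added example, not code from this repository: it mirrors the approach in the writeup by asking the JVM to verify an all-zero ECDSA signature in P1363 (raw r||s) format, which a patched build must reject; class and method names are my own.

```java
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.Signature;
import java.security.SignatureException;

public class PsychicSignatureCheck {

    /**
     * Returns true if this JVM accepts an ECDSA signature whose r and s are both zero,
     * i.e. it is missing the range check that CVE-2022-21449 is about.
     * Returns false if the signature is rejected (either verify() returns false or
     * the implementation throws SignatureException for the malformed input).
     */
    public static boolean isVulnerable() throws Exception {
        // Throwaway P-256 key; the key material itself does not matter for this test.
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("EC");
        kpg.initialize(256);
        KeyPair kp = kpg.generateKeyPair();

        // P1363 format is r || s as fixed-width integers: 32 + 32 bytes for P-256.
        // All zeros encodes r = 0, s = 0, which is outside the valid range [1, n-1].
        byte[] blankSignature = new byte[64];

        Signature verifier = Signature.getInstance("SHA256withECDSAinP1363Format");
        verifier.initVerify(kp.getPublic());
        // Constructed message; any bytes would do, the signature is bogus regardless.
        verifier.update("constructed test message".getBytes(StandardCharsets.UTF_8));
        try {
            return verifier.verify(blankSignature); // true only on an unpatched JVM
        } catch (SignatureException e) {
            return false; // rejected outright: patched behaviour
        }
    }

    public static void main(String[] args) throws Exception {
        String version = System.getProperty("java.version");
        if (isVulnerable()) {
            System.out.println(version + ": VULNERABLE - blank ECDSA signature accepted");
            System.exit(1);
        }
        System.out.println(version + ": OK - blank ECDSA signature rejected");
    }
}
```

Run it with the image's own JDK (`java PsychicSignatureCheck.java` works on JDK 11+ single-file mode); a non-zero exit code is a simple gate for a CI job that builds on these tags.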

Any of the tomcat images based on openjdk:17* will be going away since they aren't really supported by the openjdk project and so don't have any updated builds available (see docker-library/openjdk#495 and docker-library/docs#2142).

The tomcat images based on other openjdk variants will be rebuilt as soon as their base image is. e.g. the amazoncorretto-based images were all rebuilt after docker-library/official-images#12261 was merged.


@yosifkit @tianon As one of the maintainers of OpenJDK 17u upstream, could we please kindly ask you to not claim that OpenJDK 17 is not supported? It very much is upstream, but the OpenJDK project is a source-only project. Therefore, somebody will have to step up and produce builds from those supported sources (whoever that is and has access to TCK material). Claiming that OpenJDK 17 is not supported anymore is just plain wrong. See the wiki page: https://wiki.openjdk.java.net/display/JDKUpdates/JDK+17u which lists maintainers, timelines and future scheduled updates. Including links to binaries. Thanks for your time!

I'm sorry that our wording has come across poorly -- the openjdk:17 images are now-unsupported because we no longer have a reliable source of builds (as you've described). Our intention is definitely not to claim that OpenJDK 17 itself is unsupported (just that there are no officially-supported binaries available, thus no more supported images). 🙈 🙇 ❤️

Frankly, I do not see a strong future in the openjdk images unless we can get a more reliable source of vanilla builds for newer versions like 17 than what Oracle is providing. 😞

Is the wording we added to https://hub.docker.com/_/openjdk in docker-library/docs#2142 less ambiguous? I tried to write it carefully to accurately convey the (frankly somewhat complex!) situation, but would be very happy to adjust it if there's a way we can describe this more clearly.

(In this specific case, we do have jdk17-based Tomcat images on both Temurin and Corretto available.)