Rebuild 9.0/jre11/temurin-focal to pick up upstream updates and remediate `CVE-2022-37434`
mrbusche opened this issue · 2 comments
We are building images based off library/tomcat:9.0.65-jdk11-openjdk which is built from eclipse-temurin:11-jre-focal. The tomcat image in Docker hub was built 2 months ago and the eclipse-temurin:11-jre-focal image was built 20 days ago. CVE-2022-37434 for zlib has been labeled a critical CVE for 47 days.
```shell
+----------------+----------+------+----------+-------------------------+----------------------------------+------------+
| CVE            | SEVERITY | CVSS | PACKAGE  | VERSION                 | STATUS                           | PUBLISHED  |
+----------------+----------+------+----------+-------------------------+----------------------------------+------------+
| CVE-2022-37434 | critical | 9.80 | zlib     | 1:1.2.11.dfsg-2+deb11u1 | fixed in 1:1.2.11.dfsg-2+deb11u2 | 47 days    |
+----------------+----------+------+----------+-------------------------+----------------------------------+------------+
```
`tomcat:9.0.65-jdk11-openjdk` is not based on `eclipse-temurin` - it's a deprecated/removed tag based on `openjdk` (see #265). I think what you're looking for instead is probably `tomcat:9.0.65-jdk11-temurin-jammy`, `tomcat:9.0.65-jdk11-temurin-focal`, or even `tomcat:9.0.65-jdk11-temurin`?
You're 100% correct, I missed that announcement.