docker-library/tomcat

Rebuild 9.0/jre11/temurin-focal to pick up upstream updates and remediate `CVE-2022-37434`

mrbusche opened this issue · 2 comments

We are building images based off library/tomcat:9.0.65-jdk11-openjdk which is built from eclipse-temurin:11-jre-focal. The tomcat image in Docker Hub was built 2 months ago and the eclipse-temurin:11-jre-focal image was built 20 days ago.

CVE-2022-37434 for zlib has been labeled a critical CVE for 47 days.

```shell
+----------------+----------+------+----------+-------------------------+----------------------------------+------------+
|      CVE       | SEVERITY | CVSS | PACKAGE  |         VERSION         |              STATUS              | PUBLISHED  |
+----------------+----------+------+----------+-------------------------+----------------------------------+------------+
| CVE-2022-37434 | critical | 9.80 | zlib     | 1:1.2.11.dfsg-2+deb11u1 | fixed in 1:1.2.11.dfsg-2+deb11u2 | 47 days    |
+----------------+----------+------+----------+-------------------------+----------------------------------+------------+
```
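
As an added example, not code from this issue or from the docker-library/tomcat project: the script below parses the scanner table above (embedded as constructed input) and re-implements the version ordering used by `dpkg --compare-versions`, so a build pipeline can confirm from the installed and "fixed in" versions whether an image still carries the unpatched zlib instead of relying on the severity label alone.

```python
import re

# Constructed input: the scanner table quoted in the issue, embedded so the check runs offline.
SCAN_REPORT = """\
+----------------+----------+------+----------+-------------------------+----------------------------------+------------+
|      CVE       | SEVERITY | CVSS | PACKAGE  |         VERSION         |              STATUS              | PUBLISHED  |
+----------------+----------+------+----------+-------------------------+----------------------------------+------------+
| CVE-2022-37434 | critical | 9.80 | zlib     | 1:1.2.11.dfsg-2+deb11u1 | fixed in 1:1.2.11.dfsg-2+deb11u2 | 47 days    |
+----------------+----------+------+----------+-------------------------+----------------------------------+------------+
"""

# One data row: CVE | severity | CVSS | package | installed version | "fixed in <version>" ...
ROW = re.compile(r"^\|\s*(CVE-\S+)\s*\|[^|]*\|[^|]*\|\s*(\S+)\s*\|\s*(\S+)\s*\|\s*fixed in (\S+)", re.M)

def _order(c):
    # dpkg character weight for a non-digit: '~' sorts below everything (even end of string), then letters.
    return -1 if c == "~" else ord(c) if c.isalpha() else ord(c) + 256

def _verrevcmp(a, b):
    # dpkg's rule for the upstream/revision parts: walk alternating non-digit and digit runs;
    # non-digit runs compare by character weight (end of string weighs 0), digit runs numerically.
    while a or b:
        na, nb = re.match(r"\D*", a).group(), re.match(r"\D*", b).group()
        ka, kb = [_order(c) for c in na] + [0], [_order(c) for c in nb] + [0]
        if ka != kb:
            return -1 if ka < kb else 1
        a, b = a[len(na):], b[len(nb):]
        da, db = re.match(r"\d*", a).group(), re.match(r"\d*", b).group()
        a, b = a[len(da):], b[len(db):]
        da, db = da.lstrip("0"), db.lstrip("0")
        if da != db:
            return -1 if (len(da), da) < (len(db), db) else 1
    return 0

def compare_versions(a, b):
    """-1, 0 or 1 in the order `dpkg --compare-versions` uses: epoch, then upstream, then revision."""
    def split(v):
        epoch, _, rest = v.partition(":") if ":" in v else ("0", "", v)
        upstream, _, revision = rest.rpartition("-") if "-" in rest else (rest, "", "")
        return int(epoch), upstream, revision
    (ea, ua, ra), (eb, ub, rb) = split(a), split(b)
    return (ea > eb) - (ea < eb) or _verrevcmp(ua, ub) or _verrevcmp(ra, rb)

def still_vulnerable(text):
    """Rows whose installed version sorts below the 'fixed in' version: (cve, package, installed, fixed)."""
    return [(cve, pkg, have, fix) for cve, pkg, have, fix in ROW.findall(text)
            if compare_versions(have, fix) < 0]
```

Rows whose status is not "fixed in <version>" are skipped, since there is no fix version to compare against.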

tomcat:9.0.65-jdk11-openjdk is not based on eclipse-temurin - it's a deprecated/removed tag based on openjdk (see #265)

I think what you're looking for instead is probably tomcat:9.0.65-jdk11-temurin-jammy, tomcat:9.0.65-jdk11-temurin-focal, or even tomcat:9.0.65-jdk11-temurin?

You're 100% correct, I missed that announcement.