Security vulnerabilities
The openjdk8-jre-alpine Docker image uses Alpine 3.5: https://github.com/folio-org/folio-tools/blob/76aa61f/folio-java-docker/openjdk8/Dockerfile.openjdk8-jre-alpine
Alpine 3.5 is out of support since 2018-11-01, no security updates:
https://wiki.alpinelinux.org/wiki/Alpine_Linux:Releases
Alpine 3.5 uses linux-vanilla 4.4.59-r1 that has more than 150 known security vulnerabilities: https://www.cvedetails.com/version/221677/Linux-Linux-Kernel-4.4.59.html
Alpine 3.5 uses openjdk8 8.191 that has more than 25 security vulnerabilities: https://pkgs.alpinelinux.org/packages?name=openjdk8&branch=v3.5 https://openjdk.java.net/groups/vulnerability/advisories/2019-10-15 https://openjdk.java.net/groups/vulnerability/advisories/2019-07-16 https://openjdk.java.net/groups/vulnerability/advisories/2019-04-16
Alpine 3.5 uses curl 7.61.1 that has 10 known security vulnerabilities: https://curl.haxx.se/docs/vuln-7.61.1.html
Alpine 3.5 uses busybox 1.25.1. that has 2 known security vulnerabilities: https://www.cvedetails.com/version/257068/Busybox-Busybox-1.25.1.html
Solution
It was decided (see
FOLIO-1722
Closed
) that openjdk8-jre-alpine Docker image has reached end of life and all modules should switch to alpine-jre-openjdk8 Docker image that does not have known vulnerabilities: https://github.com/folio-org/folio-tools/blob/6118b46/folio-java-docker/openjdk8/Dockerfile.alpine-jre-openjdk8
Open tasks
A) Add End of Life notices and upgrade notes to
B) After all modules have switched to alpine-jre-openjdk8 and FOLIO Edelweiss has been released remove openjdk8-jre-alpine from
|