| Issue: | [FOLIO-3611] Rebuild folioci/alpine-jre-openjdk11 and folioci/alpine-jre-openjdk17 (expat CVE-2022-43680) |
| Created: | 11/Oct/22 |
| Updated: | 09/Nov/22 |
| Resolved: | 09/Nov/22 |
| Status: | Closed |
| Project: | FOLIO |
| Components: | None |
| Affects versions: | None |
| Fix versions: | None |
| Type: | Task |
| Priority: | P2 |
| Reporter: | David Crossley |
| Assignee: | David Crossley |
| Resolution: | Done |
| Votes: | 0 |
| Labels: | security |
| Remaining Estimate: | Not Specified |
| Time Spent: | Not Specified |
| Original estimate: | Not Specified |
| Issue links: | |
| Sprint: | DevOps Sprint 152 |
| Development Team: | FOLIO DevOps |
| RCA Group: | Related dependency upgrade |
| Description |

Rebuild folioci/alpine-jre-openjdk11 and folioci/alpine-jre-openjdk17.

The container upgrade automatically upgrades expat from 2.4.9-r0 to 2.5.0-r0, fixing a use-after-free vulnerability in out-of-memory situations:

The container upgrade automatically upgrades curl from 7.83.1-r3 to 7.83.1-r4, fixing an HTTP proxy double-free and an HSTS bypass via IDN and POST-following-PUT confusion:

Scan results:

The Dockerfile already contains "apk upgrade", so no change to the Dockerfile is needed to get the fix; only a rebuild of the alpine-jre-openjdk container is needed.
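A version check for the rebuilt images, added here as an example and not part of the ticket or of the FOLIO build: it parses `apk info -v` output taken from the image (assumed to be one `name-version` line per package) and confirms that expat and curl are at or above the fixed Alpine 3.16 versions, which is the verification the comments do by eye. The sample output is constructed, and the version comparison is a simplified form of apk's.

```python
"""Check that an Alpine-based image carries the fixed package versions
(expat 2.5.0-r0, curl 7.83.1-r4 on Alpine 3.16) after a rebuild."""
import re

# Minimum versions that carry the fixes (from the issue description).
REQUIRED = {"expat": "2.5.0-r0", "curl": "7.83.1-r4"}

# Constructed sample of `apk info -v` output ("name-version" per line);
# a real run would feed: docker run --rm IMAGE apk info -v
SAMPLE_APK_INFO = """\
alpine-baselayout-3.2.0-r23
expat-2.5.0-r0
curl-7.83.1-r4
"""

# Package names may contain hyphens, so the version starts at the first
# hyphen-separated component that begins with a digit.
_LINE_RE = re.compile(r"^(?P<name>.+?)-(?P<ver>\d[^-]*(?:-r\d+)?)$")


def parse_apk_info(text):
    """Map package name -> version from `apk info -v` output."""
    installed = {}
    for line in text.splitlines():
        m = _LINE_RE.match(line.strip())
        if m:
            installed[m.group("name")] = m.group("ver")
    return installed


def version_key(version):
    """Sortable key for an Alpine version such as '7.83.1-r4'. Simplified:
    numeric components as integers, then the -rN package release; pre-release
    suffixes such as _rc are not ranked lower than the bare version."""
    main, release = re.fullmatch(r"(.*?)(?:-r(\d+))?", version).groups()
    return tuple(int(n) for n in re.findall(r"\d+", main)), int(release or 0)


def check_packages(apk_info_text, required=REQUIRED):
    """Return {package: problem} for required packages that are missing or
    older than the fixed version; an empty dict means the image is good."""
    installed = parse_apk_info(apk_info_text)
    problems = {}
    for pkg, minimum in required.items():
        have = installed.get(pkg)
        if have is None:
            problems[pkg] = "not installed"
        elif version_key(have) < version_key(minimum):
            problems[pkg] = f"installed {have} < required {minimum}"
    return problems
```

Running `check_packages` on the output of a freshly built image before pushing it would have caught the state described in the first comment, where expat was already at the fixed version but curl was not.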
| Comments |
| Comment by David Crossley [ 08/Nov/22 ] |

Built on the Jenkins host and pushed as "alpine-jre-openjdk17:2.0.5" and "latest". The built "alpine-jre-openjdk11" does have the expected "expat" version, but not yet the expected "curl" version, so I will build again soon.

| Comment by Julian Ladisch [ 08/Nov/22 ] |

David Crossley: Sorry, I incorrectly posted curl 7.86.0-r1 as the fixed version, but 7.86.0-r1 is the curl version for Alpine edge. We use Alpine 3.16, so curl 7.83.1-r4 is the fixed curl version; it was published on 2022-10-26. I've corrected the issue description.

| Comment by David Crossley [ 08/Nov/22 ] |

Ah yes, thanks, that is the version. Will deploy tomorrow.

| Comment by David Crossley [ 09/Nov/22 ] |

Built on the Jenkins host and pushed as "alpine-jre-openjdk11:1.3.8" and "latest".

| Comment by Julian Ladisch [ 09/Nov/22 ] |

Thank you!