<!-- 
RSS generated by JIRA (1001.0.0-SNAPSHOT#100246-sha1:7a5c50119eb0633d306e14180817ddef5e80c75d) at Thu Feb 08 23:29:24 UTC 2024

It is possible to restrict the fields that are returned in this document by specifying the 'field' parameter in your request.
For example, to request only the issue key and summary add field=key&field=summary to the URL of your request.
-->
<rss version="0.92" >
<channel>
    <title>FOLIO Jira</title>
    <link>https://folio-org.atlassian.net</link>
    <description>This file is an XML representation of an issue</description>
    <language>en-us</language>    <build-info>
        <version>1001.0.0-SNAPSHOT</version>
        <build-number>100246</build-number>
        <build-date>07-02-2024</build-date>
    </build-info>

<item>
            <title>[FOLIO-3611] Rebuild folioci/alpine-jre-openjdk11 and folioci/alpine-jre-openjdk17 (expat CVE-2022-43680)</title>
                <link>https://folio-org.atlassian.net/browse/FOLIO-3611</link>
                <project id="10290" key="FOLIO">FOLIO</project>
                    <description>&lt;p&gt;Rebuild folioci/alpine-jre-openjdk11 and folioci/alpine-jre-openjdk17.&lt;br/&gt;
&#160;&lt;br/&gt;
These are the base Docker containers to support Java-based back-end FOLIO modules.&lt;/p&gt;
&lt;ul&gt;
	&lt;li&gt;&lt;a href=&quot;https://github.com/folio-org/folio-tools/tree/master/folio-java-docker/openjdk11&quot; class=&quot;external-link&quot; rel=&quot;nofollow noreferrer&quot;&gt;https://github.com/folio-org/folio-tools/tree/master/folio-java-docker/openjdk11&lt;/a&gt;&lt;/li&gt;
	&lt;li&gt;&lt;a href=&quot;https://github.com/folio-org/folio-tools/tree/master/folio-java-docker/openjdk17&quot; class=&quot;external-link&quot; rel=&quot;nofollow noreferrer&quot;&gt;https://github.com/folio-org/folio-tools/tree/master/folio-java-docker/openjdk17&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;


&lt;p&gt;The container upgrade automatically upgrades expat from 2.4.9-r0 to 2.5.0-r0, fixing a use-after-free vulnerability in out-of-memory situations:&lt;br/&gt;
&lt;a href=&quot;https://nvd.nist.gov/vuln/detail/CVE-2022-43680&quot; class=&quot;external-link&quot; rel=&quot;nofollow noreferrer&quot;&gt;https://nvd.nist.gov/vuln/detail/CVE-2022-43680&lt;/a&gt;&lt;br/&gt;
Note that the JRE uses expat, so Java code might actually be affected.&lt;/p&gt;

&lt;p&gt;The container upgrade automatically upgrades curl from 7.83.1-r3 to 7.83.1-r4, fixing an HTTP proxy double-free, an HSTS bypass via IDN, and a POST-following-PUT confusion:&lt;br/&gt;
&lt;a href=&quot;https://nvd.nist.gov/vuln/detail/CVE-2022-42915&quot; class=&quot;external-link&quot; rel=&quot;nofollow noreferrer&quot;&gt;https://nvd.nist.gov/vuln/detail/CVE-2022-42915&lt;/a&gt;&lt;br/&gt;
&lt;a href=&quot;https://nvd.nist.gov/vuln/detail/CVE-2022-42916&quot; class=&quot;external-link&quot; rel=&quot;nofollow noreferrer&quot;&gt;https://nvd.nist.gov/vuln/detail/CVE-2022-42916&lt;/a&gt;&lt;br/&gt;
&lt;a href=&quot;https://nvd.nist.gov/vuln/detail/CVE-2022-32221&quot; class=&quot;external-link&quot; rel=&quot;nofollow noreferrer&quot;&gt;https://nvd.nist.gov/vuln/detail/CVE-2022-32221&lt;/a&gt;&lt;br/&gt;
&lt;a href=&quot;https://git.alpinelinux.org/aports/tree/main/curl/APKBUILD?h=3.16-stable&quot; class=&quot;external-link&quot; rel=&quot;nofollow noreferrer&quot;&gt;https://git.alpinelinux.org/aports/tree/main/curl/APKBUILD?h=3.16-stable&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Scan results:&lt;br/&gt;
&lt;a href=&quot;https://trivy.dev/results/?image=folioci/alpine-jre-openjdk11:1.3.7&quot; class=&quot;external-link&quot; rel=&quot;nofollow noreferrer&quot;&gt;https://trivy.dev/results/?image=folioci/alpine-jre-openjdk11:1.3.7&lt;/a&gt;&lt;br/&gt;
&lt;a href=&quot;https://trivy.dev/results/?image=folioci/alpine-jre-openjdk17:2.0.4&quot; class=&quot;external-link&quot; rel=&quot;nofollow noreferrer&quot;&gt;https://trivy.dev/results/?image=folioci/alpine-jre-openjdk17:2.0.4&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;The Dockerfile already contains &quot;apk upgrade&quot;, so no change to the Dockerfile is needed to get the fix; only a rebuild of the alpine-jre-openjdk container is needed.&lt;/p&gt;</description>
                <environment></environment>
        <key id="82357">FOLIO-3611</key>
            <summary>Rebuild folioci/alpine-jre-openjdk11 and folioci/alpine-jre-openjdk17 (expat CVE-2022-43680)</summary>
                <type id="10003" iconUrl="https://folio-org.atlassian.net/rest/api/2/universal_avatar/view/type/issuetype/avatar/10318?size=medium">Task</type>
                                            <priority id="10001" iconUrl="https://dev.folio.org/assets/jira-priority/jira-p2.svg">P2</priority>
                        <status id="6" iconUrl="https://folio-org.atlassian.net/images/icons/statuses/closed.png" description="The issue is considered finished, the resolution is correct. Issues which are closed can be reopened.">Closed</status>
                    <statusCategory id="3" key="done" colorName="green"/>
                                    <resolution id="10003">Done</resolution>
                                                        <assignee accountid="61cd0ca0bce5e00069e98be7">David Crossley</assignee>
                                                                <reporter accountid="61cd0ca0bce5e00069e98be7">David Crossley</reporter>
                                    <labels>
                            <label>security</label>
                    </labels>
                <created>Tue, 11 Oct 2022 06:09:03 +0000</created>
                <updated>Wed, 9 Nov 2022 09:49:14 +0000</updated>
                            <resolved>Wed, 9 Nov 2022 03:30:47 +0000</resolved>
                                                                        <due></due>
                            <votes>0</votes>
                                    <watches>2</watches>
                                                                <comments>
                                                            <comment id="198247" author="61cd0ca0bce5e00069e98be7" created="Tue, 8 Nov 2022 06:00:05 +0000"  >&lt;p&gt;Built on jenkins host and pushed as &quot;alpine-jre-openjdk17:2.0.5&quot; and &quot;latest&quot;.&lt;br/&gt;
Verified that this does have the expected &quot;expat&quot; version.&lt;/p&gt;

&lt;p&gt;The built &quot;alpine-jre-openjdk11&quot; does have the expected &quot;expat&quot; version, but not yet the expected &quot;curl&quot; version. So will build again soon.&lt;/p&gt;</comment>
                                                            <comment id="198249" author="5ee89462f7aa140abd82d11d" created="Tue, 8 Nov 2022 09:19:47 +0000"  >&lt;p&gt;&lt;a href=&quot;https://folio-org.atlassian.net/secure/ViewProfile.jspa?accountId=61cd0ca0bce5e00069e98be7&quot; class=&quot;user-hover&quot; rel=&quot;61cd0ca0bce5e00069e98be7&quot; data-account-id=&quot;61cd0ca0bce5e00069e98be7&quot; accountid=&quot;61cd0ca0bce5e00069e98be7&quot; rel=&quot;noreferrer&quot;&gt;David Crossley&lt;/a&gt;: Sorry, I&apos;ve incorrectly posted curl 7.86.0-r1 as the fixed version, but 7.86.0-r1 is the curl version for Alpine edge. We use Alpine 3.16 so curl 7.83.1-r4 is the fixed curl version, this has been published on 2022-10-26. I&apos;ve corrected the issue description.&lt;/p&gt;</comment>
                                                            <comment id="198250" author="61cd0ca0bce5e00069e98be7" created="Tue, 8 Nov 2022 11:06:37 +0000"  >&lt;p&gt;Ah yes, thanks, that is the version. Will deploy tomorrow.&lt;/p&gt;</comment>
                                                            <comment id="198252" author="61cd0ca0bce5e00069e98be7" created="Wed, 9 Nov 2022 03:30:32 +0000"  >&lt;p&gt;Built on jenkins host and pushed as &quot;alpine-jre-openjdk11:1.3.8&quot; and &quot;latest&quot;.&lt;br/&gt;
Verified that this does have the expected &quot;expat&quot; version and &quot;curl&quot; version.&lt;/p&gt;</comment>
                                                            <comment id="198253" author="5ee89462f7aa140abd82d11d" created="Wed, 9 Nov 2022 09:49:14 +0000"  >&lt;p&gt;Thank you!&lt;/p&gt;</comment>
                    </comments>
                <issuelinks>
                            <issuelinktype id="10003">
                    <name>Relates</name>
                                            <outwardlinks description="relates to">
                                        <issuelink>
            <issuekey id="82339">FOLIO-3635</issuekey>
        </issuelink>
                            </outwardlinks>
                                                        </issuelinktype>
                    </issuelinks>
                <attachments>
                    </attachments>
                <subtasks>
                    </subtasks>
                <customfields>
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                <customfield id="customfield_10000" key="com.atlassian.jira.plugins.jira-development-integration-plugin:devsummarycf">
                        <customfieldname>Development</customfieldname>
                        <customfieldvalues>
                            
                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_10057" key="com.atlassian.jira.plugin.system.customfieldtypes:select">
                        <customfieldname>Development Team</customfieldname>
                        <customfieldvalues>
                                <customfieldvalue key="10155"><![CDATA[FOLIO DevOps]]></customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                <customfield id="customfield_10063" key="com.atlassian.jira.plugin.system.customfieldtypes:float">
                        <customfieldname>PO Rank</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>0.0</customfieldvalue>
                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                    <customfield id="customfield_10106" key="com.atlassian.jira.plugin.system.customfieldtypes:select">
                        <customfieldname>RCA Group</customfieldname>
                        <customfieldvalues>
                                <customfieldvalue key="10385"><![CDATA[Related dependency upgrade]]></customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                                            <customfield id="customfield_10019" key="com.pyxis.greenhopper.jira:gh-lexo-rank">
                        <customfieldname>Rank</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>0|i05ker:</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    <customfield id="customfield_10020" key="com.pyxis.greenhopper.jira:gh-sprint">
                        <customfieldname>Sprint</customfieldname>
                        <customfieldvalues>
                                <customfieldvalue id="2011">DevOps Sprint 152</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        <customfield id="customfield_10024" key="com.atlassian.jira.ext.charting:firstresponsedate">
                        <customfieldname>[CHART] Date of First Response</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>Tue, 8 Nov 2022 09:19:47 +0000</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_10025" key="com.atlassian.jira.ext.charting:timeinstatus">
                        <customfieldname>[CHART] Time in Status</customfieldname>
                        <customfieldvalues>
                            
                        </customfieldvalues>
                    </customfield>
                                    </customfields>
    </item>
</channel>
</rss>