liberica-openjdk-alpine:21 contains high CVEs #205

Open
ms-semarchy opened this issue Feb 18, 2025 · 1 comment

@ms-semarchy

The liberica-openjdk-alpine:21 image (and I assume other images) still contains high CVEs that Alpine fixed recently (3.21.3):

$ grype bellsoft/liberica-openjdk-alpine:21 --scope all-layers
 ✔ Vulnerability DB                [updated]  
 ✔ Pulled image                    
 ✔ Loaded image                    bellsoft/liberica-openjdk-alpine:21
 ✔ Parsed image                    sha256:02cd6b0a2edbe069d2755012a490de09a2806429b7b9a5cc804aa685884686ef
 ✔ Cataloged contents              27df1be0dd4f9af8e708f3954fd1c985e96309a73e3f562afce9e0e927083a2c
   ├── ✔ Packages                        [17 packages]  
   ├── ✔ File digests                    [227 files]  
   ├── ✔ File metadata                   [227 locations]  
   └── ✔ Executables                     [113 executables]  
 ✔ Scanned for vulnerabilities     [6 vulnerability matches]  
   ├── by severity: 0 critical, 4 high, 2 medium, 0 low, 0 negligible
   └── by status:   6 fixed, 0 not-fixed, 0 ignored 
NAME        INSTALLED  FIXED-IN  TYPE  VULNERABILITY   SEVERITY 
libcrypto3  3.3.2-r4   3.3.3-r0  apk   CVE-2024-12797  High      
libcrypto3  3.3.2-r4   3.3.2-r5  apk   CVE-2024-13176  Medium    
libssl3     3.3.2-r4   3.3.3-r0  apk   CVE-2024-12797  High      
libssl3     3.3.2-r4   3.3.2-r5  apk   CVE-2024-13176  Medium    
musl        1.2.5-r8   1.2.5-r9  apk   CVE-2025-26519  High      
musl-utils  1.2.5-r8   1.2.5-r9  apk   CVE-2025-26519  High

More generally, is there a way we can get images that are more up-to-date with Alpine upstream, or is this the desired behavior?

@morgion
Collaborator

morgion commented Feb 20, 2025

Thanks for pointing this out. New images based on Alpine 3.21.3 have been pushed to the Docker Hub, GitHub and Azure registries.
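
A check that a consumer of the image could run over scan output like the table in this issue, given here as an added example that is not part of the thread or the project's code: it splits grype's table at the header's column offsets and lists packages at or above a severity floor for which a fixed version is already published. The function names and the severity floor are assumptions of this example.

```python
import re

SEVERITY_RANK = {"Negligible": 0, "Low": 1, "Medium": 2, "High": 3, "Critical": 4}

# Table copied from the grype run in this issue (trailing padding trimmed).
SAMPLE = """\
NAME        INSTALLED  FIXED-IN  TYPE  VULNERABILITY   SEVERITY
libcrypto3  3.3.2-r4   3.3.3-r0  apk   CVE-2024-12797  High
libcrypto3  3.3.2-r4   3.3.2-r5  apk   CVE-2024-13176  Medium
libssl3     3.3.2-r4   3.3.3-r0  apk   CVE-2024-12797  High
libssl3     3.3.2-r4   3.3.2-r5  apk   CVE-2024-13176  Medium
musl        1.2.5-r8   1.2.5-r9  apk   CVE-2025-26519  High
musl-utils  1.2.5-r8   1.2.5-r9  apk   CVE-2025-26519  High
"""


def parse_table(text):
    """Split rows at the header's column offsets, so an empty FIXED-IN
    cell (no fix published) does not shift the later fields."""
    lines = [line for line in text.splitlines() if line.strip()]
    cols = [(m.group().lower(), m.start()) for m in re.finditer(r"\S+", lines[0])]
    ends = [start for _, start in cols[1:]] + [None]
    return [
        {name: line[start:end].strip() for (name, start), end in zip(cols, ends)}
        for line in lines[1:]
    ]


def fixable(rows, min_severity="High"):
    """Map package -> (installed, fixed versions, CVEs) for findings at or
    above min_severity that already have a fixed package version."""
    floor = SEVERITY_RANK[min_severity]
    out = {}
    for r in rows:
        if not r["fixed-in"] or SEVERITY_RANK.get(r["severity"], 0) < floor:
            continue
        entry = out.setdefault(r["name"], (r["installed"], set(), set()))
        entry[1].add(r["fixed-in"])
        entry[2].add(r["vulnerability"])
    return out


if __name__ == "__main__":
    for pkg, (installed, fixed, cves) in sorted(fixable(parse_table(SAMPLE)).items()):
        print(f"{pkg} {installed} -> {', '.join(sorted(fixed))}  ({', '.join(sorted(cves))})")
```

A non-empty result means the image ships packages older than a fix that is already available, which is the condition this issue reports.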
