New medium priority openssl vulnerability: CVE-2022-2097 #261
Comments
Is there any update on this issue?
@MarekKosinski updating affected packages in Dockerfile may help
FWIW, there is a new "edge" tag (
@erikgb actually switching from https to http repositories helps somehow
@kyberorg But doesn't that change make you vulnerable to MITM attacks, at least theoretically? Thanks for the info anyway!
FWIW, this might have been "medium" at some point but is now being reported as "high".
This does work but it is using the edge repository:
Hi @MarekKosinski, your suggestion fixed my issue. Thanks.
The OS patch just dropped; the new image should be imminent
Yes, the image should provide this latest version.
3.16.1 is available on DockerHub
@keithmattix still seeing the same issue in 3.16.1.
@sshuklao I can confirm. Trivy gives the same results.
@sshuklao That's a separate vuln. Compare the 3.16.0 snyk report with the 3.16.1 snyk report
@sshuklao @keithmattix The one about awk, CVE-2022-30065, has an open issue here: #264. But it is still true that the 3.16.1 release notes are claiming to fix that vulnerability, and it doesn't seem to be fixed.
Ah, yep; I didn't check the CVE link. Looks like 3.16.1 is still affected
There is a new vulnerability being reported by azure/container-scan and trivy on our builds: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2097
Also flagged by Snyk at: https://snyk.io/test/docker/alpine:3.16.0
I cannot find any workarounds. Looks like the alpine package for openssl needs to be updated with a fixed version of openssl first.