
Republish eclipse-temurin (ubuntu focal) images to incorporate openssl vulnerabilities fixes #16225

Closed
kaleemullah opened this issue Feb 11, 2024 · 8 comments

Comments

@kaleemullah

Problem

eclipse-temurin/11-focal image contains openssl (1.1.1f-1ubuntu2.20) package which has vulnerabilities:

[Screenshot (2024-02-11) of the scanner's findings for the image; image not included in the text.]

Potential Solution:

Ubuntu has already published the fix:
https://launchpad.net/ubuntu/+source/openssl/1.1.1f-1ubuntu2.21

So, most probably, eclipse-temurin (ubuntu focal) related images (https://github.com/docker-library/official-images/blob/master/library/eclipse-temurin) need to be republished to docker hub.

@kaleemullah
Author

kaleemullah commented Feb 11, 2024

@gdams @sxa (maintainers) Can you please look into this issue? Thank you.

@sxa
Contributor

sxa commented Feb 11, 2024

Since these are official images I believe the rebuilds should be taken care of automatically by Docker Hub.

@kaleemullah
Author

Thanks. I'm not aware of the rebuild process on Docker Hub, but if it's automatic then it should have been rebuilt by now.

@sxa
Contributor

sxa commented Feb 12, 2024

The base Ubuntu image does not include the openssl package so it likely won't get regenerated for us as it hasn't technically had an update.

@tianon @yosifkit @gdams is there a way, other than a "null change" that we can force a rebuild of our image to pick up the latest openssl?

@yosifkit
Member

From our FAQ:

Though not every CVE is removed from the images, we take CVEs seriously and try to ensure that images contain the most up-to-date packages available within a reasonable time frame.
[...]
We strive to publish updated images at least monthly for Debian. We also rebuild earlier if there is a critical security need [...] These refreshed base images also mean that any other image in the Official Images program that is FROM them will also be rebuilt.

Debian and Ubuntu are both rebuilt periodically though (with an approximate cadence of at least once per month, give or take), which leads to our regular rebuild process for many images.

Because of our periodic rebuilds, we don't often do forced rebuilds of a specific set of official-images since it is usually unnecessary and still very manual (on each architecture it requires calculating which images & their descendants and then removing the calculated images and related docker build cache).

As far as updating the eclipse-temurin Dockerfiles to force a docker build cache bust just to update the openssl version, I'd say we are generally opposed to such a change. If the software defects are important enough that a rebuild is immediately warranted, then we'd rather that all affected images benefit from a rebuild too. So, we'd either encourage the base image to publish an update/rebuild or to do the manual work to clear build cache. In this case, the defects in the CVE report aren't that serious* so I'd suggest that we wait until the Ubuntu update likely coming in the next week.

Similar issue: #16164


* Why I don't think these are serious:
  • Both defects are related to processing untrusted input and marked "Low" by the OpenSSL project.
  • CVE-2023-5678: "Severity: Low", "An application that calls DH_generate_key() or DH_check_pub_key() and supplies a key or parameters obtained from an untrusted source could be vulnerable to a Denial of Service attack"
  • CVE-2024-0727: "Severity: Low", "Applications loading files in the PKCS12 format from untrusted sources might terminate abruptly."

@sxa
Contributor

sxa commented Feb 13, 2024

we'd rather that all affected images benefit from a rebuild too. So, we'd either encourage the base image to publish an update/rebuild

Thanks @yosifkit - that's great info for our team. Yes, I agree with the approach in general, but I guess the issue here is that because openssl is in the Ubuntu repositories but not included in their base image, it wouldn't necessarily be part of a refresh of their base image, so it wouldn't get pushed out to everyone based on it unless Ubuntu chose to do an "empty refresh" to force through such a fix.

I'd suggest that we wait until the Ubuntu update likely coming in the next week.

Presumably there is no particular cadence for their refreshes - it's just when they believe an update to the packages directly included in the base are required?

Having said that, your assessment of the issues seems reasonable to me - we have openssl in our image as a prerequisite of ca-certificates and wget, which we install (it's not used directly by Temurin), and so it's unlikely it will be used in a problematic manner (unless a user based on our images is making use of it).

I trust these explanations are sufficient for @kaleemullah.

@yosifkit
Member

Presumably there is no particular cadence for their refreshes - it's just when they believe an update to the packages directly included in the base are required?

Debian is rebuilt by @tianon at least every 30 days whether or not there are any packages in the base images that changed. Ubuntu has a similar rebuild target of 3-4 weeks, but we don't have direct control since it is chosen by Ubuntu maintainers when those updates happen. They have been trending toward the 3-week target which is why I think it will come next week. When any image in official-images is changed, all dependent official images are rebuilt.

Closing since there is no action at this time. You can watch for the Ubuntu update in PRs with the library/ubuntu label.

@kaleemullah
Author

Thank you @yosifkit @sxa
