Republish eclipse-temurin (ubuntu focal) images to incorporate openssl vulnerabilities fixes #16225
Comments
Since they are official images I believe the rebuilds should be taken care of automatically by Dockerhub
Thanks. I'm not aware of the rebuild process on dockerhub but if it's automatic then it should be rebuilt by now.
From our FAQ:
Debian and Ubuntu are both rebuilt periodically though (with an approximate cadence of at least once per month, give or take), which leads to our regular rebuild process for many images. Because of our periodic rebuilds, we don't often do forced rebuilds of a specific set of official-images since it is usually unnecessary and still very manual (on each architecture it requires calculating which images & their descendants and then removing the calculated images and related As far as updating the Similar issue: #16164
Thanks @yosifkit - that's great info for our team. Yes I agree with the approach in general but I guess the issue here is that because openssl is in the Ubuntu repositories but not included in their base image it wouldn't necessarily be part of a refresh of their base image so wouldn't get pushed out to everyone based on it unless Ubuntu chose to do an "empty refresh" to force through such a fix.
Presumably there is no particular cadence for their refreshes - it's just when they believe an update to the packages directly included in the base are required? Having said that, your assessment of the issues seems reasonable to me - we have openssl in our image as a prerequisite of I trust these explanations are sufficient for @kaleemullah.
Debian is rebuilt by @tianon at least every 30 days whether or not there are any packages in the base images that changed. Ubuntu has a similar rebuild target of 3-4 weeks, but we don't have direct control since it is chosen by Ubuntu maintainers when those updates happen. They have been trending toward the 3-week target which is why I think it will come next week. When any image in Closing since there is no action at this time. You can watch for the Ubuntu update in PRs with the
Problem
eclipse-temurin/11-focal image contains
openssl (1.1.1f-1ubuntu2.20)
package which has vulnerabilities:.
Potential Solution:
Ubuntu has already published the fix:
https://launchpad.net/ubuntu/+source/openssl/1.1.1f-1ubuntu2.21
So, most probably, eclipse-temurin (ubuntu focal) related images (https://github.com/docker-library/official-images/blob/master/library/eclipse-temurin) need to be republished to docker hub.