Fix of CVE-2025-9230 in Docker Image 1.71.1

[marcfischer]

Hi there,

one of my customers is using the rclone docker image and can currently not import the container image in his environment due to security CVE scans. We tried it with the container Image 1.71.1 from Dockerhub (clone/rclone:1.71.1) and sysdig finds this critical Security issue:

--> CVE-2025-9230 (VulnDB Score 9.8):

Affected Packages and Versions

• libssl3 3.5.1-r0 (-> fixed in 3.5.4-r0)
• libcrypto3 3.5.1-r0 (-> fixed in 3.5.4-r0)

Would it be possible to update these packages in the next version?

[roucc]

Rclone docker image runs alpine:latest where these libraries are used. In the latest version this is fixed and so in the next release of rclone this will be automatically fixed. Do you think it would be useful to make a point release?

[marcfischer]

Hi @roucc,

I think this would be nice. But also it is currently not needed as there is also access to secure image. But I think it still could be nice for the thousands of other users.

[roucc]

The newest point release 1.71.2 now fixes this!

[ncw]

Demonstration of the fix

$ docker run -it --rm rclone/rclone version
rclone v1.71.2
- os/version: alpine 3.22.2 (64 bit)
- os/kernel: 6.8.0-85-generic (x86_64)
- os/type: linux
- os/arch: amd64
- go/version: go1.25.3
- go/linking: static
- go/tags: none

$ docker run -it --rm --entrypoint /sbin/apk rclone/rclone list | grep -E 'lib(crypto|ssl)'
libcrypto3-3.5.4-r0 x86_64 {openssl} (Apache-2.0) [installed]
libssl3-3.5.4-r0 x86_64 {openssl} (Apache-2.0) [installed]