CVE-2021-3711 (high severity)

[yuhusolutions]

$ docker run aquasec/trivy --severity HIGH,CRITICAL --ignore-unfixed azul/zulu-openjdk-alpine:11

Ref image: azul/zulu-openjdk-alpine:11
Installed version: 1.1.1k-r0
Fixed version: 1.1.1l-r0

Could you please consider bumping alpine from 3.13 to 3.14 ?
See https://github.com/zulu-openjdk/zulu-openjdk/blob/master/alpine/11.0.12-11.50.19/Dockerfile

This will also fix CVE-2021-36159

Thank you.

[irizzant]

Same for debian images:

Total: 1 (HIGH: 1, CRITICAL: 0)

+-----------+------------------+----------+-------------------+------------------+--------------------------------------+
|  LIBRARY  | VULNERABILITY ID | SEVERITY | INSTALLED VERSION |  FIXED VERSION   |                TITLE                 |
+-----------+------------------+----------+-------------------+------------------+--------------------------------------+
| libssl1.1 | CVE-2021-3711    | HIGH     | 1.1.1d-0+deb10u6  | 1.1.1d-0+deb10u7 | openssl: SM2 Decryption              |
|           |                  |          |                   |                  | Buffer Overflow                      |
|           |                  |          |                   |                  | -->avd.aquasec.com/nvd/cve-2021-3711 |
+-----------+------------------+----------+-------------------+------------------+--------------------------------------+

[raphaelcolomine-onespan]

Same for trivy image azul/zulu-openjdk-alpine:11-jre and azul/zulu-openjdk-alpine:8
could we update to alpine:3.14

[irizzant]

@ironstas1k can you please check?

[ironstas1k]

Hi folks, thanks for the feedback.

We successfully bumped alpine to 3.14, debian to bullseye and ubuntu to focal for July release. Besides that now we have continuous process which will rebuild last 3 releases weekly and catch all security updates.
Feel free to use it!