Critical CVE in distroless/java17 update to openjdk 17.0.3 #1022
Comments
It would be great if the other Java images were also updated quickly (e.g. Java 8 and 11).
These images follow Debian bullseye. If they release an update, we will pick it up. Distroless Java 8 is no longer supported and has not been updated in a long time.
@maximilianro As per my amateur tests the java11 image is not vulnerable (but I need java17 because of language features used in the codebase).
Tracking of the CVE at Debian: https://security-tracker.debian.org/tracker/CVE-2022-21449
I'm wondering whether this image could use the Temurin 17.0.3 release from https://github.com/adoptium/temurin17-binaries/releases instead of waiting for Debian, if other flavors use that approach (e.g. when Debian does not have the corresponding versions).
Yeah sure, if someone proposed a PR for this, we could start from there.
After looking into the Temurin/Adoptium release docs, I think we should only pick up *-ga releases.
Adoptium has not released an actual -ga version of these images yet: adoptium/adoptium#140
@loosebazooka seems like the Temurin GA release is there
What do you mean with "Seems like"? Related to #961? Let me know if you prefer to discuss using Temurin binaries directly instead of the openjdk package in a separate issue. Thanks! BTW I had to do that due to the Debian delay...
So, reading through the docs, it looks like the +N builds are just weekly builds, leading up to the final release? But maybe I'm misunderstanding that stuff: https://github.com/adoptium/temurin-build/blob/master/RELEASING.md
@loosebazooka I think you are right, the README says there is a -ga tag when it is released.
@loosebazooka @floriankoch That
Also no GitHub binary releases are marked as
I agree with @chulkilee; comparing the 17.0.2+8 and 17.0.3+8 tags at least I get the impression these are official releases?
https://github.com/adoptium/temurin17-binaries/releases/tag/jdk-17.0.2%2B8
Would switching to using Temurin binaries be feasible in the scope of this issue?
@georgespalding Debian has the new openjdk in unstable.
Not sure if it helps, but I have a Dockerfile based on debian:11-slim. I did build it today and when I apt-get install openjdk-17-jdk-headless, it pulled this package:
Okay, great, this should be picked up soon; lemme trigger an unscheduled update.
@loosebazooka can you trigger a rebuild? |
Some news here? The package is in the snapshot repo. Is relying on snapshots a good way to get fast security updates?
The latest release is done with this fix.
Java 17.0.2 has a severe flaw in signature verification for elliptic curve (ECDSA) signatures.
17.0.3, which fixes it, was released to the public on April 19, 2022:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21449
See also https://neilmadden.blog/2022/04/19/psychic-signatures-in-java/
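A minimal way to check whether a given JDK (including the one shipped in a distroless image) is affected is to ask it to verify an ECDSA signature whose r and s values are both zero, which a correct implementation must reject. The program below is an added example and is not code from the original issue or from the distroless project; the class name, the curve choice (secp256r1) and the message text are arbitrary assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.Signature;
import java.security.SignatureException;
import java.security.spec.ECGenParameterSpec;

/**
 * Checks the running JDK for CVE-2022-21449 ("psychic signatures"):
 * an ECDSA signature with r = 0 and s = 0 must never verify.
 * Class name and message are assumptions for this example.
 */
public class PsychicSignatureCheck {

    // DER encoding of SEQUENCE { INTEGER 0, INTEGER 0 }, i.e. an ECDSA
    // signature with r = 0 and s = 0, which is invalid for every key and message.
    private static final byte[] ZERO_SIGNATURE = {
        0x30, 0x06,          // SEQUENCE, length 6
        0x02, 0x01, 0x00,    // INTEGER r = 0
        0x02, 0x01, 0x00     // INTEGER s = 0
    };

    /** Returns true if the JDK accepts the all-zero signature (i.e. it is vulnerable). */
    public static boolean acceptsZeroSignature() throws Exception {
        // Any EC key works; the flaw does not depend on the key material.
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("EC");
        kpg.initialize(new ECGenParameterSpec("secp256r1"));
        KeyPair kp = kpg.generateKeyPair();

        Signature verifier = Signature.getInstance("SHA256withECDSA");
        verifier.initVerify(kp.getPublic());
        verifier.update("constructed test message".getBytes(StandardCharsets.UTF_8));

        try {
            return verifier.verify(ZERO_SIGNATURE);
        } catch (SignatureException e) {
            // A patched provider may reject the out-of-range values by throwing
            // instead of returning false; either way the signature was not accepted.
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        boolean vulnerable = acceptsZeroSignature();
        System.out.println("java.runtime.version = " + System.getProperty("java.runtime.version"));
        System.out.println(vulnerable
            ? "VULNERABLE: all-zero ECDSA signature was accepted (CVE-2022-21449)"
            : "OK: all-zero ECDSA signature was rejected");
        // Non-zero exit status makes this usable as a gate in a CI or image-scanning job.
        System.exit(vulnerable ? 1 : 0);
    }
}
```

Compile it once with `javac PsychicSignatureCheck.java` on any JDK, then run the resulting class with the runtime you want to test; distroless images ship no compiler, so the class file has to be built outside the image and mounted or copied in. On 17.0.2 the all-zero signature is accepted and the program exits 1; on 17.0.3 it is rejected and the program exits 0. Testing a single signature this way is a smoke test for this one bug, not a substitute for taking the vendor update.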