Critical CVE in distroless/java17 update to openjdk 17.0.3 #1022
Comments
georgespalding
changed the title
georgespalding
changed the title
|
Would be great if the other Java images are also updated quickly (e.g. Java 8 and 11) |
|
These images follow debian bullseye. If they release an update, we will pick it up. Distroless Java 8 is longer supported and has not been updated in a long time. |
|
@maximilianro As per my amateur tests the java11 image is not vulnerable (but I need java17 because of language features used in the codebase). |
|
Tracking of the CVE at Debian: https://security-tracker.debian.org/tracker/CVE-2022-21449 |
|
I'm wondering whether this image can use temurin 17.0.3 release from https://github.com/adoptium/temurin17-binaries/releases instead of waiting for Debian - if other flavors use that approach (e.g. when debian does not have the corresponding versions) |
|
Yeah sure, if someone proposed a PR for this, we could start from there.
after looking into the temurin/adoptium release docs, I think we should only pick up *-ga releases. |
Adoptium has not releases an actual -ga version of these images yet: adoptium/adoptium#140 |
|
@loosebazooka seems like the Termiten GA Release is there |
|
What do you mean with Seems like related to #961 ? Let me know if you prefer to discuss using temurin binaries directly instead of openjdk package in a separate issue. Thanks! BTW I had to do that due to the debian delay... |
|
So, reading through the docs, it looks like the +N builds are just weekly builds, leading up to the final release? But maybe I'm misunderstanding that sutff: https://github.com/adoptium/temurin-build/blob/master/RELEASING.md |
|
@loosebazooka i think you are right, the Readme says there is a -ga tag when ist Released |
|
@loosebazooka @floriankoch That
Also no github binary releases are marked as |
|
I agree with @chulkilee; Comparing the 17.0.2+8 and 17.0.3+8 tags at least I get the impression these are official releases?
https://github.com/adoptium/temurin17-binaries/releases/tag/jdk-17.0.2%2B8
Would switching to using temurin binaries be feasible in the scope of this issue? |
|
@georgespalding debian has the new openjdk in unstable |
|
Not sure if it helps, but I have a Dockerfile based on debian:11-slim, I did build it today and when I apt-get install openjdk-17-jdk-headless, it pulled this package: |
|
okay great this should be picked up soon, lemme trigger an unscheduled updated. |
|
@loosebazooka can you trigger a rebuild? |
|
Some news here? The package is in the snapshot repo Is relying on snapshots a good way to geht fast Security Updates? |
|
the latest release is done with this fix. |
Java 17.0.2 has a severe flaw in signature verification for elliptic curve signatures.
17.0.3 was released to the public on April 19, 2022:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21449
See also https://neilmadden.blog/2022/04/19/psychic-signatures-in-java/
The text was updated successfully, but these errors were encountered: