node:12.13/14-slim ships with unsupported OpenSSL? #1181
Comments
IdanAdar
changed the title
|
@SimenB In reading through the comments of your PR it seems that you're basically dropping OpenSSL completely from the base image, which means I guess that I should install it myself, but I tried this and it still installed that same old OpenSSL version, so how is this helping to resolve the issue? How do I then install the latest OpenSSL version? |
|
I don't know if it's been released for stretch? You could use buster, which is debian 10 instead of debian 9. This will solve it in that we will no longer ship an image with openssl installed. How to install a given version of |
|
Well, we're using node:12.13-slim, that one is using debian 9 no? Not much I can do about that... unless someone updates slim to use debian 10. |
|
We have buster images, |
|
So with |
|
You might need |
|
Removing the package causes any new images that are based off of these images to no longer have a default config, which implicitly reduces the SECLEVEL for all openssl usage on that image. It may be useful to notify consumers of this image that they should configure a reasonable I can't find any release notes for these images, but if they exist, an amended release note that if you use openssl, an |
See in https://www.openssl.org/policies/releasestrat.html
Version 1.1.1 will be supported until 2023-09-11 (LTS).
Version 1.1.0 will be supported until 2019-09-11.
In the latest node:12.13-slim,
openssl versionreturnsOpenSSL 1.1.0l 10 Sep 2019The text was updated successfully, but these errors were encountered: