CVE-2024-5535 vulnerability
Getting the following issue when using alpine 3.20.1:
libssl3 3.3.1-r0 has vulnerability CVE-2024-5535 which is fixed in 3.3.1-r1
libcrypto3 3.3.1-r0 has vulnerability CVE-2024-5535 which is fixed in 3.3.1-r1
Has this been solved? I also get libssl ..
Yes, it has been fixed: https://security.alpinelinux.org/vuln/CVE-2024-5535
It has been fixed but an alpine patch (e.g. alpine3.20.2) has not yet been released? https://snyk.io/test/docker/alpine%3A3.20
If the website I linked shows that the package is fixed for the supported Alpine releases, then Alpine has a patch/fix included.
Looks like we need a rebuild/re-release across all supported versions: (cc @ncopa) :heart:
$ bashbrew list --uniq alpine | xargs -rtI'{}' docker run --rm --pull=always '{}' apk --quiet --no-cache list --upgradeable
docker run --rm '--pull=always' alpine:20240606 apk --quiet --no-cache list --upgradeable
20240606: Pulling from library/alpine
Digest: sha256:166710df254975d4a6c4c407c315951c22753dcaa829e020a3fd5d18fff70dd2
Status: Image is up to date for alpine:20240606
apk-tools
busybox
busybox-binsh
ca-certificates-bundle
libcrypto3
libssl3
ssl_client
docker run --rm '--pull=always' alpine:3.20.1 apk --quiet --no-cache list --upgradeable
3.20.1: Pulling from library/alpine
Digest: sha256:b89d9c93e9ed3597455c90a0b88a8bbb5cb7188438f70953fede212a0c4394e0
Status: Image is up to date for alpine:3.20.1
ca-certificates-bundle
libcrypto3
libssl3
docker run --rm '--pull=always' alpine:3.19.2 apk --quiet --no-cache list --upgradeable
3.19.2: Pulling from library/alpine
Digest: sha256:af4785ccdbcd5cde71bfd5b93eabd34250b98651f19fe218c91de6c8d10e21c5
Status: Image is up to date for alpine:3.19.2
libcrypto3
libssl3
docker run --rm '--pull=always' alpine:3.18.7 apk --quiet --no-cache list --upgradeable
3.18.7: Pulling from library/alpine
Digest: sha256:1875c923b73448b558132e7d4a44b815d078779ed7a73f76209c6372de95ea8d
Status: Image is up to date for alpine:3.18.7
libcrypto3
libssl3
docker run --rm '--pull=always' alpine:3.17.8 apk --quiet --no-cache list --upgradeable
3.17.8: Pulling from library/alpine
Digest: sha256:a6063e988bcd597b4f1f7cfd4ec38402b02edd0c79250f00c9e14dc1e94bebbc
Status: Image is up to date for alpine:3.17.8
libcrypto3
libssl3
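The loop above is a one-off check typed at a terminal. As an added example (not code from this thread, nor from the docker-library or Alpine maintainers), the script below turns the same check into functions a CI gate can call: one parses `apk list --upgradeable` output for the two OpenSSL apks, one compares the installed version in a scanner finding against the fixed version, and `check_tag` reruns tianon's `docker run` command for a live image. The version comparator is a hypothetical helper that assumes the simple `X.Y.Z-rN` form seen in the findings above; on a real Alpine host `apk version -t` is the authoritative comparison. The sample inputs are constructed from the output shown in the thread.

```shell
#!/bin/sh
# Added example: gate a build on whether an Alpine image still has the
# OpenSSL packages tied to CVE-2024-5535 pending an upgrade.

# Constructed sample: the upgradeable list shown above for alpine:3.20.1.
SAMPLE_UPGRADEABLE='ca-certificates-bundle
libcrypto3
libssl3'

# Constructed sample: scanner findings in the shape quoted at the top of the thread.
SAMPLE_FINDINGS='libssl3 3.3.1-r0 has vulnerability CVE-2024-5535 which is fixed in 3.3.1-r1
libcrypto3 3.3.1-r0 has vulnerability CVE-2024-5535 which is fixed in 3.3.1-r1'

# Hypothetical helper: return 0 if apk-style version $1 is older than $2.
# Assumes the X.Y.Z-rN form only; real apk uses `apk version -t` for this.
apk_version_lt() {
  printf '%s\n%s\n' "$1" "$2" | awk -F'[.-]' '
    { for (i = 1; i <= NF; i++) { v = $i; sub(/^r/, "", v); f[NR, i] = v + 0 }; n[NR] = NF }
    END {
      m = (n[1] > n[2]) ? n[1] : n[2]
      for (i = 1; i <= m; i++) {
        if (f[1, i] < f[2, i]) exit 0
        if (f[1, i] > f[2, i]) exit 1
      }
      exit 1   # equal versions are not "less than"
    }'
}

# Read `apk --quiet list --upgradeable` output on stdin; print the OpenSSL
# apks that are still upgradeable. Returns 0 if any were found (grep semantics).
pending_openssl_pkgs() {
  grep -xE 'libssl3|libcrypto3'
}

# Read scanner findings on stdin; print "pkg installed cve fixed" for each
# finding whose installed version is still below the fixed version.
# Returns 0 if at least one finding is unfixed.
unfixed_findings() {
  n=0
  while read -r pkg installed _has _vuln cve _which _is _fixed _in fixed; do
    if apk_version_lt "$installed" "$fixed"; then
      printf '%s %s %s %s\n' "$pkg" "$installed" "$cve" "$fixed"
      n=$((n + 1))
    fi
  done
  [ "$n" -gt 0 ]
}

# Live check for one image tag (needs docker); mirrors the command in the thread.
# Usage: check_tag alpine:3.20.1 && echo "rebuild or apk upgrade needed"
check_tag() {
  docker run --rm --pull=always "$1" apk --quiet --no-cache list --upgradeable \
    | pending_openssl_pkgs
}
```

Wire `check_tag` into a pipeline step so a base image that still lists libssl3 or libcrypto3 as upgradeable fails the build until either a rebuilt image is published or the image's own Dockerfile applies the package upgrade.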
Thanks for confirming @tianon! Just because something is said to be true doesn't necessarily make it so :)
I look forward to the patch being released as this is holding up quite a few of my build pipelines 😎
I am looking forward to seeing this patched. Alpine clearly has the packages to fix this vulnerability by running apk update && apk upgrade but they don't seem to be reflected in the docker image.
Are there any updates that can be provided on when the community can expect new builds available to resolve the critical vulnerability with openssl?
https://hub.docker.com/layers/library/alpine/3.19/images/sha256-b836e8a5a3ad3a108cdcdad7087a63089b2dd2e2f30bd9121edd8dbc06a3124d?context=explore
@tianon We haven't had a response from the Alpine maintainers on this so far. Is there a way you could trigger a rebuild of Alpine's images so others dependent on it (such as eclipse-temurin) get the update? I'm guessing that a rebuild would be enough to pick up the later packages from the repository without any additional updates.
If we were responsible for building the rootfs, yes, that would work, but we are not, so that would unfortunately not make a difference for these packages contained in the base image rootfs tarballs.
As a workaround, you're free to run apk upgrade -Ua to install the latest package versions, which should solve those vulnerabilities.
Please note that this is a low-severity issue according to upstream. They did not even bother to create a new upstream release for it.