openssl: CVE-2015-3193, CVE-2015-3194, CVE-2015-3195, CVE-2015-3196 #1235
Comments
@andyshinn http://bugs.alpinelinux.org/issues/4921 looks like it's been updated there; can we get an updated
@maxamillion
@flavio it looks like there's been some good activity on those CVE bugs for
@prologic looks like
@tianon Yes of course; in a few days :) (hopefully this weekend).
@prologic 🤘 thanks!
@vaygr looks like sourcemage hasn't been updated yet (http://www.sourcemage.org/projects/grimoire/repository/changes/crypto/openssl?rev=master); am I looking in the right places for this kind of information?
@juanluisbaptiste
Done, PR: #1254. I'm sorry for the delay!
@Djelibeybi looks like Oracle's updated now also -- can we get some fresh images? 🙏 😄
I've asked our build team to trigger a rebuild. We will only update oraclelinux:latest, though. |
Question for @tianon and others: what makes you trigger one of these CVE rebuilds? The CVEs are moderate/low and usually we wouldn't rebuild unless they were High/Critical. I'm just trying to work out what level to set our automation at, because we wouldn't have considered a rebuild/republish for these CVEs. |
We have a very low threshold for what we consider important enough to rebuild the base for because the officially recommended way you fix your own images in light of a vulnerability is to update the base and rebuild your image from a Dockerfile; if the base doesn't get updated, the Dockerfile re-build will be cached (and if the package that needs to be updated is included in the base image, it wouldn't get updated even if the build wasn't cached).

We do try to use the CVSS / determined Docker-use-case impact to determine how actively we should start harassing upstreams, but I try to be reasonable and not harass you guys until your relevant distribution actually does have updated packages available.
@tianon thanks for the notice, the better place is plain git web-interface here: http://scmweb.sourcemage.org/. We will generate new image shortly and create a new PR for it. |
@Djelibeybi will do, thanks! @vaygr ahhh nice, yeah that looks much better 👍 Thanks! 😄 |
I think it's probably about time we declared this one "as fixed as it's going to be", and I'm thus going to close this tracking issue. Thanks folks! For any maintainers still straggling here, you should definitely focus your efforts on #1448 ASAP and consider this openssl update to be a side benefit to fixing that one. 👍 |
CVE-2015-3193, CVE-2015-3194, CVE-2015-3195, CVE-2015-3196, CVE-2015-1794
https://mta.openssl.org/pipermail/openssl-announce/2015-December/000050.html
https://mta.openssl.org/pipermail/openssl-announce/2015-December/000055.html

- alpine: Bump Alpine for CVE-2015-3193, CVE-2015-3194, CVE-2015-3195 #1255 -- libssl1.0-1.0.2d-r0
- busybox: not affected
- centos (RHEL derivative): bump latest centos 7 images, add 7.2 #1275 -- openssl-libs-1.0.1e-42.el7.9.x86_64
- crux: OpenSSL 1.0.2d -- update available
- debian: Update debian, especially for OpenSSL CVEs #1241 -- no SSL in the base image, but many descendants
- fedora: update for openssl CVEs #1316 -- openssl-libs-1.0.2d-3.fc23.x86_64
- mageia: Updated images for CVE-2015-319[3-5] and CVE-2015-1794 #1254 -- lib64openssl1.0.0-1.0.2d-1.mga5
- opensuse: Update openSUSE images to fix security issues #1257 -- openssl-1.0.1i-4.1.x86_64 / libopenssl1_0_0-1.0.1i-4.1.x86_64
- oraclelinux: Updated Oracle Linux 7.2 image #1287 -- openssl-libs-1.0.1e-42.el7_1.9.x86_64
- sourcemage: OpenSSL 0.9.8zd -- update available
- ubuntu: Update ubuntu (especially for CVE-2015-3193 and friends) #1251 -- libssl1.0.0_1.0.1f-1ubuntu2.15
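As an added example (not code from this issue or from the docker-library project), a small checker for the rpm-based images in the list above: it takes the fixed `version-release` strings recorded here and compares an installed package version against them with a simplified rpmvercmp (segment-wise, no `~`/`^` handling), so a maintainer can tell whether a pulled image still needs a rebuild. The installed versions in the sample run are constructed inputs.

```python
import re

# Fixed "version-release" values for the rpm-based images, taken from this issue.
FIXED = {
    "centos":      ("openssl-libs", "1.0.1e-42.el7.9"),
    "fedora":      ("openssl-libs", "1.0.2d-3.fc23"),
    "mageia":      ("lib64openssl1.0.0", "1.0.2d-1.mga5"),
    "opensuse":    ("libopenssl1_0_0", "1.0.1i-4.1"),
    "oraclelinux": ("openssl-libs", "1.0.1e-42.el7_1.9"),
}

_SEG = re.compile(r"[0-9]+|[a-zA-Z]+")


def rpmvercmp(a, b):
    """Simplified rpmvercmp: split both strings into numeric and alphabetic
    segments (separators are ignored), compare segment by segment, numbers
    numerically and letters lexically, numeric beating alphabetic; if one
    string has segments left over it is the newer one. Returns -1, 0 or 1."""
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            x, y = int(x), int(y)
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        if x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))


def evr_cmp(a, b):
    """Compare two 'version-release' strings: version first, then release."""
    av, ar = a.rsplit("-", 1)
    bv, br = b.rsplit("-", 1)
    return rpmvercmp(av, bv) or rpmvercmp(ar, br)


def needs_rebuild(distro, installed):
    """True if the installed version-release is older than the fix listed above."""
    return evr_cmp(installed, FIXED[distro][1]) < 0


def still_vulnerable(installed):
    """installed: {distro: version-release} seen in a pulled image (constructed
    sample input); returns the distros whose package is still older than the fix."""
    return sorted(d for d, v in installed.items() if needs_rebuild(d, v))


if __name__ == "__main__":
    # Constructed sample: centos and oraclelinux predate the fix, fedora is current.
    sample = {"centos": "1.0.1e-42.el7.4", "fedora": "1.0.2d-3.fc23",
              "oraclelinux": "1.0.1e-42.el7_1.8"}
    print("still need a rebuild:", still_vulnerable(sample))
```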