Rebuild 9.0/jre11/temurin-focal to pick up upstream updates and remediate CVE-2022-37434

[mrbusche]

We are building images based off library/tomcat:9.0.65-jdk11-openjdk which is built from eclipse-temurin:11-jre-focal. The tomcat image in Docker hub was built 2 months ago and the eclipse-temurin:11-jre-focal image was built 20 days ago.

CVE-2022-37434 for zlib has been labeled a critical CVE for 47 days.

shell
+----------------+----------+------+----------+-------------------------+----------------------------------+------------+
|      CVE       | SEVERITY | CVSS | PACKAGE  |         VERSION         |              STATUS              | PUBLISHED  |
+----------------+----------+------+----------+-------------------------+----------------------------------+------------+
| CVE-2022-37434 | critical | 9.80 | zlib     | 1:1.2.11.dfsg-2+deb11u1 | fixed in 1:1.2.11.dfsg-2+deb11u2 | 47 days    |
+----------------+----------+------+----------+-------------------------+----------------------------------+------------+

[tianon]

tomcat:9.0.65-jdk11-openjdk is not based on eclipse-temurin - it's a deprecated/removed tag based on openjdk (see #265)

I think what you're looking for instead is probably tomcat:9.0.65-jdk11-temurin-jammy, tomcat:9.0.65-jdk11-temurin-focal, or even tomcat:9.0.65-jdk11-temurin ?

[mrbusche]

tomcat:9.0.65-jdk11-openjdk is not based on eclipse-temurin - it's a deprecated/removed tag based on openjdk (see #265)

I think what you're looking for instead is probably tomcat:9.0.65-jdk11-temurin-jammy, tomcat:9.0.65-jdk11-temurin-focal, or even tomcat:9.0.65-jdk11-temurin ?

You're 100% correct, I missed that announcement.