Docker-nginx: please release an Alpine image with libssl 1.1.1g as per CVE-2020-1967

Created on 22 Apr 2020  路  4Comments  路  Source: nginxinc/docker-nginx

https://www.openssl.org/news/secadv/20200421.txt:

OpenSSL version 1.1.1d, 1.1.1e, and 1.1.1f are affected by this issue. This
issue did not affect OpenSSL versions prior to 1.1.1d.
Affected OpenSSL 1.1.1 users should upgrade to 1.1.1g

Available since yesterday: https://pkgs.alpinelinux.org/packages?name=libssl1.1&branch=v3.11.

Most helpful comment

Fixed by the great docker library maintainers, nginx:alpine variants now ship with libssl1.1 of 1.1.1g-r0 afaict.

All 4 comments

Yes please! Also not just Alpine but the mainline image, which the nginx-proxy project uses, as the mainline image it inherits seems to be on the vulnerable OpenSSL 1.1.1d too.

nginx doesnt use the function that had the problem in openssl, so I don't really see the point.

In any case, it's up for alpine project to provide an updated base image and nginx image would then be rebuilt on docker hub side.

Thanks @thresheek, that makes perfect sense. I didn't realise Nginx didn't make use of the offending function.

Fixed by the great docker library maintainers, nginx:alpine variants now ship with libssl1.1 of 1.1.1g-r0 afaict.

Was this page helpful?
0 / 5 - 0 ratings

Related issues

M-SIGMA picture M-SIGMA  路  3Comments

nightlyone picture nightlyone  路  4Comments

keshavpareek picture keshavpareek  路  5Comments

sandersaares picture sandersaares  路  6Comments

rokf picture rokf  路  5Comments