Bump Alpine version to 3.19.1 #3524
Conversation
💚 CLA has been signed
👋 @kadirtaskiran Thanks a lot for your contribution! It may take some time before we review a PR, so even if you don’t see activity for some time, it does not mean that we have forgotten about it. Every once in a while we go through a process of prioritization, after which we are focussing on the tasks that were planned for the upcoming milestone. The prioritization status is typically reflected through the PR labels. It could be pending triage, a candidate for a future milestone, or have a target milestone set to it.
Thanks @kadirtaskiran, please add the CHANGELOG entry identifying the alpine upgrade
Thank you for the clarification. Updated now. 👍
LGTM, just one minor comment on the changelog formatting
92fe561
@elasticmachine run elasticsearch-ci/docs
run docs-build
Bump Alpine version to 3.19.1 (alpine@sha256:c5b1261d6d3e43071626931fc004f70149baeba2c8ec672bd4f27761f8e1ad6b)
What does this PR do?
Updates the base Alpine Docker image version used to 3.19.1. Alpine 3.18.2 has several vulnerabilities, so we need to update it.
```text
trivy image alpine@sha256:82d1e9d7ed48a7523bdebc18cf6290bdb97b82302a8a9c27d4fe885949ea94d1
2024-02-12T17:36:41.726+0300 INFO Vulnerability scanning is enabled
2024-02-12T17:36:41.726+0300 INFO Secret scanning is enabled
2024-02-12T17:36:41.726+0300 INFO If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-02-12T17:36:41.726+0300 INFO Please see also https://aquasecurity.github.io/trivy/v0.48/docs/scanner/secret/#recommendation for faster secret detection
2024-02-12T17:36:43.889+0300 INFO Detected OS: alpine
2024-02-12T17:36:43.889+0300 INFO Detecting Alpine vulnerabilities...
2024-02-12T17:36:43.896+0300 INFO Number of language-specific files: 0

alpine@sha256:82d1e9d7ed48a7523bdebc18cf6290bdb97b82302a8a9c27d4fe885949ea94d1 (alpine 3.18.2)

Total: 19 (UNKNOWN: 0, LOW: 0, MEDIUM: 14, HIGH: 2, CRITICAL: 3)
```

| Library | Vulnerability | Severity | Status | Installed Version | Fixed Version | Title |
|---|---|---|---|---|---|---|
| busybox | CVE-2022-48174 | CRITICAL | fixed | 1.36.1-r0 | 1.36.1-r1 | [stack overflow vulnerability in ash.c leads to arbitrary code execution](https://avd.aquasec.com/nvd/cve-2022-48174) |
| busybox-binsh | CVE-2022-48174 | CRITICAL | fixed | 1.36.1-r0 | 1.36.1-r1 | [stack overflow vulnerability in ash.c leads to arbitrary code execution](https://avd.aquasec.com/nvd/cve-2022-48174) |
| libcrypto3 | CVE-2023-5363 | HIGH | fixed | 3.1.1-r1 | 3.1.4-r0 | [openssl: Incorrect cipher key and IV length processing](https://avd.aquasec.com/nvd/cve-2023-5363) |
| libcrypto3 | CVE-2023-2975 | MEDIUM | fixed | 3.1.1-r1 | 3.1.1-r2 | [openssl: AES-SIV cipher implementation contains a bug that causes it to ignore...](https://avd.aquasec.com/nvd/cve-2023-2975) |
| libcrypto3 | CVE-2023-3446 | MEDIUM | fixed | 3.1.1-r1 | 3.1.1-r3 | [openssl: Excessive time spent checking DH keys and parameters](https://avd.aquasec.com/nvd/cve-2023-3446) |
| libcrypto3 | CVE-2023-3817 | MEDIUM | fixed | 3.1.1-r1 | 3.1.2-r0 | [OpenSSL: Excessive time spent checking DH q parameter value](https://avd.aquasec.com/nvd/cve-2023-3817) |
| libcrypto3 | CVE-2023-5678 | MEDIUM | fixed | 3.1.1-r1 | 3.1.4-r1 | [openssl: Generating excessively long X9.42 DH keys or checking excessively long X9.42...](https://avd.aquasec.com/nvd/cve-2023-5678) |
| libcrypto3 | CVE-2023-6129 | MEDIUM | fixed | 3.1.1-r1 | 3.1.4-r3 | [openssl: POLY1305 MAC implementation corrupts vector registers on PowerPC](https://avd.aquasec.com/nvd/cve-2023-6129) |
| libcrypto3 | CVE-2023-6237 | MEDIUM | fixed | 3.1.1-r1 | 3.1.4-r4 | [openssl: Excessive time spent checking invalid RSA public keys](https://avd.aquasec.com/nvd/cve-2023-6237) |
| libcrypto3 | CVE-2024-0727 | MEDIUM | fixed | 3.1.1-r1 | 3.1.4-r5 | [openssl: denial of service via null dereference](https://avd.aquasec.com/nvd/cve-2024-0727) |
| libssl3 | CVE-2023-5363 | HIGH | fixed | 3.1.1-r1 | 3.1.4-r0 | [openssl: Incorrect cipher key and IV length processing](https://avd.aquasec.com/nvd/cve-2023-5363) |
| libssl3 | CVE-2023-2975 | MEDIUM | fixed | 3.1.1-r1 | 3.1.1-r2 | [openssl: AES-SIV cipher implementation contains a bug that causes it to ignore...](https://avd.aquasec.com/nvd/cve-2023-2975) |
| libssl3 | CVE-2023-3446 | MEDIUM | fixed | 3.1.1-r1 | 3.1.1-r3 | [openssl: Excessive time spent checking DH keys and parameters](https://avd.aquasec.com/nvd/cve-2023-3446) |
| libssl3 | CVE-2023-3817 | MEDIUM | fixed | 3.1.1-r1 | 3.1.2-r0 | [OpenSSL: Excessive time spent checking DH q parameter value](https://avd.aquasec.com/nvd/cve-2023-3817) |
| libssl3 | CVE-2023-5678 | MEDIUM | fixed | 3.1.1-r1 | 3.1.4-r1 | [openssl: Generating excessively long X9.42 DH keys or checking excessively long X9.42...](https://avd.aquasec.com/nvd/cve-2023-5678) |
| libssl3 | CVE-2023-6129 | MEDIUM | fixed | 3.1.1-r1 | 3.1.4-r3 | [openssl: POLY1305 MAC implementation corrupts vector registers on PowerPC](https://avd.aquasec.com/nvd/cve-2023-6129) |
| libssl3 | CVE-2023-6237 | MEDIUM | fixed | 3.1.1-r1 | 3.1.4-r4 | [openssl: Excessive time spent checking invalid RSA public keys](https://avd.aquasec.com/nvd/cve-2023-6237) |
| libssl3 | CVE-2024-0727 | MEDIUM | fixed | 3.1.1-r1 | 3.1.4-r5 | [openssl: denial of service via null dereference](https://avd.aquasec.com/nvd/cve-2024-0727) |
| ssl_client | CVE-2022-48174 | CRITICAL | fixed | 1.36.1-r0 | 1.36.1-r1 | [stack overflow vulnerability in ash.c leads to arbitrary code execution](https://avd.aquasec.com/nvd/cve-2022-48174) |
Checklist