Alpine Linux: CVE-2022-2097
captn3m0 opened this issue
Nemo commented
Latest Traefik image needs an update, since it contains libcrypto1.1 1.1.1n-r0, which is vulnerable as per CVE-2022-2097.
Alpine 3.15 already has a fix for this; this just needs a new release with an apk upgrade.
Total: 2 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 2, CRITICAL: 0)
┌──────────────┬───────────────┬──────────┬───────────────────┬───────────────┬──────────────────────────────────────────────┐
│   Library    │ Vulnerability │ Severity │ Installed Version │ Fixed Version │                    Title                     │
├──────────────┼───────────────┼──────────┼───────────────────┼───────────────┼──────────────────────────────────────────────┤
│ libcrypto1.1 │ CVE-2022-2097 │ HIGH     │ 1.1.1n-r0         │ 1.1.1q-r0     │ openssl: AES OCB fails to encrypt some bytes │
│              │               │          │                   │               │ https://avd.aquasec.com/nvd/cve-2022-2097    │
├──────────────┤               │          │                   │               │                                              │
│ libssl1.1    │               │          │                   │               │                                              │
│              │               │          │                   │               │                                              │
└──────────────┴───────────────┴──────────┴───────────────────┴───────────────┴──────────────────────────────────────────────┘
Ludovic Fernandez commented
Hello,
The official image is managed by Docker; when a CVE happens on Alpine, they rebuild the images.
And I think it's already in progress: https://doi-janky.infosiftr.net/job/multiarch/view/images/view/traefik/