Rebase Latest Exchange Container Images To Include OpenSSL v3.0.7 Update #650
Comments
|
Follow the availability of the ubi9/ubi9-minimal container at |
|
@johnwalicki OpenSSL is not included in the base minimal image by default it must be installed from the UBI repository as an added layer. https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/baseos/os/Packages/o/ Line 139 in aa725df |
|
Right..., my OH code searches found that build.sbt yesterday. The https://github.com/open-horizon/exchange-api/blob/master/build.sbt |
|
In the abundance of clarity, we should bump the exchange build number (which I think is an artifact of the build process?) so that we can tell users the minimum release ver to upgrade to. |
johnwalicki
changed the title
|
Posted CVEs have been downgraded from critical to high. https://www.openssl.org/news/vulnerabilities.html#CVE-2022-3786 |
|
@bencourliss Here is the RHEL 9 errata for OpenSSL 3.0.7 |
|
Can you kick off a build to generate a refreshed Exchange container with this updated OpenSSL 3.0.7 errata? |
|
The updated packages have not hit the repository yet. The UBI repositories typically lag behind the RHEL ones. |
|
I have confirmed with RedHat that the |
|
Issue resolved, closing. |
|
Refreshed exchange container has been posted to DockerHub today. Thanks @bencourliss |
OpenSSL v3.x has a
criticalhigh security vulnerability that needs to patched. This version of OpenSSL is included in Red Hat's UBI 9. The patch to fix this vulnerability is to be released November 1, 2022. Once this patch is released to the UBI 9 repository, the Open Horizon team is to rebuild and release new Exchange container images to include the fix for this vulnerability.The text was updated successfully, but these errors were encountered: