-
Notifications
You must be signed in to change notification settings - Fork 30
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Rebase Latest Exchange Container Images To Include OpenSSL v3.0.7 Update #650
Comments
Follow the availability of the ubi9/ubi9-minimal container at |
@johnwalicki OpenSSL is not included in the base minimal image by default it must be installed from the UBI repository as an added layer. https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/baseos/os/Packages/o/ Line 139 in aa725df
|
Right..., my OH code searches found that build.sbt yesterday. The https://github.com/open-horizon/exchange-api/blob/master/build.sbt |
In the abundance of clarity, we should bump the exchange build number (which I think is an artifact of the build process?) so that we can tell users the minimum release ver to upgrade to. |
Posted CVEs have been downgraded from critical to high. https://www.openssl.org/news/vulnerabilities.html#CVE-2022-3786 |
@bencourliss Here is the RHEL 9 errata for OpenSSL 3.0.7 |
Can you kick off a build to generate a refreshed Exchange container with this updated OpenSSL 3.0.7 errata? |
The updated packages have not hit the repository yet. The UBI repositories typically lag behind the RHEL ones. |
I have confirmed with RedHat that the |
Issue resolved, closing. |
Refreshed exchange container has been posted to DockerHub today. Thanks @bencourliss |
OpenSSL v3.x has a
criticalhigh security vulnerability that needs to patched. This version of OpenSSL is included in Red Hat's UBI 9. The patch to fix this vulnerability is to be released November 1, 2022. Once this patch is released to the UBI 9 repository, the Open Horizon team is to rebuild and release new Exchange container images to include the fix for this vulnerability.The text was updated successfully, but these errors were encountered: