3.17 - several packages out of date for armv7/armhf
Package Information
- Package name: busybox, busybox-binsh, libcrypto3, libssl3, ssl_client
- Package version: see table
- Alpine version: 3.17
- Alpine architecture: armv7
Summary
Using trivy as an example against the docker image, I can see that several packages are reporting as having fixable vulnerabilities, but the armv7 and armhf versions in the package info pages online are showing that there are not any newer versions available - like the builds didn't happen. For example: ssl_client on pkgs.alpinelinux.org. I think last time I saw this, it was an issue with builders, but I'm not sure what the right place is to look for builder status because this just says idle.
I re-build the alpine image with all of the latest packages for my own use so it's not an issue of the image being out of date, just to clarify that. Checking each of the packages below on pkgs.alpinelinux.org, they all look like they're similar where the other architectures have had their packages updated.
mbentley/alpine:3.17-armv7 (alpine 3.17.7)
==========================================
Total: 7 (UNKNOWN: 0, LOW: 2, MEDIUM: 5, HIGH: 0, CRITICAL: 0)
┌───────────────┬────────────────┬──────────┬────────┬───────────────────┬───────────────┬───────────────────────────────────────────────────────────┐
│ Library │ Vulnerability │ Severity │ Status │ Installed Version │ Fixed Version │ Title │
├───────────────┼────────────────┼──────────┼────────┼───────────────────┼───────────────┼───────────────────────────────────────────────────────────┤
│ busybox │ CVE-2023-42366 │ MEDIUM │ fixed │ 1.35.0-r29 │ 1.35.0-r30 │ busybox: A heap-buffer-overflow │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2023-42366 │
├───────────────┤ │ │ │ │ │ │
│ busybox-binsh │ │ │ │ │ │ │
│ │ │ │ │ │ │ │
├───────────────┼────────────────┤ │ ├───────────────────┼───────────────┼───────────────────────────────────────────────────────────┤
│ libcrypto3 │ CVE-2024-4603 │ │ │ 3.0.12-r4 │ 3.0.13-r0 │ openssl: Excessive time spent checking DSA keys and │
│ │ │ │ │ │ │ parameters │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2024-4603 │
│ ├────────────────┼──────────┤ │ ├───────────────┼───────────────────────────────────────────────────────────┤
│ │ CVE-2024-2511 │ LOW │ │ │ 3.0.12-r5 │ openssl: Unbounded memory growth with session handling in │
│ │ │ │ │ │ │ TLSv1.3 │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2024-2511 │
├───────────────┼────────────────┼──────────┤ │ ├───────────────┼───────────────────────────────────────────────────────────┤
│ libssl3 │ CVE-2024-4603 │ MEDIUM │ │ │ 3.0.13-r0 │ openssl: Excessive time spent checking DSA keys and │
│ │ │ │ │ │ │ parameters │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2024-4603 │
│ ├────────────────┼──────────┤ │ ├───────────────┼───────────────────────────────────────────────────────────┤
│ │ CVE-2024-2511 │ LOW │ │ │ 3.0.12-r5 │ openssl: Unbounded memory growth with session handling in │
│ │ │ │ │ │ │ TLSv1.3 │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2024-2511 │
├───────────────┼────────────────┼──────────┤ ├───────────────────┼───────────────┼───────────────────────────────────────────────────────────┤
│ ssl_client │ CVE-2023-42366 │ MEDIUM │ │ 1.35.0-r29 │ 1.35.0-r30 │ busybox: A heap-buffer-overflow │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2023-42366 │
└───────────────┴────────────────┴──────────┴────────┴───────────────────┴───────────────┴───────────────────────────────────────────────────────────┘
Steps to reproduce
Look at the package info for the packages that are showing as having vulnerabilities.
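The cross-architecture comparison described in this report can be scripted against each architecture's APKINDEX; the following is an added example, not part of the original issue or Alpine's own tooling. The index excerpts are constructed: the armv7 versions are the installed versions from the scan above, the x86_64 versions are assumed to equal the fixed versions, and `ver_key` is a simplification that handles only plain `X.Y.Z-rN` versions.

```python
import re

# Constructed APKINDEX excerpts: blank-line-separated stanzas of "K:value"
# lines (P = package, V = version, A = arch). The x86_64 versions are assumed.
X86_64_INDEX = """P:busybox
V:1.35.0-r30
A:x86_64

P:libcrypto3
V:3.0.13-r0
A:x86_64
"""
ARMV7_INDEX = """P:busybox
V:1.35.0-r29
A:armv7

P:libcrypto3
V:3.0.12-r4
A:armv7
"""

def parse_index(text):
    """Return {package: version} from APKINDEX text."""
    pkgs = {}
    for stanza in re.split(r"\n\s*\n", text.strip()):
        fields = dict(line.split(":", 1) for line in stanza.splitlines() if ":" in line)
        if "P" in fields and "V" in fields:
            pkgs[fields["P"]] = fields["V"]
    return pkgs

def ver_key(version):
    """Sort key for plain 'X.Y.Z-rN' versions only (not the full apk version rules)."""
    m = re.fullmatch(r"(\d+(?:\.\d+)*)-r(\d+)", version)
    if not m:
        raise ValueError(f"unsupported version format: {version}")
    return tuple(int(p) for p in m.group(1).split(".")), int(m.group(2))

def lagging(reference, target):
    """Packages whose target-arch version is missing or older than the reference arch."""
    out = []
    for name, ref_ver in sorted(reference.items()):
        tgt_ver = target.get(name)
        if tgt_ver is None or ver_key(tgt_ver) < ver_key(ref_ver):
            out.append((name, tgt_ver, ref_ver))
    return out

if __name__ == "__main__":
    for name, have, want in lagging(parse_index(X86_64_INDEX), parse_index(ARMV7_INDEX)):
        print(f"{name}: armv7 has {have}, x86_64 has {want}")
```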