CVE-2020-28928

[KiperUladzislau]

How soon new image with new version of musl lib will be to get rid of CVE-2020-28928?
https://gitlab.alpinelinux.org/alpine/aports/-/issues/12123

[bharathappali]

The musl version in the alpine latest docker images is 1.1.24

musl libc (x86_64)
Version 1.1.24
Dynamic Program Loader
Usage: /lib/ld-musl-x86_64.so.1 [options] [--] pathname [args]

The issue link provided states that fix is added from 1.2.2.

How soon new image with new version of musl lib

I'm expecting as soon as the alpine docker images gets updated with the preferred musl libc version which solves the issue.

Another possible solution for a quick fix is to build musl with the patch mentioned and replace the existing musl libc in the image. Which I feel not a better resolution for the problem.

I would like to invite @dinogun to provide more info on this

[stepan-prokipchyn-vitech]

Hey, what is the status of this ticket? Looks like the musl is still not updated

[karianna]

We released alpine 3.14 images which I believe have the fix.

[stepan-prokipchyn-vitech]

Thank you @karianna for quick response. Sorry, I'm not familiar with release cadence. When do you think this could be available in adoptopenjdk/openjdk11:alpine-slim image?

[stepan-prokipchyn-vitech]

OK, it is already there and musl is upgraded:

$ docker run --entrypoint="" --rm -it <image_id>/lib/libc.musl-x86_64.so.1
musl libc (x86_64)
Version 1.2.2
Dynamic Program Loader
Usage: /lib/libc.musl-x86_64.so.1 [options] [--] pathname [args]

However it seems like some vulnerability scanners think that v1.2.2 still suffer from CVE-2020-28928. AWS ECR scanner is one of them.

On the other hand official musl website says that CVE-2020-28928 is fixed in v1.2.2

[karianna]

OK, it is already there and musl is upgraded:

$ docker run --entrypoint="" --rm -it <image_id>/lib/libc.musl-x86_64.so.1
musl libc (x86_64)
Version 1.2.2
Dynamic Program Loader
Usage: /lib/libc.musl-x86_64.so.1 [options] [--] pathname [args]

However it seems like some vulnerability scanners think that v1.2.2 still suffer from CVE-2020-28928. AWS ECR scanner is one of them.

On the other hand official musl website says that CVE-2020-28928 is fixed in v1.2.2

Probably best to raise that with the scanner folks and/or musl folks :-).