OpenSSL 1.1.1x for CVE-2023-5678 #246
Thanks for the heads-up on that... unfortunately this is a tricky situation as This is because See this upstream OpenResty issue regarding upgrading OpenSSL to the 3.0 series. I'm going to leave the ticket open because operators should be aware of CVEs in their software.
CVE-2023-5678 (cve.org) link led me to CVE-2023-5678 (NIST), which led me to the following:
Thanks for these breadcrumbs! I would feel more comfortable if upstream OpenResty pulled this patch and then this project would apply it across all the flavors. But we do patch OpenSSL in our built-from-source builds, so we could apply that patch. I'll consider doing this.
Looking at the latest openresty containers on Docker Hub, it looks like openresty is using RESTY_OPENSSL_VERSION=1.1.1w. I am wondering if there are any plans to update OpenSSL to the next version since there are CVEs against it (such as CVE-2023-5678).
Note: the alpine images that these containers are based off of have already addressed this issue, so I think this is just a matter of flipping the version in the openresty application.