# pact-broker
m
Hi Everyone, I was trying to find out if there is an open issue to patch the OpenSSL vulnerability, particularly for the Pact-Broker Dockerfile using Alpine 3.15 below. Please let me know if this is not the right forum to post this question and direct me in the right direction. Thank you, Matthew. https://github.com/pact-foundation/pact_broker/blob/88b7df42ea593c20315d06a0206795ccaaf752a3/Dockerfile#L1 Docker image vulnerability page: https://dso.docker.com/cve/DSA-2022-0001 CVE: https://dso.docker.com/cve/CVE-2022-3602
y
Hey, have you checked the repo? That is where issues tend to be reported for visibility and action. You can also fork the repository and provide a patch easily once tested.
m
Gotcha. Yes I was looking through the repo->issues and I didn’t see any issue related to the OpenSSL vulnerability.
And searching through Pact Foundation slack didn’t yield any results.
Would the best thing to do be to report the issue in the repo and try forking it to see if I can patch it?
t
That would be amazing, yes please
b
PRs welcome!
I can put out a new release as soon as the PR is done.
I can see that there was a push to 2.7.6-alpine3.15 8 days ago, so it’s possible that it’s been fixed in the base image already.
I’ve kicked off the release workflow - that may just be all we need to do.
2.105.0.1 is out now. It passed the trivy scan, so I assume it has the SSL fix in it.
m
And I pulled in the latest image 2.105.0.1 and see that the Alpine version was 3.16.2, so I think it’s fixed.
/ # cat /etc/os-release
NAME="Alpine Linux"
ID=alpine
VERSION_ID=3.16.2
PRETTY_NAME="Alpine Linux v3.16"
y
Thanks for checking this @matt few. I noted the pact-broker-docker repo doesn't have a security readme: https://github.com/pact-foundation/pact-broker-docker Do you think that would have helped you for guidance in how to go about reporting, and potentially resolving? https://docs.github.com/en/code-security/getting-started/adding-a-security-policy-to-your-repository
> Would the best thing to do be to report the issue in the repo and try forking it to see if I can patch it?
Also, to echo @Timothy Jones’ encouragement, this is literally the dream for any open source project/maintainers.
m
Yes, I think that would help in guiding me on how to approach this. I did the usual search in the repo and issues to find anything related to the vulnerability, and also a lot of googling. I just didn’t know what the next step was after that, so I posted the question here.