Date: Mon, 03 Apr 2023 13:13:54 +0200
From: "alice"
To: "Haidar Deenmahomed (Proximity-Paris)", "~alpine/devel@lists.alpinelinux.org" <~alpine/devel@lists.alpinelinux.org>
Cc: "Kavish Roseeawon (Proximity-Paris)", "Alex Lacour (Proximity-Paris)", "Bonie Kathiana Coder (Proximity-Paris)", "Akshini Sibartie (Proximity-Paris)"
Subject: Re: [Vulnerability] CVE-2023-0464

On Mon Apr 3, 2023 at 1:07 PM CEST, Haidar Deenmahomed (Proximity-Paris) wrote:
>
> Hello,
>
> I am writing to bring to your attention a security vulnerability that was
> identified while running Jfrog Scan on a docker image based on Alpine 3.17. The

"based on" implies "nothing to do with us", as it's not just the "base image".
the 3.17.3 image has this fixed already.

> scan highlighted CVE-2023-0464, which has the potential to create a
> denial-of-service (DoS) attack on affected systems.

it was fixed in openssl 3.0.8-r1,
https://security.alpinelinux.org/vuln/CVE-2023-0464, 2 weeks ago. `apk upgrade`
is all one needs.

> I would like to know if there is an estimate of when this vulnerability will
> be addressed or any documentation that outlines the time estimates for fixing
> such issues. Please let me know if there are any actions I can take to help
> mitigate this risk in the meantime.
>
> Thank you for your prompt attention to this matter.
>
> Best regards,
> Haidar
>
> This email is intended only for the person or entity to which it is addressed
> and may contain information that is privileged, confidential or otherwise
> protected from disclosure. Dissemination, distribution, or copying of this
> email or the information herein by anyone other than the intended recipient,
> or an employee or agent responsible for delivering the message to the intended
> recipient, is prohibited. If you have received this email in error, please
> notify the sender immediately.
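
One way to confirm the reply's point on a given image, as an added example that is not part of the original thread: the functions read `apk info -v` style lines and list OpenSSL packages older than the 3.0.8-r1 named above. The package names libssl3 and libcrypto3, the sample package lists and the simplified numeric version comparison are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread): find OpenSSL packages that predate
# the fixed version named in the reply.
FIXED="3.0.8-r1"   # fixed version, taken from the reply

# Constructed sample package lists in "name-version" form.
SAMPLE_OLD='musl-1.2.3-r4
libcrypto3-3.0.8-r0
libssl3-3.0.8-r0'
SAMPLE_FIXED='musl-1.2.3-r4
libcrypto3-3.0.8-r1
libssl3-3.0.8-r1'

# stale_openssl: reads "name-version" lines on stdin and prints every
# OpenSSL package older than $FIXED as "name version".
# Assumptions: the relevant packages are openssl, libssl3 and libcrypto3;
# only numeric X.Y.Z-rN versions are compared, which is a simplification
# of apk's full version ordering.
stale_openssl() {
    awk -v fixed="$FIXED" '
    function key(v,    p) {
        # "3.0.8-r1" -> fields 3 0 8 1 -> fixed-width sortable string
        split(v, p, /[.r-]+/)
        return sprintf("%05d%05d%05d%05d", p[1], p[2], p[3], p[4])
    }
    match($0, /-[0-9][^-]*-r[0-9]+$/) {
        name = substr($0, 1, RSTART - 1)
        ver = substr($0, RSTART + 1)
        if (name ~ /^(openssl|libssl3|libcrypto3)$/ && key(ver) < key(fixed))
            print name, ver
    }'
}

# check_image: returns 0 when no OpenSSL package on stdin predates the fix,
# otherwise reports the stale packages on stderr and returns 1.
check_image() {
    stale=$(stale_openssl)
    if [ -n "$stale" ]; then
        printf 'older than %s, run apk upgrade:\n%s\n' "$FIXED" "$stale" >&2
        return 1
    fi
}

# Inside a container built from the image: apk info -v | check_image
```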