~alpine/devel

3 2

RE: [Vulnerability] CVE-2023-0464

Haidar Deenmahomed (Proximity-Paris) <haidar.deenmahomed@proximity.fr>
Details
Message ID
<SN1PR18MB2093CB3A135E5EDA9F61C7EDE1929@SN1PR18MB2093.namprd18.prod.outlook.com>
DKIM signature
missing
Download raw message
1 year, 1 month ago 
Hello,

I am writing to bring to your attention a security vulnerability that was identified while running Jfrog Scan on a docker image based on Alpine 3.17. The scan highlighted CVE-2023-0464, which has the potential to create a denial-of-service (DoS) attack on affected systems.

I would like to know if there is an estimate of when this vulnerability will be addressed or any documentation that outlines the time estimates for fixing such issues. Please let me know if there are any actions I can take to help mitigate this risk in the meantime.

Thank you for your prompt attention to this matter.

Best regards,
Haidar

This email is intended only for the person or entity to which it is addressed and may contain information that is privileged, confidential or otherwise protected from disclosure. Dissemination, distribution, or copying of this email or the information herein by anyone other than the intended recipient, or an employee or agent responsible for delivering the message to the intended recipient, is prohibited. If you have received this email in error, please notify the sender immediately.

RE: [Vulnerability] CVE-2023-0464

Haidar Deenmahomed (Proximity-Paris) <haidar.deenmahomed@proximity.fr>
Details
Message ID
<SN1PR18MB2093D628F72D40DA4F2D7C7AE1929@SN1PR18MB2093.namprd18.prod.outlook.com>
In-Reply-To
<SN1PR18MB2093CB3A135E5EDA9F61C7EDE1929@SN1PR18MB2093.namprd18.prod.outlook.com> (view parent)
DKIM signature
missing
Download raw message
1 year, 1 month ago 
Hello,

I am writing to bring to your attention a security vulnerability that was identified while running Jfrog Scan on a docker image based on Alpine 3.17. The scan highlighted CVE-2023-0464, which has the potential to create a denial-of-service (DoS) attack on affected systems.

I would like to know if there is an estimate of when this vulnerability will be addressed or any documentation that outlines the time estimates for fixing such issues. Please let me know if there are any actions I can take to help mitigate this risk in the meantime.

Thank you for your prompt attention to this matter.

Best regards,
Haidar

This email is intended only for the person or entity to which it is addressed and may contain information that is privileged, confidential or otherwise protected from disclosure. Dissemination, distribution, or copying of this email or the information herein by anyone other than the intended recipient, or an employee or agent responsible for delivering the message to the intended recipient, is prohibited. If you have received this email in error, please notify the sender immediately.

Re: [Vulnerability] CVE-2023-0464

alice <alice@ayaya.dev>
Details
Message ID
<CRN2RXJEYBCF.2CP9H7KLNR80Z@sumire>
In-Reply-To
<SN1PR18MB2093CB3A135E5EDA9F61C7EDE1929@SN1PR18MB2093.namprd18.prod.outlook.com> (view parent)
DKIM signature
missing
Download raw message
1 year, 1 month ago 
On Mon Apr 3, 2023 at 1:07 PM CEST, Haidar Deenmahomed (Proximity-Paris) wrote:
>
> Hello,
>
> I am writing to bring to your attention a security vulnerability that was
> identified while running Jfrog Scan on a docker image based on Alpine 3.17. The

"based on" implies "nothing to do with us", as it's not just the "base image".
the 3.17.3 image has this fixed already.

> scan highlighted CVE-2023-0464, which has the potential to create a denial-of-
> service (DoS) attack on affected systems.

it was fixed in openssl 3.0.8-r1, https://security.alpinelinux.org/vuln/CVE-2023-0464,
2 weeks ago. `apk upgrade` is all one needs.

> I would like to know if there is an estimate of when this vulnerability will
> be addressed or any documentation that outlines the time estimates for fixing
> such issues. Please let me know if there are any actions I can take to help
> mitigate this risk in the meantime.
>
> Thank you for your prompt attention to this matter.
>
> Best regards,
> Haidar
>
> This email is intended only for the person or entity to which it is addressed
> and may contain information that is privileged, confidential or otherwise
> protected from disclosure. Dissemination, distribution, or copying of this
> email or the information herein by anyone other than the intended recipient,
> or an employee or agent responsible for delivering the message to the intended
> recipient, is prohibited. If you have received this email in error, please
> notify the sender immediately.

RE: [Vulnerability] CVE-2023-0464

Haidar Deenmahomed (Proximity-Paris) <haidar.deenmahomed@proximity.fr>
Details
Message ID
<SN1PR18MB20937C418C9D5450909F6317E1929@SN1PR18MB2093.namprd18.prod.outlook.com>
In-Reply-To
<CRN2RXJEYBCF.2CP9H7KLNR80Z@sumire> (view parent)
DKIM signature
missing
Download raw message
1 year, 1 month ago 
Thanks for your prompt reply.


Will check it.


Cheers,
Haidar

-----Original Message-----
From: alice <alice@ayaya.dev>
Sent: Monday, 3 April 2023 15:14
To: Haidar Deenmahomed (Proximity-Paris) <haidar.deenmahomed@proximity.fr>; ~alpine/devel@lists.alpinelinux.org
Cc: Kavish Roseeawon (Proximity-Paris) <kavish.roseeawon@proximity.fr>; Alex Lacour (Proximity-Paris) <alex.lacour@proximity.fr>; Bonie Kathiana Coder (Proximity-Paris) <bonie.coder@proximity.fr>; Akshini Sibartie (Proximity-Paris) <akshini.sibartie@proximity.fr>
Subject: Re: [Vulnerability] CVE-2023-0464

On Mon Apr 3, 2023 at 1:07 PM CEST, Haidar Deenmahomed (Proximity-Paris) wrote:
>
> Hello,
>
> I am writing to bring to your attention a security vulnerability that
> was identified while running Jfrog Scan on a docker image based on
> Alpine 3.17. The

"based on" implies "nothing to do with us", as it's not just the "base image".
the 3.17.3 image has this fixed already.

> scan highlighted CVE-2023-0464, which has the potential to create a
> denial-of- service (DoS) attack on affected systems.

it was fixed in openssl 3.0.8-r1, https://security.alpinelinux.org/vuln/CVE-2023-0464,
2 weeks ago. `apk upgrade` is all one needs.

> I would like to know if there is an estimate of when this
> vulnerability will be addressed or any documentation that outlines the
> time estimates for fixing such issues. Please let me know if there are
> any actions I can take to help mitigate this risk in the meantime.
>
> Thank you for your prompt attention to this matter.
>
> Best regards,
> Haidar
>
> This email is intended only for the person or entity to which it is
> addressed and may contain information that is privileged, confidential
> or otherwise protected from disclosure. Dissemination, distribution,
> or copying of this email or the information herein by anyone other
> than the intended recipient, or an employee or agent responsible for
> delivering the message to the intended recipient, is prohibited. If
> you have received this email in error, please notify the sender immediately.

This email is intended only for the person or entity to which it is addressed and may contain information that is privileged, confidential or otherwise protected from disclosure. Dissemination, distribution, or copying of this email or the information herein by anyone other than the intended recipient, or an employee or agent responsible for delivering the message to the intended recipient, is prohibited. If you have received this email in error, please notify the sender immediately.
Reply to thread Export thread (mbox)