~alpine/users

Curious about next alpine release after 3.20.2

Message ID: <CAA_o3bYVNjcjV3Cw+Pj1J-_xjDs+FLki_Yzh1xDvR0TP_USKbw@mail.gmail.com>
DKIM signature: missing

Hi folks, new to the mailing list but was just trying to understand
the normal pattern for patch releases of Alpine. It seemed like
releases usually were happening the 2nd/3rd week of each month until
there was none in August.

I have a security dependency scanner screaming about CVE-2024-45490,
CVE-2024-45491, & CVE-2024-45492 that it looks like Celeste patched a
few hours ago in
https://git.alpinelinux.org/aports/commit/?id=342f67bbfd2ade7f7582ca7e1ad878ec41181997

I was just wondering if there is any estimate of when the next patch
release of 3.20.x might occur with Celeste's fix so I can mute the
scanner till approximately that date. Thanks for the help!

Rick Hanton
Konstantin Kulikov <k.kulikov2@gmail.com>
Message ID: <CAD+eXGR-4Z8ibXUXaWWSQha=AtzeA0zMvU4+OTkjK6tDE+Ci_g@mail.gmail.com>
In-Reply-To: <CAA_o3bYVNjcjV3Cw+Pj1J-_xjDs+FLki_Yzh1xDvR0TP_USKbw@mail.gmail.com>
DKIM signature: missing

Update was merged in 3.20 branch, no need to wait for a new tag. Run
apk upgrade on affected systems.

On Thu, Sep 5, 2024 at 8:40 PM Rick Hanton <rick.hanton@kubra.com> wrote:
>
> Hi folks, new to the mailing list but was just trying to understand
> the normal pattern for patch releases of Alpine. It seemed like
> releases usually were happening the 2nd/3rd week of each month until
> there was none in August.
>
> I have a security dependency scanner screaming about CVE-2024-45490,
> CVE-2024-45491, & CVE-2024-45492 that it looks like Celeste patched a
> few hours ago in
> https://git.alpinelinux.org/aports/commit/?id=342f67bbfd2ade7f7582ca7e1ad878ec41181997
>
> I was just wondering if there is any estimate of when the next patch
> release of 3.20.x might occur with Celeste's fix so I can mute the
> scanner till approximately that date. Thanks for the help!
>
> Rick Hanton

Message ID: <CAA_o3bYY3pMPRNX5P0FeKvxx9e7tS9NCHbqNL8PS8GSPTy7DWQ@mail.gmail.com>
In-Reply-To: <CAD+eXGR-4Z8ibXUXaWWSQha=AtzeA0zMvU4+OTkjK6tDE+Ci_g@mail.gmail.com>
DKIM signature: missing

Konstantin,

Aha, perfect - I was wondering when the APK upgrade would pick it up,
thanks for answering that.

To Pete's question, we're running Sysdig Secure scans on our docker
containerized (Java) services built on alpine-linux after the
container is built. Sysdig is able to both introspect the .jar package
[lib folder] for vulnerable dependencies and also analyzes the linux
operating system. Most of the time the findings are due to application
dependency issues, but occasionally something like this issue with the
expat lib comes up on the O/S. We do run an updated build of our
underlying container once a day and part of that build process runs
apk upgrade, so thanks to Celeste and others for pushing the update to
aports master quickly!

Thanks,
Rick Hanton

Rick Hanton
Sr. Manager, Communications Product Engineering, KUBRA
P: 651.747.5864 E: rick.hanton@kubra.com

On Fri, Sep 6, 2024 at 2:13 AM Konstantin Kulikov <k.kulikov2@gmail.com> wrote:
>
> Update was merged in 3.20 branch, no need to wait for a new tag. Run
> apk upgrade on affected systems.
>
> On Thu, Sep 5, 2024 at 8:40 PM Rick Hanton <rick.hanton@kubra.com> wrote:
> >
> > Hi folks, new to the mailing list but was just trying to understand
> > the normal pattern for patch releases of Alpine. It seemed like
> > releases usually were happening the 2nd/3rd week of each month until
> > there was none in August.
> >
> > I have a security dependency scanner screaming about CVE-2024-45490,
> > CVE-2024-45491, & CVE-2024-45492 that it looks like Celeste patched a
> > few hours ago in
> > https://git.alpinelinux.org/aports/commit/?id=342f67bbfd2ade7f7582ca7e1ad878ec41181997
> >
> > I was just wondering if there is any estimate of when the next patch
> > release of 3.20.x might occur with Celeste's fix so I can mute the
> > scanner till approximately that date. Thanks for the help!
> >
> > Rick Hanton