Received: from mail-ed1-x531.google.com (mail-ed1-x531.google.com [IPv6:2a00:1450:4864:20::531])
	by gbr-app-1.alpinelinux.org (Postfix) with ESMTPS id 28C15225CCC
	for <~alpine/users@lists.alpinelinux.org>; Fri,  6 Sep 2024 15:56:09 +0000 (UTC)
Received: by mail-ed1-x531.google.com with SMTP id 4fb4d7f45d1cf-5bef295a429so2446172a12.2
        for <~alpine/users@lists.alpinelinux.org>; Fri, 06 Sep 2024 08:56:09 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=kubra.com; s=google; t=1725638166; x=1726242966; darn=lists.alpinelinux.org;
        h=content-transfer-encoding:cc:to:subject:message-id:date:from
         :in-reply-to:references:mime-version:from:to:cc:subject:date
         :message-id:reply-to;
        bh=0EdkEE3V910UagAz0ffSFGOFuBBQq6St7v3jI9JoB4A=;
        b=F0e9G01L0mIGocNxa2rfrFqxUeQFsJSZ29Gx/LryTufKb6lya1vMUVK5DevOHXr65t
         W96oA+O/Bk7LGyabg0EeXaU0UdmLbPbdg827vMZfUG9A8EewRw7HXhZ1QRHu5qcFFE/v
         YvUggLBmL9nx3xvxohJmZWiIvvbSyQfAd4BKY=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20230601; t=1725638166; x=1726242966;
        h=content-transfer-encoding:cc:to:subject:message-id:date:from
         :in-reply-to:references:mime-version:x-gm-message-state:from:to:cc
         :subject:date:message-id:reply-to;
        bh=0EdkEE3V910UagAz0ffSFGOFuBBQq6St7v3jI9JoB4A=;
        b=DcL1Zku7mnEDnCraktKnrbopd/C85V8cX3v9obrCLJh2oSjP5cxRM8A3o1/e9bbyNz
         wVkfy2HRYwMh0MP1pRr/OPCWOZD/ytanJcU8yT2w9nFRHx6Ls60Kdmdg1GO2/sGgQiEU
         FsMgDSQdjo+aQR67ETQX2kyjqNP2xPHuHGXe70qiaKs2WoukEtkPbSgxUr/OKDOc+dto
         DoGsT3MPFY7WL7WU61FCsNdrukSMzYv9xd8uH7FGgKf65tLA6elrLSrLXb4L9AbDiYBI
         PYqG7ozUyKK7dU2OcfbEJO6vaRUasUvascGYcJlvuVvJCo1aqLFADD27VXvpYKzUqlF8
         vLqw==
X-Gm-Message-State: AOJu0YzcUHz9QPRpSHOLzFLjrXKUt1olWRS2thSCY/2cX2Iq9jlnbEd+
	llQ7en7xZ33ZCee0xrHni/jnbxxXumJIrYxLC3+OW0FzCps93j51fRGz4nATpOAqcwd3ANkA5bw
	FjKGBL0m01F7Oty8z7uUl2NMAzQ8lT506K0Wj
X-Google-Smtp-Source: AGHT+IFe45gfqYMUxoN3eARsm4HitAt3XrKCVX6U03/pCScJh3Aj4hAGF+4gVXqg3okzCgB44V7M2+5ClqRU/Nz58Gw=
X-Received: by 2002:a05:6402:5207:b0:5c0:adad:98a2 with SMTP id
 4fb4d7f45d1cf-5c3dc7802afmr2034762a12.1.1725638165911; Fri, 06 Sep 2024
 08:56:05 -0700 (PDT)
MIME-Version: 1.0
References: <CAA_o3bYVNjcjV3Cw+Pj1J-_xjDs+FLki_Yzh1xDvR0TP_USKbw@mail.gmail.com>
 <CAD+eXGR-4Z8ibXUXaWWSQha=AtzeA0zMvU4+OTkjK6tDE+Ci_g@mail.gmail.com>
In-Reply-To: <CAD+eXGR-4Z8ibXUXaWWSQha=AtzeA0zMvU4+OTkjK6tDE+Ci_g@mail.gmail.com>
From: Rick Hanton <rick.hanton@kubra.com>
Date: Fri, 6 Sep 2024 08:55:38 -0700
Message-ID: <CAA_o3bYY3pMPRNX5P0FeKvxx9e7tS9NCHbqNL8PS8GSPTy7DWQ@mail.gmail.com>
Subject: Re: Curious about next alpine release after 3.20.2
To: Konstantin Kulikov <k.kulikov2@gmail.com>
Cc: ~alpine/users@lists.alpinelinux.org
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

Konstantin,

Aha, perfect - I was wondering when the APK upgrade would pick it up,
thanks for answering that.

To Pete's question, we're running Sysdig Secure scans on our docker
containerized (Java) services built on alpine-linux after the
container is built. Sysdig is able to both introspect the .jar package
[lib folder] for vulnerable dependencies and also analyzes the linux
operating system. Most of the time the findings are due to application
dependency issues, but occasionally something like this issue with the
expat lib comes up on the O/S. We do run an updated build of our
underlying container once a day and part of that build process runs
apk upgrade, so thanks to Celeste and others for pushing the update to
aports master quickly!

Thanks,
Rick Hanton

Rick Hanton
Sr. Manager, Communications Product Engineering, KUBRA
P: 651.747.5864 E: rick.hanton@kubra.com


*This email message, and any attachments, is intended only for the
named recipient(s)
and may contain information that is privileged and confidential. If
you have received this
message in error, please immediately notify the sender and delete this
email message.


On Fri, Sep 6, 2024 at 2:13=E2=80=AFAM Konstantin Kulikov <k.kulikov2@gmail=
.com> wrote:
>
> Update was merged in 3.20 branch, no need to wait for a new tag. Run
> apk upgrade on affected systems.
>
> On Thu, Sep 5, 2024 at 8:40=E2=80=AFPM Rick Hanton <rick.hanton@kubra.com=
> wrote:
> >
> > Hi folks, new to the mailing list but was just trying to understand
> > the normal pattern for patch releases of Alpine. It seemed like
> > releases usually were happening the 2nd/3rd week of each month until
> > there was none in August.
> >
> > I have a security dependency scanner screaming about CVE-2024-45490,
> > CVE-2024-45491, & CVE-2024-45492 that it looks like Celeste patched a
> > few hours ago in
> > https://git.alpinelinux.org/aports/commit/?id=3D342f67bbfd2ade7f7582ca7=
e1ad878ec41181997
> >
> > I was just wondering if there is any estimate of when the next patch
> > release of 3.20.x might occur with Celeste's fix so I can mute the
> > scanner till approximately that date. Thanks for the help!
> >
> > Rick Hanton