Opened 5 years ago

Closed 5 years ago

#703 closed defect (invalid)

Official nginx Docker images use OpenSSL 1.0.1e

Reported by: keunwoo@… Owned by:
Priority: minor Milestone:
Component: other Version: 1.7.x
Keywords: Cc:
uname -a:
$ docker run nginx:latest uname -a
Linux ec4c56ef5a4b 3.13.0-39-generic #66-Ubuntu SMP Tue Oct 28 13:30:27 UTC 2014 x86_64 GNU/Linux

nginx -V:
$ docker run nginx:latest nginx -V
nginx version: nginx/1.7.9
built by gcc 4.7.2 (Debian 4.7.2-5)
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-http_ssl_module --with-http_realip_module --with-http_addition_module --with-http_sub_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_random_index_module --with-http_secure_link_module --with-http_stub_status_module --with-http_auth_request_module --with-mail --with-mail_ssl_module --with-file-aio --with-http_spdy_module --with-cc-opt='-g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2' --with-ld-opt='-Wl,-z,relro -Wl,--as-needed' --with-ipv6

Description

Steps to reproduce:

$ docker pull nginx:latest
$ docker run -d nginx:latest                  # prints the container id used on the next line
$ docker cp <containerid>:/usr/lib/x86_64-linux-gnu/libssl.so.1.0.0 .
$ strings libssl.so.1.0.0 | grep 'OpenSSL'    # shows the upstream version string baked into the library

I don't think the Docker image uses statically linked OpenSSL (in any case it would be surprising to bundle the .so if it did); see nginx -V reproduced below.

nginx should publish an image containing OpenSSL 1.0.1g or later (cf. Heartbleed).

Change History (1)

comment:1 Changed 5 years ago by thresh

  • Resolution set to invalid
  • Status changed from new to closed

That is not a correct way to check whether OpenSSL vulnerabilities are fixed in that particular library. Debian Wheezy (which is what the nginx official image is based on) fixed it long ago by backporting a patch without changing the library version.

For more information, please refer to:
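The check thresh's comment points to, as an added example that is not part of the ticket or of the nginx project: on Debian the upstream OpenSSL version string (what `strings libssl.so.1.0.0 | grep OpenSSL` reports) never changes when a fix is backported, only the Debian revision after the hyphen does, and the package changelog names the CVE IDs each revision fixes. The script below parses a constructed changelog excerpt embedded inline (modelled on a Debian security-update entry; the version 1.0.1e-2+deb7u5 is the wheezy version Debian's advisory DSA-2896-1 named for the Heartbleed fix, the timestamp and wording are made up) and the function names are my own. On a real container you would feed it the output of the two docker commands noted in the comments instead.

```shell
#!/bin/sh
# Added example: is a CVE fixed in a Debian-packaged OpenSSL, regardless of the
# upstream version string? Runs offline on constructed data. On a wheezy-based
# nginx container the real inputs come from:
#   docker run --rm nginx:latest dpkg-query -W -f='${Version}\n' libssl1.0.0
#   docker run --rm nginx:latest sh -c 'zcat /usr/share/doc/libssl1.0.0/changelog.Debian.gz'

# Constructed changelog excerpt (newest entry first), in Debian changelog format.
# Note the upstream part stays 1.0.1e; only the "+deb7uN" revision advances.
SAMPLE_CHANGELOG='openssl (1.0.1e-2+deb7u5) wheezy-security; urgency=high

  * Non-maintainer upload by the Security Team.
  * Add CVE-2014-0160.patch patch.
    CVE-2014-0160: fix TLS/DTLS heartbeat read overrun (Heartbleed).

 -- Security Team <team@security.debian.org>  Mon, 07 Apr 2014 22:48:00 +0200

openssl (1.0.1e-2+deb7u4) wheezy-security; urgency=high

  * Earlier security fixes.
'

# upstream_version VERSION: strip the epoch ("1:") and the Debian revision.
# "1.0.1e-2+deb7u5" -> "1.0.1e". This is all the .so version string tells you,
# which is why grepping it says nothing about backported fixes.
upstream_version() {
    v="${1#*:}"
    printf '%s\n' "${v%%-*}"
}

# debian_revision VERSION: the distribution part that changes when a fix is backported.
# "1.0.1e-2+deb7u5" -> "2+deb7u5"; empty when there is no revision.
debian_revision() {
    case "$1" in
        *-*) printf '%s\n' "${1#*-}" ;;
        *)   printf '%s\n' "" ;;
    esac
}

# cve_fixed_in_changelog CHANGELOG CVE-ID: exit 0 if the changelog names the CVE.
# Debian entries list the CVE IDs they fix, so this answers "is Heartbleed fixed
# in this package?" independently of the OpenSSL version string.
cve_fixed_in_changelog() {
    printf '%s\n' "$1" | grep -q -- "$2"
}

# first_fixed_version CHANGELOG CVE-ID: package version of the newest entry that
# names the CVE (entries are newest-first; the version is the parenthesised token
# on each "package (version) distribution; ..." header line).
first_fixed_version() {
    printf '%s\n' "$1" | awk -v cve="$2" '
        /^[a-z0-9.+-]+ \(/ { ver = $2; sub(/^\(/, "", ver); sub(/\)$/, "", ver) }
        index($0, cve)     { print ver; exit }
    '
}

# Demo on the constructed data (on a real host: VER=$(dpkg-query -W -f='${Version}' libssl1.0.0)).
VER='1.0.1e-2+deb7u5'
echo "upstream: $(upstream_version "$VER")   debian revision: $(debian_revision "$VER")"
if cve_fixed_in_changelog "$SAMPLE_CHANGELOG" CVE-2014-0160; then
    echo "CVE-2014-0160 fixed in $(first_fixed_version "$SAMPLE_CHANGELOG" CVE-2014-0160)"
else
    echo "CVE-2014-0160 not mentioned in changelog: treat as unfixed"
fi
```

The same distinction applies to any distribution that backports security patches: compare the package version against the version named in the distribution's advisory (or grep the package changelog for the CVE), and treat the upstream version string embedded in the binary as informational only.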
