Opened 10 years ago
Closed 10 years ago
#703 closed defect (invalid)
Official nginx Docker images use OpenSSL 1.0.1e
Reported by: | Keunwoo Lee | Owned by: | |
---|---|---|---|
Priority: | minor | Milestone: | |
Component: | other | Version: | 1.7.x |
Keywords: | | Cc: | |

uname -a:
$ docker run nginx:latest uname -a
Linux ec4c56ef5a4b 3.13.0-39-generic #66-Ubuntu SMP Tue Oct 28 13:30:27 UTC 2014 x86_64 GNU/Linux

nginx -V:
$ docker run nginx:latest nginx -V
nginx version: nginx/1.7.9
built by gcc 4.7.2 (Debian 4.7.2-5)
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-http_ssl_module --with-http_realip_module --with-http_addition_module --with-http_sub_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_random_index_module --with-http_secure_link_module --with-http_stub_status_module --with-http_auth_request_module --with-mail --with-mail_ssl_module --with-file-aio --with-http_spdy_module --with-cc-opt='-g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2' --with-ld-opt='-Wl,-z,relro -Wl,--as-needed' --with-ipv6

Description
Steps to reproduce:
$ docker pull nginx:latest
$ docker run -d nginx:latest
$ docker cp <containerid>:/usr/lib/x86_64-linux-gnu/libssl.so.1.0.0 .
$ strings libssl.so.1.0.0 |grep 'OpenSSL'
I don't think the Docker image uses statically linked OpenSSL (in any case it would be surprising to bundle the .so if it did); see nginx -V reproduced below.
nginx should publish an image containing OpenSSL 1.0.1g or later (cf. Heartbleed).
This is not a correct way to check whether OpenSSL vulnerabilities are fixed in that particular library. Debian Wheezy (which is what the official nginx image is based on) fixed it long ago by backporting a patch without changing the library version.
For more information, please refer to: