CVE-2022-2068 for openssl version 3.0.2

[KafkaProServerless]

Hello team,

Just wanted to reach out with a small issue.

We build our projects, which are springboot 3.3.0-RC1, latest as of this writing, with maven and graalvm 22.0.1 latest as of this writing.
When we use mvn -Pnative spring-boot:build-image it pulls some buildpack images to build the final container.

The final container, while working fine, has been flagged by our internal scanners with a vulnerable openssl 3.0.2
Several CVEs are for this version of openssl.

May I ask if you could help bump openssl to the latest version?

Apologies if this issue is opened to the wrong buildpacks project. But as I am building springboot native image, I am not sure if this vulnerable openssl 3.0.2 is from springboot buildpack, native image buildpack, jammy tiny buildpack, or anything else.

Thank you

[dmikusa]

Our policy on updating the stacks (build & run images) is here -> https://paketo.io/docs/concepts/stacks/#when-are-paketo-stacks-updated

1. Make sure you're using the latest images (i.e. you don't have any versions pinned)
2. Make sure that you're using pull policy always when you build, this will force the build tools to check for newer images.

That should be it. If you're doing those two things, then you should get all of the latest fixes as soon as they are available.

If you have questions, you can look at the builder releases to see when the latest buildper was published. As I write this, it was about 10 hours ago. https://github.com/paketo-buildpacks/builder-jammy-tiny/releases

[loewenstein]

@KafkaProServerless If you us the latest builder version, then the most likely issue at hand is, that your scanner doesn't recognise Ubuntu patch versions and just reports vulnerabilities for the base OpenSSL 3.0.2.

[KafkaProServerless]

Checking both of your comments. Thanks a lot