
Alpine-based sdk, runtime-deps with alpine-3.19 and alpine-3.20 are affected by CVE-2024-5535 #5653

@ChaosEngine


Describe the Bug

Alpine-based images use
libcrypto3 version 3.3.1-r0
libssl3 version 3.3.1-r0
which are reported to be susceptible to CVE-2024-5535.

Steps to Reproduce

Use the Anchore grype tool to scan an sdk or runtime-deps built image and you get something like this:

$ grype mcr.microsoft.com/dotnet/sdk:8.0-alpine
 ✔ Vulnerability DB                [no update available]
 ✔ Loaded image                    mcr.microsoft.com/dotnet/sdk:8.0-alpine
 ✔ Parsed image                    sha256:b11cdb741756c274313c967bbbdd97f1a6912b7162cfa2fd6865f04f460b6337
 ✔ Cataloged packages              [3817 packages]
 ✔ Scanned for vulnerabilities     [9 vulnerability matches]
   ├── by severity: 2 critical, 1 high, 2 medium, 1 low, 0 negligible (3 unknown)
   └── by status:   4 fixed, 5 not-fixed, 0 ignored
[0010]  WARN cataloger failed cataloger=sbom-cataloger error=sbom format not recognized location=/usr/share/powershell/.store/powershell.linux.alpine/7.4.3/powershell.linux.alpine/7.4.3/too
NAME          INSTALLED  FIXED-IN  TYPE  VULNERABILITY   SEVERITY
curl          8.5.0-r0             apk   CVE-2024-2398   High
curl          8.5.0-r0             apk   CVE-2024-0853   Medium
curl          8.5.0-r0             apk   CVE-2024-2004   Low
curl          8.5.0-r0             apk   CVE-2024-2466   Unknown
libcrypto3    3.1.5-r0   3.1.6-r0  apk   CVE-2024-5535   Critical
libcrypto3    3.1.5-r0   3.1.6-r0  apk   CVE-2024-4741   Unknown
libssl3       3.1.5-r0   3.1.6-r0  apk   CVE-2024-5535   Critical
libssl3       3.1.5-r0   3.1.6-r0  apk   CVE-2024-4741   Unknown
nghttp2-libs  1.58.0-r0            apk   CVE-2024-28182  Medium

Other Information

GitHub automated scanning caught this for me. Also, docker.com lists alpine as being affected here:

https://hub.docker.com/layers/library/alpine/3.20/images/sha256-dabf91b69c191a1a0a1628fd6bdd029c0c4018041c7f052870bb13c5a222ae76?context=repo&tab=vulnerabilities

Output of docker version

Output of docker info
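The report above mixes two OpenSSL version lines (3.3.1-r0 in the description, 3.1.5-r0 with a 3.1.6-r0 fix in the scan), which is the practical trap with Alpine: 3.19 ships the OpenSSL 3.1 series and 3.20 the 3.3 series, and each branch gets its own fix release, so a remediation pin has to come from a scan of the same base branch rather than from the upstream advisory. The script below is an added example, not code from the issue or from the dotnet-docker project. It turns a grype table into the `apk add` pin line for the packages that actually have a fix, and then checks an `apk info -v` listing from the rebuilt image against those fix versions so a partial upgrade (one of the two OpenSSL packages left behind) is caught. The table excerpt and the `apk info -v` lines are constructed for the demo; the `apk_vercmp` helper assumes purely numeric Alpine versions of the form MAJOR.MINOR.PATCH-rN, which holds for the openssl, curl and nghttp2 packages but not for every apk.

```shell
#!/bin/sh
# Added example (not from the issue or the dotnet-docker project): derive the apk pin
# line from a grype table and verify a rebuilt image against the scanner's FIXED-IN.

# Constructed excerpt in grype's table format, modelled on the report in this issue.
SAMPLE_TABLE='NAME          INSTALLED  FIXED-IN  TYPE  VULNERABILITY   SEVERITY
curl          8.5.0-r0             apk   CVE-2024-2398   High
libcrypto3    3.1.5-r0   3.1.6-r0  apk   CVE-2024-5535   Critical
libcrypto3    3.1.5-r0   3.1.6-r0  apk   CVE-2024-4741   Unknown
libssl3       3.1.5-r0   3.1.6-r0  apk   CVE-2024-5535   Critical
libssl3       3.1.5-r0   3.1.6-r0  apk   CVE-2024-4741   Unknown
nghttp2-libs  1.58.0-r0            apk   CVE-2024-28182  Medium'

# Compare two Alpine package versions written as MAJOR.MINOR.PATCH-rN (assumption:
# every component is numeric). Prints lt, eq or gt. "-rN" is folded in as a fourth
# component so 3.1.6-r1 sorts after 3.1.6-r0.
apk_vercmp() {
  av=$(printf '%s' "$1" | sed 's/-r/./')
  bv=$(printf '%s' "$2" | sed 's/-r/./')
  while [ -n "$av" ] || [ -n "$bv" ]; do
    ai=${av%%.*}; bi=${bv%%.*}
    [ "$ai" = "$av" ] && av='' || av=${av#*.}
    [ "$bi" = "$bv" ] && bv='' || bv=${bv#*.}
    ai=${ai:-0}; bi=${bi:-0}
    if [ "$ai" -lt "$bi" ]; then echo lt; return; fi
    if [ "$ai" -gt "$bi" ]; then echo gt; return; fi
  done
  echo eq
}

# Split an `apk info -v` line such as "nghttp2-libs-1.58.0-r0" into "name version".
# The release suffix is peeled off first so hyphenated package names survive.
split_apk_name() {
  rel=${1##*-r}; base=${1%-r*}
  echo "${base%-*} ${base##*-}-r$rel"
}

# Read a grype table on stdin and print "name installed fixed" once per package that
# has a FIXED-IN column (the "fixed" status in grype's summary). Rows without a fix,
# like curl and nghttp2-libs above, cannot be cleared by an apk upgrade on that branch.
fixable_pkgs() {
  awk 'NF == 6 && $3 ~ /^[0-9]/ { print $1, $2, $3 }' | sort -u |
  while read -r name installed fixed; do
    # Re-check the ordering rather than trusting the scanner blindly.
    if [ "$(apk_vercmp "$installed" "$fixed")" = lt ]; then
      echo "$name $installed $fixed"
    fi
  done
}

# Emit the Dockerfile-ready pin line for every fixable package from the table on stdin.
# apk honours ">=" constraints, so this fails the build instead of silently keeping
# the old version if the branch's repository does not carry the fix yet.
remediation_cmd() {
  pins=$(fixable_pkgs | awk '{ printf " '\''%s>=%s'\''", $1, $3 }')
  if [ -n "$pins" ]; then
    echo "apk add --no-cache$pins"
  fi
}

# Post-upgrade check: $1 is `apk info -v` output from the rebuilt image, stdin is the
# grype table from the original scan. Prints each fixable package whose installed
# version is still below FIXED-IN; prints nothing when the upgrade was complete.
still_vulnerable() {
  installed_list=$1
  fixable_pkgs | while read -r name _ fixed; do
    line=$(printf '%s\n' "$installed_list" |
      awk -v p="$name-" 'index($0, p) == 1 && substr($0, length(p) + 1, 1) ~ /[0-9]/' |
      head -n 1)
    if [ -n "$line" ]; then
      ver=$(split_apk_name "$line" | cut -d' ' -f2)
      if [ "$(apk_vercmp "$ver" "$fixed")" = lt ]; then
        echo "$name $ver < $fixed"
      fi
    fi
  done
}

# Demo on the constructed table: the pin line to add to the Dockerfile, then a check
# against a constructed image listing where only libssl3 was upgraded.
printf '%s\n' "$SAMPLE_TABLE" | remediation_cmd
printf '%s\n' "$SAMPLE_TABLE" |
  still_vulnerable "$(printf 'libcrypto3-3.1.5-r0\nlibssl3-3.1.6-r0\n')"
```

Against real images, source the file and feed it the scanner's default table output (`grype mcr.microsoft.com/dotnet/sdk:8.0-alpine -o table | remediation_cmd`), and collect the post-upgrade listing with `docker run --rm <rebuilt-image> apk info -v`. The pin line only makes sense for an image on the same Alpine branch as the scan: on an alpine-3.20 base the OpenSSL 3.3 series already satisfies `>=3.1.6-r0`, so that constraint would pass without proving anything about the 3.20 fix.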

Labels: area-dockerfiles (Concerns the official .NET Dockerfiles or Dockerfile templates), untriaged
Status: Done