update in progress for CVE-2022-0778 and CVE-2018-25032 #175
Comments
Well, we were going to wait for the Alpine 3.14.5 patch to be available in Docker, since we prefer for our own Docker images to be based simply on one OS version with as few changes as possible. But it seems to be taking a while for Alpine to release that, so we're going to do a more targeted patch for this by separately upgrading the affected libraries (openssl and libretls). Once 3.14.5 is available we will also do a patch to update to that, since there may be other improvements there as well.
Also, we just now started seeing a warning for CVE-2018-25032, without having changed any code, so I assume that that one only got into our security scanner's database a short time ago (despite the 2018 in the name, it was recently updated). So we'll address that as well.
Well, by the time we finished validating those individual patches, the Alpine 3.14.5 Docker image became available, so we will likely just be using that.
Released version 6.7.1.
Hi - this is from the LaunchDarkly team, to anyone who may have seen a security warning for CVE-2022-0778 on our current Docker images. This CVE was previously reported against Alpine 3.14.3, which we previously used in our images. At that time, we issued a patch to update to Alpine 3.14.4. However, the Alpine 3.14.4 release did not include a full fix for this issue and it was subsequently reported against that version.
As soon as a Docker image for Alpine 3.14.5 has been released, we will do a corresponding Relay Proxy release to update to that version, and we'll close this issue.
More specifically, this is a vulnerability in the OpenSSL version that is bundled in Alpine. It's our belief that this does not affect the Relay Proxy, because we are using the TLS/SSL implementation in the Go runtime, not OpenSSL. However, it's still our policy to issue a patch whenever a vulnerability is flagged.