
Security Vulnerability: Alpine Linux 3.20, 3.21 - openssl Man-in-the-Middle Vulnerability - 3.3.3-r0 #364

@shwethadec01

We have found a security vulnerability w.r.t. OpenSSL for NVIDIA/CUDA. Kindly have a look and provide the fix.

Summary

Inclusion of vulnerable OpenSSL from Alpine base image

Details

TLS and DTLS connections using raw public keys may be vulnerable to man-in-middle attacks when server authentication failure is not detected by clients. RPKs are disabled by default in both TLS clients and TLS servers. Clients using RFC7250 Raw Public Keys (RPKs) to authenticate a server may fail to notice that the server was not authenticated, because handshakes don't abort as expected when the SSL_VERIFY_PEER verification mode is set. [CVE-2024-12797]

Vendor Affected Components:

Alpine Linux: 3.20
Alpine Linux: 3.21

Action Required

Upgrade the base Alpine image and ensure OpenSSL is patched.

CVEs:

CVE-2024-12797
