Luajit critical vulnerability preventing us from building out docker image

My Company’s EIS group is blocking our ability to build a new version of Kong 3.7.1 which relies on

archive-ubuntu/ubuntu/pool/universe/l/lua5.1/liblua5.1-0_5.1.5-9build2_amd64.deb

and

archive-ubuntu/ubuntu/pool/universe/l/lua5.1/lua5.1_5.1.5-9build2_amd64.deb

cve is CVE-2020-15889

is there a luajit version that has this remediated or a timetable for a fix?

@dgresham I’m investigating.

@rick just for additional context, we are needing to build a noble image as the current kong provided image is based on ubuntu-jammy, which has an open ssl critical vulnerability that was addressed with noble. And this week we got blocked by the cve I mentioned in the original ask.

cve for open ssl is CVE-2024-5535

is kong going to provide a new image based on noble to address this cve?

also, per the noble ask, my colleague, jeremy justice posted an issue on using noble

created a pr that could be reviewed to move to noble

Thank you @dgresham

Regarding CVE-2024-5535, the next version of kong (3.9.0) will be on openssl 3.2.3, which has the fix for this CVE. If you wish you can update the .requirements file and build with that version of openssl now. See chore(deps): bump openssl to 3.2.3 (#13623) · Kong/kong@f03ea81 · GitHub for reference.

The kong.deb package does not rely on the distro packages for these libraries. Kong builds and statically links its own luajit and openssl and not the libraries provided by the distro. If you’d like to resolve the openssl cve, you would need to build kong from source.

According to a colleague, Kong is not susceptible to CVE-2020-15889, which is a vulnerability in lua 5.4.0. That may be the version in jammy, but that is not what kong uses, which is found here in the filesystem: /usr/local/openresty/luajit/lib
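The two answers above make a point that a scanner-driven block misses: the distro liblua/libssl packages a scanner flags are not what the Kong binary actually executes, because Kong links its own LuaJIT and OpenSSL statically. The script below is an added example for checking that on a built image; it is not Kong's own tooling and not code from this thread. It assumes the OpenResty nginx binary lives at /usr/local/openresty/nginx/sbin/nginx (the thread only gives the luajit library path) and that `openresty -V` reports the OpenSSL it was built with; the `ldd` and `-V` outputs below are constructed samples so the script runs offline. On a real image you would replace the two sample variables with `ldd "$NGINX_BIN"` and `openresty -V 2>&1`.

```shell
#!/bin/sh
# Added example (not from the thread): decide whether a Kong/OpenResty binary
# actually loads the distro libssl/liblua at run time, and whether the
# statically linked OpenSSL meets a minimum version such as 3.2.3.

# Assumed binary path; the thread only mentions /usr/local/openresty/luajit/lib.
NGINX_BIN=/usr/local/openresty/nginx/sbin/nginx

# Constructed sample of `ldd $NGINX_BIN` on a build that links OpenSSL and
# LuaJIT statically: only libc-family shared objects appear.
SAMPLE_LDD='	linux-vdso.so.1 (0x00007ffd0)
	libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007f10)
	libpthread.so.0 => /lib/x86_64-linux-gnu/libpthread.so.0 (0x00007f11)
	libcrypt.so.1 => /lib/x86_64-linux-gnu/libcrypt.so.1 (0x00007f12)
	libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f13)'

# Constructed sample of `openresty -V 2>&1`.
SAMPLE_V='nginx version: openresty/1.25.3.1
built with OpenSSL 3.2.3 3 Sep 2024
TLS SNI support enabled
configure arguments: --prefix=/usr/local/openresty/nginx'

# uses_distro_lib "<ldd output>" "<library name prefix>"
# Exit 0 if a shared object with that prefix is resolved by the loader,
# i.e. the binary really does depend on the distro copy of that library.
uses_distro_lib() {
  printf '%s\n' "$1" | grep -q "^[[:space:]]*$2[^ ]*[[:space:]]*=>"
}

# openssl_version "<openresty -V output>"
# Prints the version string from the "built with OpenSSL ..." line.
openssl_version() {
  printf '%s\n' "$1" | sed -n 's/^built with OpenSSL \([0-9][0-9.a-z]*\).*/\1/p'
}

# version_ge "<a>" "<b>": exit 0 when dotted version a >= b (numeric, per field).
version_ge() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    n = split(a, x, "."); m = split(b, y, ".");
    for (i = 1; i <= (n > m ? n : m); i++) {
      ai = (i <= n) ? x[i] + 0 : 0; bi = (i <= m) ? y[i] + 0 : 0;
      if (ai > bi) exit 0;
      if (ai < bi) exit 1;
    }
    exit 0 }'
}

# check_kong_build "<ldd output>" "<-V output>" "<minimum OpenSSL>"
# 0: no distro libssl/liblua loaded and built-in OpenSSL >= minimum
# 1: the binary dynamically links a distro libssl or liblua (distro CVE applies)
# 2: built-in OpenSSL version could not be determined
# 3: built-in OpenSSL is older than the minimum (rebuild from source)
check_kong_build() {
  ldd_out=$1; v_out=$2; min=$3
  if uses_distro_lib "$ldd_out" libssl || uses_distro_lib "$ldd_out" liblua; then
    echo "binary dynamically links a distro libssl/liblua; distro package CVEs apply"
    return 1
  fi
  ver=$(openssl_version "$v_out")
  if [ -z "$ver" ]; then
    echo "could not determine built-in OpenSSL version"
    return 2
  fi
  if version_ge "$ver" "$min"; then
    echo "statically linked OpenSSL $ver >= $min; distro libssl/liblua findings do not apply"
    return 0
  fi
  echo "statically linked OpenSSL $ver < $min; rebuild from source with a fixed OpenSSL"
  return 3
}

# Stand-alone run on the constructed samples (replace with live output on an image).
check_kong_build "$SAMPLE_LDD" "$SAMPLE_V" 3.2.3
```

The loader check is what separates "the distro ships a vulnerable liblua5.1" from "this process executes vulnerable Lua code": if `ldd` never resolves a libssl or liblua entry, the distro package is not on the binary's code path, and the version to evaluate is the one reported by `openresty -V`, which is exactly what the .requirements bump changes.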

when you go to 3.9 will this be with Noble? This is ubuntu’s current offering.

I believe that Kong would incorporate the PR filed on that release. I have flagged it internally. Thank you

is there any timetable for when 3.9.0 would be available?

@rick any timetable for 3.9.0?

@dgresham I don’t have the ability to share a reliable timeline with you. The code that will be released as part of 3.9 is being finalized now and then there is a strict validation and release process.