@rick just for additional context, we need to build a Noble image because the current Kong-provided image is based on ubuntu-jammy, which has a critical OpenSSL vulnerability that was addressed in Noble. And this week we got blocked by the CVE I mentioned in the original ask.
The CVE for OpenSSL is CVE-2024-5535.
Is Kong going to provide a new image based on Noble to address this CVE?
Regarding CVE-2024-5535, the next version of Kong (3.9.0) will use OpenSSL 3.2.3, which has the fix for this CVE. If you wish, you can update the .requirements file and build with that version of OpenSSL now. See chore(deps): bump openssl to 3.2.3 (#13623) · Kong/kong@f03ea81 · GitHub for reference.
The kong.deb package does not rely on the distro packages for these libraries. Kong builds and statically links its own LuaJIT and OpenSSL, not the libraries provided by the distro. If you'd like to resolve the OpenSSL CVE, you would need to build Kong from source.
According to a colleague, Kong is not susceptible to CVE-2020-15889, which is a vulnerability in Lua 5.4.0. That may be the version in jammy, but that is not what Kong uses, which is found here in the filesystem: /usr/local/openresty/luajit/lib
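Because the replies above say the fix lives in the statically linked OpenSSL rather than in the distro package, the useful check after rebuilding (or before trusting an image) is what version the OpenResty nginx binary itself reports, not what `dpkg` says about libssl. The script below is an added example written for this thread, not code from Kong or from anyone in the discussion. It parses the `built with OpenSSL x.y.z` line that `nginx -V` prints, compares it against a required minimum, and falls back to a constructed sample of that output so it can run where no OpenResty install is present. The binary path `/usr/local/openresty/nginx/sbin/nginx` is assumed to be the default OpenResty prefix; the minimum `3.2.3` is the version named in the thread.

```shell
#!/bin/sh
# Check which OpenSSL version is compiled into a Kong/OpenResty nginx binary.
# Added example for this thread; not Kong project code.

# Constructed sample of what `nginx -V` prints (it writes to stderr),
# used when no OpenResty binary is installed on this machine.
SAMPLE_NGINX_V='nginx version: openresty/1.25.3.1
built with OpenSSL 3.2.3 3 Sep 2024
TLS SNI support enabled
configure arguments: --prefix=/usr/local/openresty/nginx'

# Extract "x.y.z" from the "built with OpenSSL ..." line of nginx -V output.
openssl_version_from_nginx_v() {
    printf '%s\n' "$1" | sed -n 's/^built with OpenSSL \([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# Return 0 if dotted version $1 >= $2, comparing component by component
# (so 3.10.0 sorts above 3.9.9, unlike a plain string compare).
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        k = (n > m) ? n : m
        for (i = 1; i <= k; i++) {
            xi = (i in x) ? x[i] + 0 : 0
            yi = (i in y) ? y[i] + 0 : 0
            if (xi > yi) exit 0
            if (xi < yi) exit 1
        }
        exit 0
    }'
}

# $1: nginx -V output, $2: minimum acceptable OpenSSL version.
# Prints "ok <v>", "below-minimum <v>" or "unknown"; exit status matches.
check_openssl_min() {
    linked=$(openssl_version_from_nginx_v "$1")
    if [ -z "$linked" ]; then
        echo "unknown"
        return 2
    fi
    if version_ge "$linked" "$2"; then
        echo "ok $linked"
        return 0
    fi
    echo "below-minimum $linked"
    return 1
}

# Live use: query the real binary when present, otherwise the sample above.
NGINX_BIN=/usr/local/openresty/nginx/sbin/nginx   # assumed default OpenResty prefix
if [ -x "$NGINX_BIN" ]; then
    check_openssl_min "$("$NGINX_BIN" -V 2>&1)" 3.2.3
else
    check_openssl_min "$SAMPLE_NGINX_V" 3.2.3
fi
```

If the real `nginx -V` output also contains a `(running with OpenSSL ...)` suffix, the binary is loading a shared libssl at runtime rather than the version it was built against; that would contradict the static-linking description above and is worth investigating before relying on the rebuilt image.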
@dgresham I don’t have the ability to share a reliable timeline with you. The code that will be released as part of 3.9 is being finalized now and then there is a strict validation and release process.