04/12/2022, 8:45 AM
Hi I have question regarding Hydra external dependencies in context of CVE-2022-0778, we are using image v1.10.7-sqlite. I see there is build docker with CGO enabled:
I wonder if Hydra is actually somehow using OpenSSL in a way that CVE actually apply?
04/12/2022, 8:51 AM
I can confirm that the image is build using cgo we don't use openssl directly, but maybe go stdlib will use it? does the alpine version of that image contain a vulnerable openssl version?
04/12/2022, 8:52 AM
If I'm looking correctly it uses
and it's fixed in alpine 3.15.1
04/12/2022, 8:56 AM
I see, latest release uses
but I am not sure what it actually uses in the end 🤔
maybe you could submit a PR to bump alpine to
and we can release a new version later on?
04/12/2022, 8:58 AM
the main think I'm looking for if Hydra is doing potential certifcate parsing that could cause the described dos
if it's using other library to do this could you point me there so I can evaluete if this is an issue for the release that we are using?
talking about X.509 certificates to be precise
04/12/2022, 9:05 AM
I don't think we use it as go libraries typically don't use c dependencies randomly, and you can compile hydra without cgo without a problem but I'd have to check
04/12/2022, 10:30 AM
go uses its own tls library, it doesn't use openssl
hence it is possible to use a go app with all cryptographic features in a scratch container