Hi everyone,
We’ve observed that the distroless tags currently report some OpenSSL vulnerabilities (details below), which appear to be resolved in version 3.3.5-5.azl3. In contrast, the azurelinux tags do not show these issues.
Since distroless images are based on Azure Linux 3.0, I wanted to clarify whether they are expected to track the same package versions and security updates as the azurelinux images, or if they follow a different update cadence.
If the latter, is there an expected timeline for these fixes to be incorporated into the distroless images?
Thanks in advance!
25-distroless
sha256:d73aae6cf3c6cae87a29ff38b4dc04f6f2ab9585a8ec3c3d34fe7b4a6d408691
mcr.microsoft.com/openjdk/jdk:25-distroless (azurelinux 3.0)
Total: 10 (UNKNOWN: 0, LOW: 0, MEDIUM: 10, HIGH: 0, CRITICAL: 0)
| Library | Vulnerability | Severity | Status | Installed Version | Fixed Version | Title |
|---|---|---|---|---|---|---|
| openssl | CVE-2026-28388 | MEDIUM | fixed | 3.3.5-4.azl3 | 3.3.5-5.azl3 | openssl: OpenSSL: Denial of Service due to NULL pointer dereference in delta... (https://avd.aquasec.com/nvd/cve-2026-28388) |
| openssl | CVE-2026-28389 | MEDIUM | fixed | 3.3.5-4.azl3 | 3.3.5-5.azl3 | openssl: OpenSSL: Denial of Service vulnerability in CMS processing (https://avd.aquasec.com/nvd/cve-2026-28389) |
| openssl | CVE-2026-28390 | MEDIUM | fixed | 3.3.5-4.azl3 | 3.3.5-5.azl3 | openssl: OpenSSL: Denial of Service due to NULL pointer dereference in CMS... (https://avd.aquasec.com/nvd/cve-2026-28390) |
| openssl | CVE-2026-31789 | MEDIUM | fixed | 3.3.5-4.azl3 | 3.3.5-5.azl3 | openssl: OpenSSL: Heap buffer overflow on 32-bit systems from large X.509 certificate... (https://avd.aquasec.com/nvd/cve-2026-31789) |
| openssl | CVE-2026-31790 | MEDIUM | fixed | 3.3.5-4.azl3 | 3.3.5-5.azl3 | openssl: openssl: Information Disclosure from Uninitialized Memory via Invalid RSA Public Key... (https://avd.aquasec.com/nvd/cve-2026-31790) |
| openssl-libs | CVE-2026-28388 | MEDIUM | fixed | 3.3.5-4.azl3 | 3.3.5-5.azl3 | openssl: OpenSSL: Denial of Service due to NULL pointer dereference in delta... (https://avd.aquasec.com/nvd/cve-2026-28388) |
| openssl-libs | CVE-2026-28389 | MEDIUM | fixed | 3.3.5-4.azl3 | 3.3.5-5.azl3 | openssl: OpenSSL: Denial of Service vulnerability in CMS processing (https://avd.aquasec.com/nvd/cve-2026-28389) |
| openssl-libs | CVE-2026-28390 | MEDIUM | fixed | 3.3.5-4.azl3 | 3.3.5-5.azl3 | openssl: OpenSSL: Denial of Service due to NULL pointer dereference in CMS... (https://avd.aquasec.com/nvd/cve-2026-28390) |
| openssl-libs | CVE-2026-31789 | MEDIUM | fixed | 3.3.5-4.azl3 | 3.3.5-5.azl3 | openssl: OpenSSL: Heap buffer overflow on 32-bit systems from large X.509 certificate... (https://avd.aquasec.com/nvd/cve-2026-31789) |
| openssl-libs | CVE-2026-31790 | MEDIUM | fixed | 3.3.5-4.azl3 | 3.3.5-5.azl3 | openssl: openssl: Information Disclosure from Uninitialized Memory via Invalid RSA Public Key... (https://avd.aquasec.com/nvd/cve-2026-31790) |
25-azurelinux
sha256:4c61d706645ddd736e282734eb37fc4c62028ec972771bc8d179349151ed75ec
| Target | Type | Vulnerabilities | Secrets |
|---|---|---|---|
| mcr.microsoft.com/openjdk/jdk:25-azurelinux (azurelinux 3.0) | azurelinux | 0 | - |
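An added triage helper (not part of this issue, the openjdk images, or Trivy itself) for the situation the scan above shows: it reads a Trivy JSON report, compares `InstalledVersion` against `FixedVersion` with RPM EVR semantics (so `3.3.5-4.azl3` sorts below `3.3.5-5.azl3`, and release `10` above `9`, which a plain string compare gets wrong), and tells you whether a finding is fixable by rebuilding on an updated base. The embedded report is constructed from the table above; `example-lib` and `CVE-PLACEHOLDER-0001` are made-up placeholders.

```python
import json
import re

# Constructed Trivy JSON excerpt mirroring the openssl findings in the post (not a real scan file).
SAMPLE_REPORT = json.dumps({"Results": [{"Target": "jdk:25-distroless (azurelinux 3.0)", "Vulnerabilities": [
    {"VulnerabilityID": "CVE-2026-28388", "PkgName": "openssl", "InstalledVersion": "3.3.5-4.azl3", "FixedVersion": "3.3.5-5.azl3"},
    {"VulnerabilityID": "CVE-2026-28388", "PkgName": "openssl-libs", "InstalledVersion": "3.3.5-4.azl3", "FixedVersion": "3.3.5-5.azl3"},
    {"VulnerabilityID": "CVE-PLACEHOLDER-0001", "PkgName": "example-lib", "InstalledVersion": "1.2-3.azl3", "FixedVersion": ""},
]}]})

def rpmvercmp(a, b):
    """Compare two RPM version/release strings like rpmvercmp: -1, 0 or 1 (tilde/caret not handled)."""
    # rpmvercmp tokenises into runs of digits and runs of letters; everything else is a separator.
    sa, sb = (re.findall(r"\d+|[A-Za-z]+", s) for s in (a, b))
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            if int(x) != int(y):                 # numeric segments compare as integers, not strings
                return -1 if int(x) < int(y) else 1
        elif x.isdigit() or y.isdigit():         # a numeric segment is newer than an alphabetic one
            return 1 if x.isdigit() else -1
        elif x != y:
            return -1 if x < y else 1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))   # leftover segments mean newer

def evr_cmp(a, b):
    """Compare full '[epoch:]version-release' strings, e.g. 3.3.5-4.azl3 vs 3.3.5-5.azl3."""
    def split(evr):
        epoch, _, rest = evr.rpartition(":")     # epoch is optional and defaults to 0
        version, _, release = rest.partition("-")
        return int(epoch or 0), version, release
    (ea, va, ra), (eb, vb, rb) = split(a), split(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)

def triage(report_json):
    """Return (pkg, cve, installed, fixed, action) rows from a Trivy JSON report."""
    rows = []
    for result in json.loads(report_json).get("Results", []):
        for v in result.get("Vulnerabilities", []):
            fixed = v.get("FixedVersion") or ""
            if not fixed:
                action = "no-fix"            # distro has not shipped a fixed build yet
            elif evr_cmp(v["InstalledVersion"], fixed) < 0:
                action = "upgrade"           # a newer fixed build exists; rebuild on the updated base
            else:
                action = "already-fixed"     # scanner DB lag: installed build is at or after the fix
            rows.append((v["PkgName"], v["VulnerabilityID"], v["InstalledVersion"], fixed, action))
    return rows
```

Run `triage(json.load(open("trivy.json")).__repr__())` is not needed; pass the raw JSON text from `trivy image -f json` directly to `triage`.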