openjdk:8-jre-alpine contains CVE-2018-14498

[ravipatel26]

Description:
get_8bit_row in rdbmp.c in libjpeg-turbo through 1.5.90 and MozJPEG through 3.3.1 allows attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted 8-bit BMP in which one or more of the color indices is out of range for the number of palette entries.

CVSS v3.0 Severity and Metrics:
Base Score: 6.5 MEDIUM
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H (V3 legend)
Impact Score: 3.6
Exploitability Score: 2.8

NVD Reference:
https://nvd.nist.gov/vuln/detail/CVE-2018-14498

I see that there is a patch for this vulnerability. Will it be applied to the openjdk:8-jre-alpine docker image in dockerhub?

[wglambert]

https://security-tracker.debian.org/tracker/CVE-2018-14498
Looks like stretch is still vulnerable, and we would prefer to not patch above upstream. Not sure about Oraclelinux or Alpine

We update the images once a month for CVE's routinely.
https://github.com/docker-library/faq#why-does-my-security-scanner-show-that-an-image-has-cves