Open ssl CVE present in node cache 1.22.20 #590
Comments
Thanks, there are already newer images. Could you check 1.22.21?
1.22.21 also has the same CVEs mentioned. Like you mentioned, 1.22.22 is not accessible. I doubt that 1.22.22 doesn't have the CVE because the base images that are used to build (gcr.io/gke-release/distroless-iptables:v0.2.4-gke.2@sha256:de81db8d3d8d61fcc13bae7b8d4b1ca1248f8e88356e500e7cd9f3f9a1d35cf4 and gcr.io/distroless/static-debian11@sha256:7198a357ff3a8ef750b041324873960cf2153c11cc50abb9d8d5f8bb089f6b4e) have the CVEs in them. If you could provide me the newer base images that I can use, I would be happy to contribute. I am unable to list the latest tags.
Hmm, does the static-debian have the vulnerability? AFAIK it should have no ssl libs. Maybe base-debian is affected? As it should have the ssl libs. As for the distroless-iptables, let me ask; maybe a fixed version will be released soon. And thanks for the report!
My bad, yes. What open sourced repo is distroless-iptables part of?
I've checked with the maintainers of the image. @i5haan could you help to check if the base-debian is affected? And then make a PR for both images (or only one if needed)? I'd approve and release a new tag. Thanks!
Latest base-debian is: gcr.io/distroless/base-debian11@sha256:73deaaf6a207c1a33850257ba74e0f196bc418636cada9943a03d7abea980d6d
Thanks for providing these images. For the base image, I will only update the distroless-iptables.
I'm just thinking, if we're updating distroless-iptables, then updating the base-debian to the latest won't hurt as well. Could you please include the
at Line 32 in fed6049
in the PR as well?
Oh, wait, the hash is the same for the base-debian. Yep, only distroless-iptables is up for the update.
Thanks for the approval! After the commit, when does it get released?
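The check made in the comment above (compare the digest pinned in the Dockerfile with the latest published digest, and only bump the image whose hash differs) is easy to script. The following is an added example for this thread, not code from the kubernetes/dns project: the Dockerfile fragment is constructed from the two digests quoted in the thread, and the `LATEST` map is constructed as well (the distroless-iptables entry is a placeholder digest; in practice the map would be filled from the registry, for example with `crane digest`).

```python
"""Report which base images pinned in a Dockerfile differ from the latest
known digest. Added example for this issue thread; not project code.
LATEST is constructed here: in practice it comes from the registry."""
import re
from typing import Dict, List, Optional, Tuple

# FROM [--platform=...] <ref>[@sha256:<64 hex>] [AS <stage>]
FROM_RE = re.compile(
    r"^\s*FROM\s+(?:--platform=\S+\s+)?(?P<ref>[^\s@]+)"
    r"(?:@(?P<digest>sha256:[0-9a-f]{64}))?",
    re.IGNORECASE | re.MULTILINE,
)

# Constructed Dockerfile fragment using the two digests quoted in the thread.
DOCKERFILE = """\
FROM gcr.io/gke-release/distroless-iptables:v0.2.4-gke.2@sha256:de81db8d3d8d61fcc13bae7b8d4b1ca1248f8e88356e500e7cd9f3f9a1d35cf4 AS iptables
FROM gcr.io/distroless/base-debian11@sha256:73deaaf6a207c1a33850257ba74e0f196bc418636cada9943a03d7abea980d6d
"""

# Constructed "latest known" digests. base-debian11 is the digest shared in
# the thread; the distroless-iptables value is a PLACEHOLDER, not a real digest.
LATEST: Dict[str, str] = {
    "gcr.io/gke-release/distroless-iptables": "sha256:" + "0" * 64,  # placeholder
    "gcr.io/distroless/base-debian11":
        "sha256:73deaaf6a207c1a33850257ba74e0f196bc418636cada9943a03d7abea980d6d",
}


def split_ref(ref: str) -> Tuple[str, Optional[str]]:
    """Split 'repo:tag' into (repo, tag). A ':' before the last '/' belongs to
    a registry port (localhost:5000/foo), not to a tag."""
    slash, colon = ref.rfind("/"), ref.rfind(":")
    if colon > slash:
        return ref[:colon], ref[colon + 1:]
    return ref, None


def check_bases(dockerfile: str, latest: Dict[str, str]) -> List[Dict[str, Optional[str]]]:
    """One record per FROM line. status is 'current', 'outdated',
    'unpinned' (tag only, no digest) or 'unknown' (repo not in the map)."""
    report = []
    for m in FROM_RE.finditer(dockerfile):
        repo, tag = split_ref(m.group("ref"))
        if repo == "scratch":
            continue  # empty base image, nothing to update
        pinned = m.group("digest")
        want = latest.get(repo)
        if pinned is None:
            status = "unpinned"   # a tag can move; a digest cannot
        elif want is None:
            status = "unknown"
        elif pinned.lower() == want.lower():
            status = "current"    # same hash, as with base-debian above
        else:
            status = "outdated"
        report.append({"repo": repo, "tag": tag, "pinned": pinned,
                       "latest": want, "status": status})
    return report


def needs_update(dockerfile: str, latest: Dict[str, str]) -> List[str]:
    """Repos whose pinned digest differs from the latest one."""
    return [r["repo"] for r in check_bases(dockerfile, latest)
            if r["status"] == "outdated"]


if __name__ == "__main__":
    for rec in check_bases(DOCKERFILE, LATEST):
        print(f"{rec['status']:9} {rec['repo']} pinned={rec['pinned']} latest={rec['latest']}")
```

Run against the constructed input, the script reports distroless-iptables as outdated and base-debian11 as current, which is the conclusion reached in the thread; an "unpinned" status is worth failing CI on, since a tag-only FROM line can silently pick up a different image between builds.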
Update distroless-iptables image #590
I've pushed the tag, we will promote the images to the k8s registry today-tomorrow.
I ran some scans on registry.k8s.io/dns/k8s-dns-node-cache:1.22.2 and found out there are some open CVEs present in this image. The following is the summary:
We need it remediated asap to keep infosec happy.