Vulnerable to CVE-2023-4039 #13136

Closed
Kostov6 opened this issue Mar 31, 2025 · 2 comments
Labels
kind/bug Categorizes issue or PR as related to a bug. needs-priority needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one.

Comments

Kostov6 commented Mar 31, 2025

What CVE was reported in the scanner findings?

CVE-2023-4039

What versions of the controller did you test with?

  • registry.k8s.io/ingress-nginx/controller:v1.12.1
  • registry.k8s.io/ingress-nginx/controller:v1.11.5
Kostov6 added the kind/bug label on Mar 31, 2025
k8s-ci-robot added the needs-triage label on Mar 31, 2025
@k8s-ci-robot (Contributor)

This issue is currently awaiting triage.

If Ingress contributors determine this is a relevant issue, they will accept it by applying the triage/accepted label and provide further guidance.

The triage/accepted label can be added by org members by writing /triage accepted in a comment.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

Gacko (Member) commented Mar 31, 2025

Can you please share additional information on this? I looked up which GCC version provided by Alpine includes fixes for this (https://security.alpinelinux.org/vuln/CVE-2023-4039) and according to the latest build log we are using a fixed version (14.2.0-r4):

https://storage.googleapis.com/kubernetes-ci-logs/logs/post-ingress-nginx-nginx/1904182009597530112/artifacts/build.log

```
#14 [linux/arm64 builder 3/3] RUN apk update   && apk upgrade   && apk add -U bash --no-cache   && /build.sh
#14 10.39 (1/353) Installing libcap2 (2.71-r0)
#14 10.77 (2/353) Installing libcap-getcap (2.71-r0)
#14 10.78 (3/353) Installing fakeroot (1.36-r0)
#14 10.81 (4/353) Installing libgcc (14.2.0-r4)
#14 10.87 (5/353) Installing libstdc++ (14.2.0-r4)
#14 11.06 (6/353) Installing lzip (1.24.1-r1)
#14 11.08 (7/353) Installing openssl (3.3.3-r0)
#14 11.13 (8/353) Installing patch (2.7.6-r10)
#14 11.16 (9/353) Installing pkgconf (2.3.0-r0)
#14 11.18 (10/353) Installing acl-libs (2.3.2-r1)
#14 11.20 (11/353) Installing tar (1.35-r2)
#14 11.24 (12/353) Installing abuild (3.14.1-r4)
#14 11.26 Executing abuild-3.14.1-r4.pre-install
#14 11.33 (13/353) Installing abuild-sudo (3.14.1-r4)
#14 11.35 (14/353) Installing jansson (2.14-r4)
#14 11.37 (15/353) Installing zstd-libs (1.5.6-r2)
#14 11.42 (16/353) Installing binutils (2.43.1-r2)
#14 11.81 (17/353) Installing libmagic (5.46-r2)
#14 11.92 (18/353) Installing file (5.46-r2)
#14 11.94 (19/353) Installing libgomp (14.2.0-r4)
#14 11.97 (20/353) Installing libatomic (14.2.0-r4)
#14 11.98 (21/353) Installing gmp (6.3.0-r2)
#14 12.01 (22/353) Installing isl26 (0.26-r1)
#14 12.09 (23/353) Installing mpfr4 (4.2.1-r0)
#14 12.13 (24/353) Installing mpc1 (1.3.1-r1)
#14 12.15 (25/353) Installing gcc (14.2.0-r4)
#14 15.90 (26/353) Installing libstdc++-dev (14.2.0-r4)
#14 16.48 (27/353) Installing musl-dev (1.2.5-r9)
#14 16.75 (28/353) Installing g++ (14.2.0-r4)
#14 17.91 (29/353) Installing make (4.4.1-r2)
#14 17.93 (30/353) Installing fortify-headers (1.1-r5)
#14 17.95 (31/353) Installing build-base (0.5-r3)
#14 17.95 (32/353) Installing brotli-libs (1.1.0-r2)
#14 18.00 (33/353) Installing c-ares (1.34.3-r0)
#14 18.02 (34/353) Installing libunistring (1.2-r0)
#14 18.08 (35/353) Installing libidn2 (2.3.7-r0)
#14 18.10 (36/353) Installing nghttp2-libs (1.64.0-r0)
#14 18.12 (37/353) Installing libpsl (0.21.5-r3)
#14 18.14 (38/353) Installing libcurl (8.12.1-r1)
#14 18.18 (39/353) Installing libexpat (2.7.0-r0)
#14 18.20 (40/353) Installing pcre2 (10.43-r0)
#14 18.23 (41/353) Installing git (2.47.2-r0)
#14 18.51 (42/353) Installing git-init-template (2.47.2-r0)
#14 18.53 (43/353) Installing alpine-sdk (1.1-r0)
#14 18.53 (44/353) Installing m4 (1.4.19-r3)
#14 18.55 (45/353) Installing libbz2 (1.0.8-r6)
#14 18.57 (46/353) Installing perl (5.40.1-r0)
#14 19.69 (47/353) Installing perl-error (0.17029-r2)
#14 19.70 (48/353) Installing perl-git (2.47.2-r0)
#14 19.72 (49/353) Installing git-perl (2.47.2-r0)
#14 19.74 (50/353) Installing autoconf (2.72-r0)
#14 19.82 (51/353) Installing automake (1.17-r0)
#14 19.88 (52/353) Installing bc (1.07.1-r5)
#14 19.90 (53/353) Installing bison (3.8.2-r1)
#14 19.96 (54/353) Installing c-ares-dev (1.34.3-r0)
#14 20.06 (55/353) Installing ca-certificates (20241121-r1)
#14 20.11 (56/353) Installing clang19-headers (19.1.4-r0)
#14 20.31 (57/353) Installing libffi (3.4.7-r0)
#14 20.33 (58/353) Installing xz-libs (5.6.3-r0)
#14 20.35 (59/353) Installing libxml2 (2.13.4-r5)
#14 20.40 (60/353) Installing llvm19-libs (19.1.4-r0)
```
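One way to make the check in the comment above repeatable, as an added example that is not part of this issue or of the ingress-nginx project: a small Python script that pulls the `Installing name (version)` lines out of a build log (a constructed excerpt shaped like the log above) and compares the toolchain packages against the fixed version the comment cites. The apk version ordering is simplified to plain `x.y.z-rN`; the fixed-version table is an assumption taken from the comment, not from a security tracker.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed excerpt, copied in shape from the apk lines of the build log above.
SAMPLE_LOG = """\
#14 10.81 (4/353) Installing libgcc (14.2.0-r4)
#14 10.87 (5/353) Installing libstdc++ (14.2.0-r4)
#14 12.15 (25/353) Installing gcc (14.2.0-r4)
#14 16.75 (28/353) Installing g++ (14.2.0-r4)
#14 17.91 (29/353) Installing make (4.4.1-r2)
"""

# Assumed fixed versions for CVE-2023-4039, as stated in the comment above.
# In real triage these come from the distro's security tracker.
FIXED = {"gcc": "14.2.0-r4", "g++": "14.2.0-r4"}

APK_LINE = re.compile(r"Installing (\S+) \((\S+)\)")

def parse_apk_version(v: str) -> Tuple[List[int], int]:
    """Split an Alpine version like '14.2.0-r4' into
    (upstream numeric components, package release number)."""
    upstream, _, rel = v.partition("-r")
    parts = [int(p) for p in re.findall(r"\d+", upstream)]
    return parts, int(rel) if rel.isdigit() else 0

def is_fixed(installed: str, fixed: str) -> bool:
    """True when installed >= fixed. Simplified versus apk's full ordering
    (no _p1/_git suffix handling), enough for plain x.y.z-rN versions."""
    return parse_apk_version(installed) >= parse_apk_version(fixed)

def installed_packages(log: str) -> Dict[str, str]:
    """Collect package -> version from 'Installing name (version)' lines."""
    found: Dict[str, str] = {}
    for line in log.splitlines():
        m = APK_LINE.search(line)
        if m:
            found[m.group(1)] = m.group(2)
    return found

def triage(log: str, fixed: Dict[str, str]) -> Dict[str, Optional[bool]]:
    """Per tracked package: True if installed at or above the fixed version,
    False if below it, None if the package never appears in the log."""
    pkgs = installed_packages(log)
    return {name: (is_fixed(pkgs[name], v) if name in pkgs else None)
            for name, v in fixed.items()}

if __name__ == "__main__":
    for name, ok in triage(SAMPLE_LOG, FIXED).items():
        status = "not in log" if ok is None else ("fixed" if ok else "VULNERABLE")
        print(f"{name}: {status}")
```

A `None` result is worth treating as a finding in its own right: a package the scanner flags that the build log never installs usually means the scanner matched a different layer or image than the one being verified.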
