Bump docker/docker and k8s.io/kubernetes packages #363

Merged
merged 1 commit into from
May 14, 2024

Conversation

@nwneisen (Collaborator) commented May 14, 2024

nneisen:~/code/cri-dockerd (release/0.3): trivy fs .
2024-05-14T09:19:53.730-0600    INFO    Vulnerability scanning is enabled
2024-05-14T09:19:53.730-0600    INFO    Secret scanning is enabled
2024-05-14T09:19:53.730-0600    INFO    If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-05-14T09:19:53.730-0600    INFO    Please see also https://aquasecurity.github.io/trivy/v0.44/docs/scanner/secret/#recommendation for faster secret detection
2024-05-14T09:20:08.534-0600    INFO    Number of language-specific files: 2
2024-05-14T09:20:08.534-0600    INFO    Detecting gomod vulnerabilities...
2024-05-14T09:20:08.539-0600    INFO    Detecting pip vulnerabilities...

go.mod (gomod)
==============
Total: 2 (UNKNOWN: 0, LOW: 1, MEDIUM: 1, HIGH: 0, CRITICAL: 0)

┌──────────────────────────┬────────────────┬──────────┬────────┬─────────────────────┬─────────────────────────┬──────────────────────────────────────────────────────────┐
│         Library          │ Vulnerability  │ Severity │ Status │  Installed Version  │      Fixed Version      │                          Title                           │
├──────────────────────────┼────────────────┼──────────┼────────┼─────────────────────┼─────────────────────────┼──────────────────────────────────────────────────────────┤
│ github.com/docker/docker │ CVE-2024-24557 │ MEDIUM   │ fixed  │ 24.0.7+incompatible │ 25.0.2, 24.0.9          │ moby: classic builder cache poisoning                    │
│                          │                │          │        │                     │                         │ https://avd.aquasec.com/nvd/cve-2024-24557               │
├──────────────────────────┼────────────────┼──────────┤        ├─────────────────────┼─────────────────────────┼──────────────────────────────────────────────────────────┤
│ k8s.io/kubernetes        │ CVE-2024-3177  │ LOW      │        │ 1.27.8              │ 1.27.13, 1.29.4, 1.28.9 │ kubernetes: kube-apiserver: bypassing mountable secrets  │
│                          │                │          │        │                     │                         │ policy imposed by the ServiceAccount admission plugin... │
│                          │                │          │        │                     │                         │ https://avd.aquasec.com/nvd/cve-2024-3177                │

Proposed Changes

  • Bump github.com/docker/docker to 24.0.9
  • Bump k8s.io/kubernetes to 1.27.13
nneisen:~/code/cri-dockerd (release/0.3): trivy fs .
2024-05-17T09:07:54.841-0600	INFO	Vulnerability scanning is enabled
2024-05-17T09:07:54.841-0600	INFO	Secret scanning is enabled
2024-05-17T09:07:54.841-0600	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-05-17T09:07:54.841-0600	INFO	Please see also https://aquasecurity.github.io/trivy/v0.44/docs/scanner/secret/#recommendation for faster secret detection
2024-05-17T09:08:06.941-0600	INFO	Number of language-specific files: 2
2024-05-17T09:08:06.941-0600	INFO	Detecting gomod vulnerabilities...
2024-05-17T09:08:06.946-0600	INFO	Detecting pip vulnerabilities...
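
As an added example (not code from this PR or from the cri-dockerd project), the following Go program checks that a bump like the one above actually landed: it parses the require block of a go.mod and compares every module named in the Trivy table against the lowest fixed version Trivy reported for the installed release line (24.0.9 for github.com/docker/docker, 1.27.13 for k8s.io/kubernetes). The go.mod fragment embedded in the program is constructed to mirror the pre-bump versions from the scan; a real check would read the file from disk, and golang.org/x/mod/modfile and golang.org/x/mod/semver are the production parsers. The hand-rolled parsing here keeps the example free of dependencies and treats a pre-release suffix as equal to its release, which is the one place it is looser than real semver.

```go
package main

import (
	"bufio"
	"fmt"
	"os"
	"sort"
	"strconv"
	"strings"
)

// sampleGoMod is a constructed fragment mirroring the pre-bump versions
// reported by the Trivy scan; it is not the project's real go.mod.
const sampleGoMod = `module github.com/Mirantis/cri-dockerd

go 1.21

require (
	github.com/docker/docker v24.0.7+incompatible
	k8s.io/kubernetes v1.27.8
	github.com/sirupsen/logrus v1.9.3 // indirect
)
`

// minFixed maps each module from the scan table to the lowest fixed version
// on the installed release line (values taken from the Trivy output above).
var minFixed = map[string]string{
	"github.com/docker/docker": "v24.0.9",
	"k8s.io/kubernetes":        "v1.27.13",
}

// parseRequires returns module path -> version for every require directive,
// whether written as a block or as a single line. Trailing comments such as
// "// indirect" are ignored.
func parseRequires(gomod string) map[string]string {
	out := map[string]string{}
	inBlock := false
	sc := bufio.NewScanner(strings.NewReader(gomod))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if i := strings.Index(line, "//"); i >= 0 {
			line = strings.TrimSpace(line[:i])
		}
		switch {
		case line == "require (":
			inBlock = true
		case line == ")" && inBlock:
			inBlock = false
		case strings.HasPrefix(line, "require "):
			if f := strings.Fields(line); len(f) == 3 {
				out[f[1]] = f[2]
			}
		case inBlock:
			if f := strings.Fields(line); len(f) >= 2 {
				out[f[0]] = f[1]
			}
		}
	}
	return out
}

// compareSemver compares vMAJOR.MINOR.PATCH numerically, dropping build
// metadata (+incompatible) and any pre-release suffix. Returns -1, 0 or 1.
func compareSemver(a, b string) int {
	parse := func(v string) [3]int {
		v = strings.TrimPrefix(v, "v")
		if i := strings.IndexAny(v, "+-"); i >= 0 {
			v = v[:i]
		}
		var n [3]int
		for i, p := range strings.SplitN(v, ".", 3) {
			n[i], _ = strconv.Atoi(p)
		}
		return n
	}
	x, y := parse(a), parse(b)
	for i := 0; i < 3; i++ {
		if x[i] < y[i] {
			return -1
		}
		if x[i] > y[i] {
			return 1
		}
	}
	return 0
}

// outdated lists modules that are required below their fixed version, sorted
// by module path so the output is stable. Modules absent from go.mod are skipped.
func outdated(gomod string, fixed map[string]string) []string {
	reqs := parseRequires(gomod)
	var bad []string
	for mod, min := range fixed {
		if v, ok := reqs[mod]; ok && compareSemver(v, min) < 0 {
			bad = append(bad, fmt.Sprintf("%s %s < %s", mod, v, min))
		}
	}
	sort.Strings(bad)
	return bad
}

func main() {
	bad := outdated(sampleGoMod, minFixed)
	if len(bad) == 0 {
		fmt.Println("all reported modules are at or above their fixed versions")
		return
	}
	for _, b := range bad {
		fmt.Println("still below fixed version:", b)
	}
	os.Exit(1) // non-zero so a CI step fails until the bump is merged
}
```

Run against the constructed pre-bump go.mod the program reports both modules and exits non-zero; after substituting v24.0.9+incompatible and v1.27.13 it reports nothing, which is the state the second Trivy run above reflects. A numeric compare matters here: a string comparison would rank v1.27.9 above v1.27.13.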

@nwneisen nwneisen merged commit 683f70f into Mirantis:release/0.3 May 14, 2024
11 checks passed
@nwneisen nwneisen deleted the cves branch May 14, 2024 15:36
@nwneisen nwneisen changed the title Bump all reported CVEs Bump docker/docker and k8s.io/kubernetes packages May 14, 2024