Multiple CVE with 1.8.0 release #10026
Comments
Thanks for your report. We are updating dependencies.
How can we make sure that with any release, all packages and their dependencies (and their dependencies' dependencies) are updated? I'd guess it's an update command in the release CI.
That complication comes from legacy and infra dependencies, making the "popular" automations not applicable. So a serious rewrite is needed to automate, hence there are manual procedures involved. And like @strongjz mentioned in the email thread, it has become a moving target as such under resource crunch (among other things).
/triage accepted
/close
@rikatz: Closing this issue. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
What scanner
Prisma Cloud from Palo Alto
What CVE was reported in the scanner findings?
1. go version 1.20.1 has 8 vulnerabilities
   Status: fixed in golang 1.20.4
2. github.com/emicklei/go-restful/v3 version v3.9.0 has 1 vulnerability
   Status: Fixed in: v3.10.0
3. github.com/sirupsen/logrus version v1.8.1 has 1 vulnerability
   Status: open
4. openssl (used in libssl3, libcrypto3, openssl) version 3.1.0-r4 has 1 vulnerability
   Status: Fixed in: 3.1.1-r0
What versions of the controller did you test with?
controller-v1.8.0
registry.k8s.io/ingress-nginx/controller:v1.8.0@sha256:744ae2afd433a395eeb13dc03d3313facba92e96ad71d9feaafc85925493fee3
Please provide other details that will help us determine the severity of the issue
Except #3, the others could be solved by version-bumping the dependencies.
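As an added example (not code from the ingress-nginx project or from anyone in this thread), a small Python audit that checks a go.mod and the build toolchain against the "fixed in" versions quoted in the findings above and reports which items still need a bump and which (logrus) have no fixed release yet. The go.mod excerpt is constructed, the ginkgo entry is filler, and the openssl finding is an image package (apk) outside go.mod, so it is not covered here.

```python
"""Flag Go modules and the build toolchain that sit below a scanner's
'fixed in' version. Added example, not ingress-nginx project code."""
import re
# Constructed go.mod excerpt mirroring this issue's findings (ginkgo is filler).
SAMPLE_GO_MOD = """\
module k8s.io/ingress-nginx
go 1.20
require (
	github.com/emicklei/go-restful/v3 v3.9.0
	github.com/sirupsen/logrus v1.8.1
	github.com/onsi/ginkgo/v2 v2.9.0
)
"""

# Thresholds taken from the scanner findings quoted above; None means the
# scanner reported the finding as open with no fixed release to bump to.
ADVISORIES = {
    "github.com/emicklei/go-restful/v3": "v3.10.0",
    "github.com/sirupsen/logrus": None,
}
# Finding #1. The 'go' directive in go.mod is only the language version,
# so the toolchain that actually built the image is passed to audit().
GO_TOOLCHAIN_FIXED = "1.20.4"

def parse_version(v):
    """'v3.10.0' or '1.20.4' -> (3, 10, 0); pre-release/build tags dropped.
    Numeric tuples are needed: as strings 'v3.9.0' sorts after 'v3.10.0'."""
    core = v.lstrip("v").split("-")[0].split("+")[0]
    return tuple(int(p) for p in core.split("."))

def parse_go_mod(text):
    """{module path: version} from single-line and block require entries."""
    pattern = r"^\s*(?:require\s+)?(\S+/\S+)[ \t]+(v\d[^\s/]*)"
    return {m.group(1): m.group(2) for m in re.finditer(pattern, text, re.M)}

def audit(go_mod_text, go_toolchain):
    """Return (item, current, fixed_in, action) for every threshold not met."""
    findings = []
    if parse_version(go_toolchain) < parse_version(GO_TOOLCHAIN_FIXED):
        findings.append(("go toolchain", go_toolchain, GO_TOOLCHAIN_FIXED, "bump"))
    for mod, ver in parse_go_mod(go_mod_text).items():
        if mod not in ADVISORIES:
            continue
        fixed = ADVISORIES[mod]
        if fixed is None:
            findings.append((mod, ver, None, "open: no fixed release"))
        elif parse_version(ver) < parse_version(fixed):
            findings.append((mod, ver, fixed, "bump"))
    return findings
```

Feed it the real go.mod and the toolchain from `go version -m` on the controller binary to get the same three items the scanner lists; the openssl package still needs a separate image-level check.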