Addressing several security vulnerabilities in the version v0.16.2

[thle40]

Release of version v0.16.2 run under Ubuntu 22.04.4 LT contains several vulnerabilities
Some vulnerabilities can be fixed by upgrading the version of affected packages as below.

as requirement of our security remediating process in our org, we would like to report vulnerabilities for this version (though we will follow your release process)

<style> </style>

CVE	SEVERITY	CVSS	PACKAGE	VERSION	STATUS
CVE-2024-37371	medium	0.00	krb5	1.19.2-2ubuntu0.3	fixed in 1.19.2-2ubuntu0.4
CVE-2024-37370	medium	0.00	krb5	1.19.2-2ubuntu0.3	fixed in 1.19.2-2ubuntu0.4
CVE-2024-26462	medium	0.00	krb5	1.19.2-2ubuntu0.3	needed
CVE-2024-2236	medium	0.00	libgcrypt20	1.9.4-3ubuntu3	deferred
CVE-2022-4899	low	7.50	libzstd	1.4.8+dfsg-3build1	needed
CVE-2023-50495	low	6.50	ncurses	6.3-2ubuntu0.1	needed
CVE-2016-2781	low	6.50	coreutils	8.32-4.1ubuntu1.2	deferred
CVE-2023-7008	low	5.90	systemd	249.11-0ubuntu3.12	needed
CVE-2022-27943	low	5.50	gcc-12	12.3.0-1ubuntu1~22.04	needed
CVE-2023-29383	low	3.30	shadow	1:4.8.1-2ubuntu2.2	needed
CVE-2022-3219	low	3.30	gnupg2	2.2.27-3ubuntu2.1	deferred
CVE-2024-5535	low	0.00	openssl	3.0.2-0ubuntu1.16	fixed in 3.0.2-0ubuntu1.17
CVE-2024-4741	low	0.00	openssl	3.0.2-0ubuntu1.16	fixed in 3.0.2-0ubuntu1.17
CVE-2024-4603	low	0.00	openssl	3.0.2-0ubuntu1.16	fixed in 3.0.2-0ubuntu1.17
CVE-2024-26461	low	0.00	krb5	1.19.2-2ubuntu0.3	needed
CVE-2024-2511	low	0.00	openssl	3.0.2-0ubuntu1.16	fixed in 3.0.2-0ubuntu1.17
CVE-2023-45918	low	0.00	ncurses	6.3-2ubuntu0.1	needed

[jmweir]

Definitely need these as well. Is it possible to prioritize patching openssl?

[chipzoller]

Those CVEs come from Red Hat's UBI 9 base image and they are present even in the latest tag (9.5) which device plugin uses indirectly. Red Hat also states in the VEX for the image they won't be fixing most of those OpenSSL CVEs (which are all low anyhow).