Skip to content
This repository has been archived by the owner on Jul 15, 2024. It is now read-only.

Vulnerable golang version used to package applicationset-controller #571

Open
rimasgo opened this issue Apr 4, 2022 · 2 comments
Open

Comments

@rimasgo
Copy link

rimasgo commented Apr 4, 2022

Hello,

Applicationset-controller packaged using old golang version which contains vulnerabilities.

{
"name": "go",
"version": "1.17.6",
"path": "/usr/local/bin/applicationset-controller",
"layerTime": 1646920413,
"knownVulnerabilities": 55
},

CVEs:

CVE-2022-23806 | critical | | go | 1.17.6 | fixed in 1.17.7, 1.16.14 | 11-Feb-2022 00:00 | 21-Mar-2022 13:11
CVE-2022-24921 | high | | go | 1.17.6 | fixed in 1.17.8, 1.16.15 | 03-Mar-2022 00:00 | 21-Mar-2022 13:11
CVE-2022-23773 | high | | go | 1.17.6 | fixed in 1.17.7, 1.16.14 | 18-Nov-2019 00:00 | 21-Mar-2022 13:11
CVE-2022-23772 | high | | go | 1.17.6 | fixed in 1.17.7, 1.16.14 | 19-Jan-2022 00:00 | 21-Mar-2022 13:11

I have raised similar ticket for argocd package.

argoproj/argo-cd#8853

It was fixed under argoproj/argo-cd#8866

Could you please repackage the applicationset-controller and release new image with binary built with latest golang version?

Thanks!

@rishabh625
Copy link
Contributor

@wtam2018 @jgwest : should we have to re release older version?

@jgwest
Copy link
Member

jgwest commented Apr 5, 2022

None of the CVEs impact APIs that are consumed by the applicationset controller, AFAIK.

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
None yet
Projects
None yet
Development

No branches or pull requests

3 participants