Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix(security): vulnerabilities found in keychain-vault-server #2058

Closed
zondervancalvez opened this issue Jun 1, 2022 · 2 comments
Closed

fix(security): vulnerabilities found in keychain-vault-server #2058

zondervancalvez opened this issue Jun 1, 2022 · 2 comments
Labels
dependencies Pull requests that update a dependency file Keychain Tasks/bugs related to the Keychain plugin core interfaces or any of the implementations themselves. P2 Priority 2: High Security Related to existing or potential security vulnerabilities

Comments

@zondervancalvez
Copy link
Contributor

List of vulnerabilities found in keychain-vault-server image during Azure Container scan.

VULNERABILITY ID PACKAGE NAME SEVERITY
CVE-2021-22946 curl HIGH
CVE-2022-1304 e2fsprogs HIGH
CVE-2018-12886 gcc-8-base HIGH
CVE-2022-29458 libtinfo6 HIGH
CVE-2019-3843 libudev1 HIGH
CVE-2019-3844 libudev1 HIGH
CVE-2022-29458 ncurses-base HIGH
CVE-2022-29458 ncurses-bin HIGH
CVE-2020-16156 perl-base HIGH
@petermetz petermetz added P2 Priority 2: High dependencies Pull requests that update a dependency file Security Related to existing or potential security vulnerabilities Keychain Tasks/bugs related to the Keychain plugin core interfaces or any of the implementations themselves. labels Jun 2, 2022
aldousalvarez added a commit to aldousalvarez/cactus that referenced this issue Jan 11, 2023
@aldousalvarez
fix(security): vulnerabilities found in keychain-vault-server
567cb22 
Fixes hyperledger-cacti#2058

Signed-off-by: aldousalvarez <aldousss.alvarez@gmail.com>
@aldousalvarez aldousalvarez mentioned this issue Jan 11, 2023
Closed
aldousalvarez added a commit to aldousalvarez/cactus that referenced this issue Jan 11, 2023
@aldousalvarez
fix(security): vulnerabilities found in keychain-vault-server
e0193b3 
Fixes hyperledger-cacti#2058

Signed-off-by: aldousalvarez <aldousss.alvarez@gmail.com>
aldousalvarez added a commit to aldousalvarez/cactus that referenced this issue Jan 23, 2023
@aldousalvarez
fix(security): vulnerabilities found in keychain-vault-server
48cf843 
Fixes hyperledger-cacti#2058

Signed-off-by: aldousalvarez <aldousss.alvarez@gmail.com>
aldousalvarez added a commit to aldousalvarez/cactus that referenced this issue Jan 23, 2023
@aldousalvarez
fix(security): vulnerabilities found in keychain-vault-server
0a2039f 
Fixes hyperledger-cacti#2058

Signed-off-by: aldousalvarez <aldousss.alvarez@gmail.com>
aldousalvarez added a commit to aldousalvarez/cactus that referenced this issue Jan 24, 2023
@aldousalvarez
fix(security): vulnerabilities found in keychain-vault-server
091f07b 
Fixes hyperledger-cacti#2058

Signed-off-by: aldousalvarez <aldousss.alvarez@gmail.com>
aldousalvarez added a commit to aldousalvarez/cactus that referenced this issue Jan 24, 2023
@aldousalvarez
fix(security): vulnerabilities found in keychain-vault-server
63b19bc 
Fixes hyperledger-cacti#2058

Signed-off-by: aldousalvarez <aldousss.alvarez@gmail.com>
aldousalvarez added a commit to aldousalvarez/cactus that referenced this issue Jan 25, 2023
@aldousalvarez
fix(security): vulnerabilities found in keychain-vault-server
57a3b42 
Fixes hyperledger-cacti#2058

Signed-off-by: aldousalvarez <aldousss.alvarez@gmail.com>
aldousalvarez added a commit to aldousalvarez/cactus that referenced this issue Jan 25, 2023
@aldousalvarez
fix(security): vulnerabilities found in keychain-vault-server
a8ede67 
Fixes hyperledger-cacti#2058

Signed-off-by: aldousalvarez <aldousss.alvarez@gmail.com>
aldousalvarez added a commit to aldousalvarez/cactus that referenced this issue Jan 25, 2023
@aldousalvarez
fix(security): vulnerabilities found in keychain-vault-server
35b66ed 
Fixes hyperledger-cacti#2058

Signed-off-by: aldousalvarez <aldousss.alvarez@gmail.com>
aldousalvarez added a commit to aldousalvarez/cactus that referenced this issue Feb 16, 2023
@aldousalvarez
fix(security): vulnerabilities found in keychain-vault-server
6e2f52a 
Fixes hyperledger-cacti#2058

Signed-off-by: aldousalvarez <aldousss.alvarez@gmail.com>
aldousalvarez added a commit to aldousalvarez/cactus that referenced this issue Feb 16, 2023
@aldousalvarez
fix(security): vulnerabilities found in keychain-vault-server
122a073 
Fixes hyperledger-cacti#2058

Signed-off-by: aldousalvarez <aldousss.alvarez@gmail.com>
@ruzell22
Copy link
Contributor

ruzell22 commented Apr 6, 2023

Hello @petermetz , can you assign this to me? Thank you.

ruzell22 added a commit to ruzell22/cactus that referenced this issue Jul 24, 2023
@ruzell22
fix(security): vulnerabilities found in keychain-vault-server hyperle…
31787e5 
…dger-cacti#2058

fixes: hyperledger-cacti#2058
Signed-off-by: ruzell22 <ruzell.vince.aquino@accenture.com>
@ruzell22 ruzell22 mentioned this issue Jul 24, 2023
Closed
ruzell22 added a commit to ruzell22/cactus that referenced this issue Jul 25, 2023
@ruzell22
fix(security): vulnerabilities found in keychain-vault-server hyperle…
9d174ad 
…dger-cacti#2058

fixes: hyperledger-cacti#2058

trivy scanner verified that the vulnerabilities in keychain-vault-server
is not appearing anymore. CVEs are the following
- CVE-2021-22946
- CVE-2022-1304
- CVE-2018-12886
- CVE-2022-29458
- CVE-2019-3843
- CVE-2019-3844
- CVE-2022-29458 (base)
- CVE-2022-29458 (bin)
- CVE-2020-16156

No changes was needed to be merged.

Signed-off-by: ruzell22 <ruzell.vince.aquino@accenture.com>
ruzell22 added a commit to ruzell22/cactus that referenced this issue Jul 25, 2023
@ruzell22
fix(keychain-vault-server): address CVEs: CVE-2021-22946, CVE-2022-1304
05fb935 
…, CVE-2018-12886, CVE-2022-29458, CVE-2019-3843, CVE-2019-3844, CVE-2022-29458, CVE-2020-16156

fixes: hyperledger-cacti#2058

trivy scanner verified that the vulnerabilities in keychain-vault-server
is not appearing anymore. CVEs are the following
- CVE-2021-22946
- CVE-2022-1304
- CVE-2018-12886
- CVE-2022-29458
- CVE-2019-3843
- CVE-2019-3844
- CVE-2022-29458 (base)
- CVE-2022-29458 (bin)
- CVE-2020-16156

No changes was needed to be merged.

Signed-off-by: ruzell22 <ruzell.vince.aquino@accenture.com>
@petermetz
Copy link
Contributor

Closing as done because the vulnerabilities have been addressed by some other PR in the meantime as evidenced by https://github.com/hyperledger/cacti/pull/2565

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
dependencies Pull requests that update a dependency file Keychain Tasks/bugs related to the Keychain plugin core interfaces or any of the implementations themselves. P2 Priority 2: High Security Related to existing or potential security vulnerabilities
Projects
None yet
Milestone
No milestone
3 participants
@petermetz @zondervancalvez @ruzell22