Are high vulnerabilities being addressed? #402
Comments
Could someone give an ETA on when the next release will be available and if it will incorporate resolution of the previously listed CVEs?
These are vulns for the rust openssl package; how did you find that this repo, written in golang, uses those dependencies? I couldn't find anything related with ssl in https://github.com/kubernetes-csi/csi-driver-host-path/blob/master/go.mod
Thank you for the response. We are using AWS and the container is /k8s.gcr.io/sig-storage/hostpathplugin if that helps you. The scanner we are using is Sysdig and it is finding them as known, vulnerable CVEs, so there is something about libssl and libcrypto deployed in this container that is triggering these high findings. This is an off-the-shelf container and not anything that we would have built.
Gotcha, there might be vulnerabilities in the image https://github.com/kubernetes-csi/csi-driver-host-path/blob/master/Dockerfile. So this CSI Driver is used for testing purposes as a demo CSI Driver. I added this to our backlog, but we don't have SLOs for components that aren't supposed to be used in production, cc @msau42. If you're using this in production maybe you should evaluate other solutions.
@ronkara Please feel free to submit fixes for CVEs and we can help review and merge them.
/help wanted
Hi @xing-yang, I don't have a mergeable fix, but the files in question may be part of the alpine build or the linux-coreutils, as the Sysdig container scan states they are OS vulns. The specific issue and the fix versions are as follows: libcrypto1.1 fix version 1.1.1t-r0. The CVEs are listed in the original message. Just because rust isn't being used, I suspect updating the build to the latest version of alpine and linux-coreutils will resolve these vulnerabilities for us.
Hi @xing-yang, as @ronkara mentioned the following CVEs above:
/help wanted, please, if someone has the capability of updating the underlying alpine build, to see if this resolves the libcrypto1.1 (fix version 1.1.1t-r0) and libssl1.1 (fix version 1.1.1t-r0) findings per guidance from singhc1997.
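As an added example (not code from this thread or from the csi-driver-host-path project), the check below parses a constructed `apk info -v` listing of the image's Alpine packages and reports whether libcrypto1.1 and libssl1.1 are still below the 1.1.1t-r0 fix version quoted above, which is the test a rebuilt image should pass before the scanner is re-run. The name/version splitting and the version ordering are simplified assumptions, not apk-tools' own logic.

```python
import re

# Packages and fixed Alpine version quoted in the thread, and the CVEs they cover.
LIBSSL_FIXES = {"libcrypto1.1": "1.1.1t-r0", "libssl1.1": "1.1.1t-r0"}
LIBSSL_CVES = ("CVE-2022-4450", "CVE-2023-0215", "CVE-2023-0286")

# Constructed sample of `apk info -v` output ('name-version-rN' per line);
# the installed versions are made up for the demonstration.
SAMPLE_APK_INFO = """\
musl-1.2.3-r4
busybox-1.35.0-r29
libcrypto1.1-1.1.1s-r0
libssl1.1-1.1.1s-r0
ca-certificates-bundle-20220614-r0
"""

def split_version(ver_rel: str):
    """'1.1.1t-r0' -> ('1.1.1t', 0)."""
    ver, _, rel = ver_rel.rpartition("-r")
    return ver, int(rel)

def split_apk_name(entry: str):
    """'libcrypto1.1-1.1.1s-r0' -> ('libcrypto1.1', '1.1.1s', 0).
    Simplified rule (an assumption, not apk-tools' own parser): the
    version starts at the last '-' that is followed by a digit."""
    base, rel = split_version(entry)
    cut = max(i for i, c in enumerate(base) if c == "-" and base[i + 1].isdigit())
    return base[:cut], base[cut + 1:], rel

def version_key(ver: str, rel: int):
    """Sort key for versions shaped like 1.2.3[a]-rN: numeric parts, then the
    single-letter suffix, then the release (no _rc/_p suffix support)."""
    m = re.fullmatch(r"(\d+(?:\.\d+)*)([a-z]?)", ver)
    if not m:
        raise ValueError(f"unsupported version syntax: {ver}")
    return tuple(int(x) for x in m.group(1).split(".")), m.group(2), rel

def outdated_packages(apk_info: str, fixes=LIBSSL_FIXES):
    """(package, installed, fixed) for each fix-listed package that is installed
    at a version older than the fixed one, i.e. still flagged for LIBSSL_CVES."""
    findings = []
    for line in apk_info.split():
        name, ver, rel = split_apk_name(line)
        if name in fixes and version_key(ver, rel) < version_key(*split_version(fixes[name])):
            findings.append((name, f"{ver}-r{rel}", fixes[name]))
    return findings
```

Run it against `apk info -v` captured from the image before and after bumping the base image; an empty result for the rebuilt image is the signal that the Sysdig findings for these three CVEs should clear.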
@ronkara wondering if you will have some bandwidth to help fix this?
Hello,
This is a question; however, vulnerability updating per NIST standards requires them to be resolved within specific timeframes. We would like to update to version 1.11 from 1.10; however, we are not seeing resolution of the CVEs listed below even though there are fixes available. Can you tell me when version 1.12 will be released and if it will fix the libcrypto and libssl vulns associated with the CVEs? I am required to publish updates to our customers on a monthly basis regarding existing vulns and, if they are not remediated within expected timeframes, when the last time I contacted the vendor was, etc.
CVE-2022-4450
CVE-2023-0215
CVE-2023-0286
thank you!