Closed as not planned
Labels
lifecycle/rotten: Denotes an issue or PR that has aged beyond stale and will be auto-closed.
Description
What happened:
The recent trivy scan showed there are some CRITICAL and HIGH severity vulnerabilities in v3.6.4.
registry.k8s.io/sig-storage/csi-provisioner:v3.6.4 (debian 11.9)
================================================================
Total: 0 (HIGH: 0, CRITICAL: 0)
csi-provisioner (gobinary)
==========================
Total: 3 (HIGH: 2, CRITICAL: 1)
┌─────────┬────────────────┬──────────┬────────┬───────────────────┬─────────────────┬────────────────────────────────────────────────────────────┐
│ Library │ Vulnerability │ Severity │ Status │ Installed Version │ Fixed Version │ Title │
├─────────┼────────────────┼──────────┼────────┼───────────────────┼─────────────────┼────────────────────────────────────────────────────────────┤
│ stdlib │ CVE-2024-24790 │ CRITICAL │ fixed │ 1.21.5 │ 1.21.11, 1.22.4 │ golang: net/netip: Unexpected behavior from Is methods for │
│ │ │ │ │ │ │ IPv4-mapped IPv6 addresses │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2024-24790 │
│ ├────────────────┼──────────┤ │ ├─────────────────┼────────────────────────────────────────────────────────────┤
│ │ CVE-2023-45288 │ HIGH │ │ │ 1.21.9, 1.22.2 │ golang: net/http, x/net/http2: unlimited number of │
│ │ │ │ │ │ │ CONTINUATION frames causes DoS │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2023-45288 │
│ ├────────────────┤ │ │ ├─────────────────┼────────────────────────────────────────────────────────────┤
│ │ CVE-2024-34156 │ │ │ │ 1.22.7, 1.23.1 │ encoding/gob: golang: Calling Decoder.Decode on a message │
│ │ │ │ │ │ │ which contains deeply nested structures... │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2024-34156 │
└─────────┴────────────────┴──────────┴────────┴───────────────────┴─────────────────┴────────────────────────────────────────────────────────────┘
It seems some had been fixed in newer major versions. However, we cannot update to the major versions due to potential breaking changes mentioned in https://kubernetes-csi.github.io/docs/project-policies.html#versioning.
What is the supporting period for the minor versions? And could we have those CVE issues fixed?
What you expected to happen:
The CVE issues should be handled with the minor/patch release.
How to reproduce it:
Anything else we need to know?:
Environment:
- Driver version:
- Kubernetes version (use kubectl version):
- OS (e.g. from /etc/os-release):
- Kernel (e.g. uname -a):
- Install tools:
- Others:
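A triage helper, added here as an example and not part of the issue or of the csi-provisioner project: it takes the three stdlib findings from the trivy table above (constructed inline in the shape of trivy's `--format json` output, Results[].Vulnerabilities[], which is an assumption of this example rather than output copied from a scan) and works out, per CVE, whether rebuilding the binary on a later patch release of the same Go minor line closes it, and what the smallest Go release covering all three findings would be. That is the question behind the report: a Go stdlib CVE in a gobinary is fixed by the toolchain the image is rebuilt with, not by the driver's own release line.

```python
"""Triage Go stdlib findings from a trivy report: for each CVE, can it be
closed by rebuilding on a newer patch release of the Go minor line already
in use, or does it need a newer minor line?"""
import json
import re
from typing import Dict, List, Optional, Tuple

# Constructed input (not trivy's actual output): the three stdlib findings
# from the table in the issue, laid out the way trivy's `--format json` nests
# them (Results[].Vulnerabilities[]); that layout is an assumption here.
TRIVY_JSON = json.dumps({
    "Results": [
        {"Target": "registry.k8s.io/sig-storage/csi-provisioner:v3.6.4 (debian 11.9)",
         "Class": "os-pkgs", "Type": "debian"},
        {"Target": "csi-provisioner", "Class": "lang-pkgs", "Type": "gobinary",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-2024-24790", "PkgName": "stdlib", "Severity": "CRITICAL",
              "InstalledVersion": "1.21.5", "FixedVersion": "1.21.11, 1.22.4"},
             {"VulnerabilityID": "CVE-2023-45288", "PkgName": "stdlib", "Severity": "HIGH",
              "InstalledVersion": "1.21.5", "FixedVersion": "1.21.9, 1.22.2"},
             {"VulnerabilityID": "CVE-2024-34156", "PkgName": "stdlib", "Severity": "HIGH",
              "InstalledVersion": "1.21.5", "FixedVersion": "1.22.7, 1.23.1"},
         ]},
    ]
})

Version = Tuple[int, int, int]
_VER_RE = re.compile(r"^v?(\d+)\.(\d+)(?:\.(\d+))?$")


def parse_version(text: str) -> Version:
    """Parse a Go toolchain version such as '1.21.5' (a missing patch level is 0)."""
    m = _VER_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Go version: {text!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)


def covers(version: Version, fixed: List[Version]) -> bool:
    """True if `version` contains the fix. Go backports a fix to each still
    supported minor line, so `version` is fixed when it is at or past the
    fixed patch of its own minor line, or on a newer line than any listed.
    A version on a minor line between the listed ones is treated as unfixed."""
    if not fixed:
        return False
    same_line = [f for f in fixed if f[:2] == version[:2]]
    if same_line:
        return version >= min(same_line)
    return version[:2] > max(f[:2] for f in fixed)


def same_line_fix(installed: Version, fixed: List[Version]) -> Optional[Version]:
    """The patch release on the installed minor line that closes the CVE, or None."""
    same_line = [f for f in fixed if f[:2] == installed[:2]]
    return min(same_line) if same_line else None


def triage_stdlib(trivy_json: str) -> Dict[str, dict]:
    """Map each stdlib CVE in the gobinary result to its cheapest toolchain fix."""
    report = json.loads(trivy_json)
    out: Dict[str, dict] = {}
    for result in report.get("Results", []):
        if result.get("Type") != "gobinary":
            continue
        for vuln in result.get("Vulnerabilities") or []:
            if vuln.get("PkgName") != "stdlib":
                continue
            installed = parse_version(vuln["InstalledVersion"])
            fixed = [parse_version(v)
                     for v in vuln.get("FixedVersion", "").split(",") if v.strip()]
            out[vuln["VulnerabilityID"]] = {
                "severity": vuln.get("Severity"),
                "installed": installed,
                "fixed": sorted(fixed),
                "patch_fix": same_line_fix(installed, fixed),  # None => minor bump needed
            }
    return out


def minimum_toolchain(triage: Dict[str, dict]) -> Optional[Version]:
    """Smallest Go release that closes every finding, possibly on a newer minor line."""
    candidates = sorted({f for e in triage.values() for f in e["fixed"]})
    for c in candidates:
        if all(covers(c, e["fixed"]) for e in triage.values()):
            return c
    return None


if __name__ == "__main__":
    t = triage_stdlib(TRIVY_JSON)
    for cve, e in t.items():
        fix = e["patch_fix"]
        print(f"{cve} ({e['severity']}): "
              + (f"rebuild with Go {'.'.join(map(str, fix))}" if fix
                 else "no fix on this minor line; needs a newer Go minor"))
    print("minimum toolchain covering all findings:", minimum_toolchain(t))
```

Run as-is, it shows that two of the three findings close with a same-line rebuild on Go 1.21.11, while CVE-2024-34156 only has fixes on 1.22.7 and 1.23.1, so covering all three means Go 1.22.7 or later. For a real scan, feed the file from `trivy image --format json` through `json.load` in place of the constructed string; `covers` is deliberately conservative about minor lines that fall between the listed fixed versions.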