Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

chore(deps): address CVE-2023-39325, CVE-2023-47108 and GHSA-m425-mq9… #402

Merged
merged 1 commit into from
Jan 18, 2024
Merged

chore(deps): address CVE-2023-39325, CVE-2023-47108 and GHSA-m425-mq9… #402

merged 1 commit into from
Jan 18, 2024

Conversation

cmontemuino
Copy link
Contributor

Upgrade images to fix the following vulnerabilities:

Description

CVE-2023-47108 and CVE-2023-39325 fixed in v2.10.0 from node-driver-registar

GHSA-m425-mq94-257g fixed in v2.10.0 from node-driver-registar, and v6.3.3 from csi-snapshotter (and controller) images.

Motivation and Context

Have no HIGH vulnerabilities in mayastor-extensions

Regression

No
--- see how your change affects other areas of the code, etc. -->

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to change)

Checklist:

  • My code follows the code style of this project.
  • My change requires a change to the documentation.
  • I have updated the documentation accordingly.
  • I have added unit tests to cover my changes.
    • It not applicable to this changeset

@cmontemuino
Copy link
Contributor Author

This other PR is blocking #402

  • csi-node-driver-registrar v2.10.0 has not been published yet

@tiagolobocastro tiagolobocastro added the DO NOT MERGE Bors-compliant label to avoid accidental merges label Jan 9, 2024
@tiagolobocastro
Copy link
Contributor

This other PR is blocking #402

* csi-node-driver-registrar v2.10.0 has not been published yet

The release seems to be there though? https://github.com/kubernetes-csi/node-driver-registrar/releases/tag/v2.10.0

@cmontemuino
Copy link
Contributor Author

This other PR is blocking #402

* csi-node-driver-registrar v2.10.0 has not been published yet

The release seems to be there though? https://github.com/kubernetes-csi/node-driver-registrar/releases/tag/v2.10.0

Yes, the release is there, but the image has not been published. AFAIK that's done in a different repo (basically the one I've created that other PR).

@tiagolobocastro
Copy link
Contributor

Yes, the release is there, but the image has not been published. AFAIK that's done in a different repo (basically the one I've created that other PR).

Ah, which other PR?

@cmontemuino
Copy link
Contributor Author

Yes, the release is there, but the image has not been published. AFAIK that's done in a different repo (basically the one I've created that other PR).

Ah, which other PR?

Apologies! I was pasting the wrong PR link 🤦 : kubernetes/k8s.io#6256

@tiagolobocastro
Copy link
Contributor

Apologies! I was pasting the wrong PR link 🤦 : kubernetes/k8s.io#6256

no worries, it happens :)
Got it, cool! I've added a blocking label here to prevent this from getting merged, please remove the label or ping us once 2.10 is merged. Thanks!

@cmontemuino
Copy link
Contributor Author

@tiagolobocastro csi-node-driver-registrar v2.10.0 image is available already.
It's ok to proceed with this PR.

@cmontemuino cmontemuino force-pushed the address-vulnerabilities-csi-images branch from 16b488d to 7c6b029 Compare January 10, 2024 14:12
@cmontemuino
chore(deps): address CVE-2023-39325, CVE-2023-47108 and GHSA-m425-mq9…
d4e7102 
…4-257g

CVE-2023-47108 and CVE-2023-39325 fixed in v2.10.0 from
node-driver-registar

GHSA-m425-mq94-257g fixed in v2.10.0 from node-driver-registar,
and v6.3.3 from csi-snapshotter (and controller) images.

https://avd.aquasec.com/nvd/2023/cve-2023-47108/
https://avd.aquasec.com/nvd/2023/cve-2023-39325/
GHSA-m425-mq94-257g
Signed-off-by: cmontemuino <1761056+cmontemuino@users.noreply.github.com>
@cmontemuino cmontemuino force-pushed the address-vulnerabilities-csi-images branch from 7c6b029 to d4e7102 Compare January 10, 2024 14:14
@tiagolobocastro
Copy link
Contributor

@niladrih @Abhinandan-Purkait can we get a review here? thanks

@tiagolobocastro
Copy link
Contributor

bors merge

@bors-openebs-mayastor
Copy link
Contributor

👎 Rejected by label

@tiagolobocastro tiagolobocastro removed the DO NOT MERGE Bors-compliant label to avoid accidental merges label Jan 18, 2024
@tiagolobocastro
Copy link
Contributor

bors merge

@bors-openebs-mayastor
Copy link
Contributor

Build succeeded:

@bors-openebs-mayastor bors-openebs-mayastor bot merged commit a6a3494 into openebs:develop Jan 18, 2024
5 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@niladrih niladrih niladrih approved these changes

@tiagolobocastro tiagolobocastro tiagolobocastro approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@cmontemuino @tiagolobocastro @niladrih