
k3d/5.6.0-r9: cve remediation #16427

Merged (2 commits), Apr 9, 2024

Conversation

@debasishbsws (Member)

These CVEs are not present in the main k3d package; they are in k3d-proxy and come from https://github.com/iwilltry42/confd, which is not being maintained, I think. The last commit was 2 years ago.
I am looking to see if there is any way to update the Go modules.

k3d was using a fork of kelseyhightower/confd with almost no code update, just a Go version update with a go.mod file that is not present in the original repo's last release. Now using this one, as its deps are much more up to date compared to the fork k3d is using.

Signed-off-by: Debasish Biswas <debasishbsws.dev@gmail.com>
github-actions bot (Contributor) commented Apr 6, 2024

Package k3d:
Modified: /usr/bin/k3d

Package k3d-tools:
Modified: /usr/bin/k3d-tools

Package k3d-proxy:
Modified: /usr/bin/confd

bincapz found differences:

Changed: k3d-proxy/usr/bin/confd

Previous Risk: 🚨 4/CRITICAL
New Risk: ✅ 2/MEDIUM

RISK         KEY                   DESCRIPTION
-4/CRITICAL  ref/site/tor_onion    contains hardcoded TOR onion address: "rtexistscgetvsgetenvnetdnsdomaingophertelnetreturnlisten.onion"
+2/MEDIUM    ref/path/root         references paths within /root: "/root/sign-self-issued /root/sys/sealincrement%w"
+2/MEDIUM    ref/program/sudo      calls sudo: "sudo"
+2/MEDIUM    ref/words/intercept   references interception: "interceptor"
-1/LOW       compression/bzip2     works with bzip2 files

@debasishbsws (Member) commented Apr 6, 2024

k3d was using a fork of kelseyhightower/confd with almost no code update; they just updated the Go version with a go.mod file that is not present in the original repo's last release.

As there are a lot of CVEs in the forked confd k3d is using compared to the original confd, which has been updated with new dependencies, it is better to use that one. The ISSUE is that the latest release was in May 2018, and the changes are recent. I avoid git-checkout to the last tag and instead use simple git commands in the runs statement.

It fixes all the CVEs, but I'm not sure if there is any better way.
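To confirm that a rebuilt k3d-proxy really stopped linking the fork and picked up newer dependency versions, the check below parses the build info that Go embeds in every binary (`go version -m /usr/bin/confd`). It is an added example for this thread, not code from the PR, from k3d or from confd. The two module paths are the ones named above; the build-info text it runs on is constructed by hand in the `go version -m` record format, and its Go versions, dependency versions, `h1:` hashes and the `github.com/example/yaml` replacement module are made up for the example, not taken from any real build.

```shell
#!/bin/sh
# Added example, not part of k3d, confd or this PR: inspect the Go build info
# embedded in a binary to see which confd module (upstream vs fork) and which
# dependency versions were actually linked in.
#
# Real usage:   report "$(go version -m /usr/bin/confd)"
# The samples below are constructed in the `go version -m` format
# (tab-separated "path", "mod", "dep" and "=>" records) so this runs offline;
# every version and hash in them is invented.

set -eu

OLD_FORK='github.com/iwilltry42/confd'
UPSTREAM='github.com/kelseyhightower/confd'

# Constructed sample 1: binary built from the fork, with an old x/crypto and
# a replace directive (the "=>" record follows the dep it replaces).
sample_fork() {
  printf '/usr/bin/confd: go1.19.13\n'
  printf '\tpath\t%s\n' "$OLD_FORK"
  printf '\tmod\t%s\t(devel)\n' "$OLD_FORK"
  printf '\tdep\tgolang.org/x/crypto\tv0.0.0-20190308221718-c2843e01d9a2\th1:AAAA\n'
  printf '\tdep\tgopkg.in/yaml.v2\tv2.2.2\th1:BBBB\n'
  printf '\t=>\tgithub.com/example/yaml\tv2.2.3\th1:CCCC\n'
}

# Constructed sample 2: binary built from upstream confd at a recent commit.
sample_upstream() {
  printf '/usr/bin/confd: go1.22.1\n'
  printf '\tpath\t%s\n' "$UPSTREAM"
  printf '\tmod\t%s\t(devel)\n' "$UPSTREAM"
  printf '\tdep\tgolang.org/x/crypto\tv0.21.0\th1:DDDD\n'
  printf '\tdep\tgopkg.in/yaml.v2\tv2.4.0\th1:EEEE\n'
}

# Main module path recorded in the build info (the "mod" record).
# A leading tab makes the record type field $2 and the module path $3.
main_module() {  # $1 buildinfo text
  printf '%s\n' "$1" | awk -F '\t' '$2 == "mod" { print $3 }'
}

# Version linked for one module. If a "=>" record follows its dep line, the
# replacement's path and version are what was actually compiled in.
module_version() {  # $1 buildinfo text, $2 module path
  printf '%s\n' "$1" | awk -F '\t' -v m="$2" '
    $2 == "mod" || $2 == "dep" { matched = ($3 == m); if (matched) out = $4; next }
    $2 == "=>" && matched      { out = $4 " (replaced by " $3 ")"; matched = 0 }
    END { if (out != "") print out }
  '
}

# Exit 0 if any module record (main, dep or replacement) matches the pattern.
uses_module() {  # $1 buildinfo text, $2 awk regex on the module path
  printf '%s\n' "$1" | awk -F '\t' -v p="$2" '
    ($2 == "mod" || $2 == "dep" || $2 == "=>") && $3 ~ p { found = 1 }
    END { exit !found }
  '
}

# Human-readable summary: where the binary came from and what it links.
report() {  # $1 buildinfo text
  echo "main module: $(main_module "$1")"
  if uses_module "$1" "$OLD_FORK"; then
    echo "WARNING: still built from or depending on $OLD_FORK"
  else
    echo "ok: no reference to $OLD_FORK"
  fi
  printf '%s\n' "$1" | awk -F '\t' '$2 == "dep" { print "  dep " $3 " " $4 }'
}

# Stand-alone run over the constructed samples.
report "$(sample_fork)"
echo
report "$(sample_upstream)"
```

The same embedded module list is what `govulncheck -mode=binary /usr/bin/confd` matches against the Go vulnerability database, so running it on the rebuilt binary is the direct way to verify the CVE claim rather than trusting the package-level rebuild alone.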

k3d.yaml: two review threads, resolved
@pdeslaur merged commit 505a4f2 into main on Apr 9, 2024
8 checks passed
@pdeslaur deleted the cve-k3d-069629115e3e8ec352dacaaa267266dc branch on April 9, 2024 16:27
3 participants