Need fix for CVE-2023-45288 #261

Closed
andriisoldatenko opened this issue May 8, 2024 · 9 comments

@andriisoldatenko

If we bump go version from go1.21.5 to go1.21.10 we can solve the issue.

GHSA-4v7x-pqxf-cx7m

Please let me know if you need help, I can try to contribute if you accept the PR.

@andriisoldatenko
Author

@ggriffiths could you please help to understand how to bump go version? I see https://github.com/kubernetes/kubernetes/blob/master/.go-version#L1

and I see

configvar CSI_PROW_GO_VERSION_BUILD "1.21.5" "Go version for building the component" # depends on component's source code

but it's unclear how to bump it correctly.

@jsafrane
Contributor

I think this repo will get a new go version when it gets updated to Kubernetes 1.30 libraries. I'm waiting for a new github.com/kubernetes-csi/csi-lib-utils tag and then we will update all CSI sidecars.

@andriisoldatenko
Author

@jsafrane thanks!

@jwstein3400

@jsafrane Hi it appears that a new tag was released last week: https://github.com/kubernetes-csi/csi-lib-utils/releases/tag/v0.18.0
Does that mean we can expect to see all the CSI sidecars uplifted and tagged for release?

@andriisoldatenko
Author

andriisoldatenko commented May 28, 2024

The problem is that the new release doesn't exist in the registry:

Trying to pull registry.k8s.io/sig-storage/livenessprobe:v2.13.0...
Error: initializing source docker://registry.k8s.io/sig-storage/livenessprobe:v2.13.0: reading manifest v2.13.0 in registry.k8s.io/sig-storage/livenessprobe: manifest unknown: Failed to fetch "v2.13.0"

cc @jsafrane

@jsafrane
Contributor

jsafrane commented May 31, 2024

Windows image build fails because of microsoft/Windows-Containers#493 :-(
We need fixed Windows base images to get a final 2.13 build of all images.

@andriisoldatenko
Author

@jsafrane it seems the related ticket has been resolved: microsoft/Windows-Containers#493.

Could you please check why I still can't pull an image?

Trying to pull registry.k8s.io/sig-storage/livenessprobe:v2.13.0...
Error: initializing source docker://registry.k8s.io/sig-storage/livenessprobe:v2.13.0: reading manifest v2.13.0 in registry.k8s.io/sig-storage/livenessprobe: manifest unknown: Failed to fetch "v2.13.0"

@jsafrane
Contributor

I published livenessprobe:v2.13.1 this week, I am not able to re-build and re-publish v2.13.0 :-(

@andriisoldatenko
Author

I think the issue was resolved, so I am closing it because the image is available.

Thanks a lot for your help @jsafrane
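
A way to confirm the Go bump from the first comment on a built binary, added here as an example and not code from this repository: it reads the toolchain version embedded in a compiled Go binary and compares it numerically with go1.21.10, the release named in the issue (a plain string comparison would rank go1.21.5 above go1.21.10). The function names are hypothetical, and treating a different minor line as an error is an assumption of this example.

```go
package main

import (
	"debug/buildinfo"
	"fmt"
	"os"
	"strconv"
	"strings"
)

// parseGoVersion converts "go1.21.10" to [1 21 10]; release candidates and
// devel toolchains are rejected instead of guessed at.
func parseGoVersion(v string) (out [3]int, err error) {
	v, _, _ = strings.Cut(v, " ") // drop a trailing " X:..." experiment suffix
	parts := strings.Split(strings.TrimPrefix(v, "go"), ".")
	if !strings.HasPrefix(v, "go") || len(parts) < 2 || len(parts) > 3 {
		return out, fmt.Errorf("not a release toolchain version: %q", v)
	}
	for i, p := range parts {
		if out[i], err = strconv.Atoi(p); err != nil || out[i] < 0 {
			return out, fmt.Errorf("bad component %q in %q", p, v)
		}
	}
	return out, nil
}

// atLeast reports whether have is on want's minor line at or above its patch
// level. Another line is an error: newer lines need their own fixed release.
func atLeast(have, want string) (bool, error) {
	h, err1 := parseGoVersion(have)
	w, err2 := parseGoVersion(want)
	if err1 != nil || err2 != nil || h[0] != w[0] || h[1] != w[1] {
		return false, fmt.Errorf("%q not comparable with %q (parse: %v, %v)", have, want, err1, err2)
	}
	return h[2] >= w[2], nil
}

func main() {
	// With no argument the program inspects its own binary.
	info, err := buildinfo.ReadFile(os.Args[len(os.Args)-1])
	if err != nil {
		panic(err)
	}
	ok, err := atLeast(info.GoVersion, "go1.21.10") // target named in the issue
	fmt.Printf("%s at or above go1.21.10: %v (error: %v)\n", info.GoVersion, ok, err)
	if err != nil || !ok {
		os.Exit(1)
	}
}
```

Run it against the binary extracted from the image; exit status 1 means the binary predates the target release or is on a release line this check cannot judge.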
