V1.14.x CVE 2023 45288 #9451

Merged
merged 5 commits into from
May 9, 2024
12 changes: 11 additions & 1 deletion .trivyignore
Expand Up @@ -30,4 +30,14 @@ CVE-2022-41721
# This CVE has not yet been patched in the kubectl version we are using, however it should not
# affect us as kubernetes does not use the affected code path (see description in
# https://github.com/kubernetes/kubernetes/pull/118036).
CVE-2023-2253
CVE-2023-2253

# These CVEs only impacts install of Gloo-Edge from Glooctl CLI.
# It only leads to a panic if there is a misconfigured / malicious helm plugin installed
# and can be easily resolved by removing the misconfigured / malicious plugin
# The helm bump will require bumping the k8s dependencies by +2 minor versions that can cause issues.
# https://github.com/advisories/GHSA-r53h-jv2g-vpx6
# https://github.com/solo-io/gloo/issues/9186
# https://github.com/solo-io/gloo/issues/9187
# https://github.com/solo-io/gloo/issues/9189
CVE-2024-26147
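Review bot: the new CVE-2024-26147 entry is accepted with no expiry or removal condition, and the comment above it has a grammar slip ("These CVEs only impacts" should read "only impact"). Since the stated reason for deferring the fix is that the Helm bump drags the Kubernetes dependencies up two minor versions, make the ignore self-expiring so it gets re-evaluated rather than forgotten: Trivy's ignore file accepts an `exp:` suffix (for example `CVE-2024-26147 exp:2024-09-30`), after which the scan fails again. It would also help to say in the comment that the risk is confined to glooctl loading a Helm plugin from the user's own machine, so a reader does not have to open three issues to confirm nothing server-side is affected.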
13 changes: 13 additions & 0 deletions changelog/v1.14.30/cve-kubctl-update.yaml
@@ -0,0 +1,13 @@
changelog:
- type: DEPENDENCY_BUMP
dependencyOwner: bitnami
dependencyRepo: kubectl
dependencyTag: 1.27.13
issueLink: https://github.com/solo-io/gloo/issues/9442
description: Upgrade image used to build kubectl to pick up CVE fixes.
- type: DEPENDENCY_BUMP
dependencyOwner: solo-io
dependencyRepo: cloud-builders
dependencyTag: 0.7.6
issueLink: https://github.com/solo-io/gloo/issues/9442
description: Update clouderbuilder image to use updated version of Go to pick up CVE fixes.
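Review bot: neither changelog entry names the CVE this PR exists for (the title says CVE-2023-45288, and the .trivyignore change adds CVE-2024-26147), and "to pick up CVE fixes" is not something anyone auditing a release later can search for. Put the advisory ids in each `description:`, fix the spelling of `clouderbuilder` (cloudbuilder) and of `kubctl` in the changelog filename, and note that the kubectl image goes from 1.25.15 to 1.27.13 in one step, since kubectl is only supported within one minor version of the API server it talks to and users reading the changelog will want to know that.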
8 changes: 4 additions & 4 deletions ci/cloudbuild/publish-artifacts.yaml
@@ -1,6 +1,6 @@
steps:

- name: 'gcr.io/$PROJECT_ID/prepare-go-workspace:0.7.1'
- name: 'gcr.io/$PROJECT_ID/prepare-go-workspace:0.7.6'
id: 'prepare-workspace'
args:
- '--repo-name'
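Review bot: the builder images are still referenced by mutable tag (`prepare-go-workspace:0.7.6`, `go-mod-make:0.7.6`) rather than by digest, so the Go toolchain used for a release build is whatever that tag points to on the day of the build. For a change whose whole point is to pick up a specific Go security fix, pin each `name:` as `image:0.7.6@sha256:<digest>` so the build is reproducible and the fix is verifiable, and record the Go version the 0.7.6 image carries in the changelog.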
Expand Down Expand Up @@ -44,7 +44,7 @@ steps:
- 'us-central1-a'

# Run make targets to push docker images to quay.io
- name: 'gcr.io/$PROJECT_ID/go-mod-make:0.7.1'
- name: 'gcr.io/$PROJECT_ID/go-mod-make:0.7.6'
id: 'docker-push-extended'
args:
- 'docker-push-extended'
Expand All @@ -65,7 +65,7 @@ steps:
waitFor:
- 'docker-push-extended'

- name: 'gcr.io/$PROJECT_ID/go-mod-make:0.7.1'
- name: 'gcr.io/$PROJECT_ID/go-mod-make:0.7.6'
id: 'release-chart'
dir: *dir
args:
Expand All @@ -82,7 +82,7 @@ steps:
- 'gcr-auth'

# Run make targets to retag and push docker images to GCR
- name: 'gcr.io/$PROJECT_ID/go-mod-make:0.7.1'
- name: 'gcr.io/$PROJECT_ID/go-mod-make:0.7.6'
id: 'docker-push-extended-gcr'
dir: *dir
args:
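Review bot: all four builder references in this file move from 0.7.1 to 0.7.6 together, which matches the 4 additions / 4 deletions summary for the file; if there are other cloudbuild configs under ci/cloudbuild/ (test or PR pipelines), check them for leftover 0.7.1 references (`grep -rn '0\.7\.1' ci/cloudbuild`), otherwise only the publish path gets the updated Go toolchain while the builds that produce test results keep the old one.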
2 changes: 1 addition & 1 deletion jobs/kubectl/Dockerfile
@@ -1,4 +1,4 @@
FROM bitnami/kubectl:1.25.15 as kubectl
FROM bitnami/kubectl:1.27.13 as kubectl

FROM alpine:3.17.6

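Review bot: the kubectl stage jumps two minor versions (1.25 to 1.27), so under the usual one-minor-version kubectl skew rule the resulting job image is only supported against clusters running 1.26 through 1.28; confirm that matches the Kubernetes versions Gloo Edge v1.14.x is meant to run against before merging a patch release. As with the builder images, `bitnami/kubectl:1.27.13` is a mutable tag; pinning it with `@sha256:<digest>` would make the CVE fix claimed here verifiable in the image that actually ships. The `alpine:3.17.6` final stage is left untouched, which is fine for this PR but worth a follow-up bump while you are in this file.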