Closed rvdheij closed 6 months ago
I have multiple customers who also rely on this dependency. Is there any update as to when this update will be made available?
@jbostian, Please see question above.
We'll take a look and estimate an update for this. I don't currently have a timeframe for an upgrade, but we'll try to get something soon.
Hi @jbostian Any update? Thanks, Josh
If you're not afraid to take gifts from strangers, you might like this one
`docker pull rvdheij/grafana:9.5.13`
Be aware that it runs the grafana process not as root anymore, so you may have to chown things in a persistent volume.
I just wanted to provide an update.
As of now, I have updated the unix libs/services in all currently hosted Grafana images on icr. Currently, the ICR vulnerability manager shows these images as having 0 security issues. With that said, I am aware that most (with few exceptions) versions of Grafana < 10.2.2 are deemed to be insecure when referencing the link attached to this issue.
I have been attempting to build version 10.2.2 but have found some minor issues when resolving dependencies needed for the javascript portion of the build process - which I am currently debugging. I am hopeful to upload a working 10.2.2 version of Grafana by the end of the week.
Thank you for the update!
No problem!
Grafana version 10.2.2 is now uploaded on icr: `icr.io/ibmz/grafana:10.2.2`
Please reference our official index for the appropriate pull string that includes the sha256 value.
Thank you to @rvdheij for the pointers - you were very helpful!
I'll close this for now, but if there are any issues with the image feel free to reopen or create a new one.
Thank you!
Software Name: Grafana
Software Version: 9.5.13 (to address CVE-2023-4822 with classification "high")
Software Value: Beautiful popular dashboards.
Requestors Role: Just verified that it builds with my Dockerfile (that I can share when necessary)
Please Note: I also dropped some packages like `curl` from the image because scanners were concerned about it. Also changed to not run as root as that's also considered bad practice.