brancz / kube-rbac-proxy

Kubernetes RBAC authorizing HTTP proxy for a single upstream.
Apache License 2.0

CVE-2023-47108 "Vulnerability detected affecting otelgrpc v0.42.0" found in kube-rbac-proxy v0.16.0 #281

Closed nirav-radia-sp closed 3 months ago

nirav-radia-sp commented 6 months ago

18:58:19 + python /app/cs_imagescan.py --repo /mirror/quay.io/brancz/kube-rbac-proxy --skip-push --tag v0.16.0 -c us-2
18:58:19 INFO Downloading Image Scan Report
18:58:30 INFO Searching for vulnerabilities in scan report...
18:58:30 WARNING HIGH CVE-2023-47108 Vulnerability detected affecting go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.42.0
18:58:30 INFO Searching for leaked secrets in scan report...
18:58:30 INFO Searching for malware in scan report...
18:58:30 INFO Searching for misconfigurations in scan report...
18:58:30 ERROR Exiting: Vulnerability score threshold exceeded: '500' out of '500'

We're seeing the above vulnerability in the latest (v0.16.0) version of kube-rbac-proxy. What is the mitigation timeline for fixing this?

changluyi commented 6 months ago

I encountered the same issue and submitted a PR, but no one has replied to me: https://github.com/brancz/kube-rbac-proxy/pull/282

ibihim commented 6 months ago

Hi,

I will take a look, but CVEs in dependencies that are not within the code path of kube-rbac-proxy are not a priority. kube-rbac-proxy doesn't use any instrumentation itself.

I am the only maintainer and I need to prioritize; code changes to satisfy code scanners are not at the top. (In case you are curious, the order is: 1. real CVEs, 2. bugs, 3. the work to make it a Kubernetes project.)

https://github.com/kubernetes/kubernetes/pull/121338#issue-1950840866
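As an added example that is not part of this thread or of kube-rbac-proxy: a small POSIX shell check a reviewer can run inside the repository to tell whether a module flagged by an image scanner (here the otelgrpc module named in the report above) is actually needed by the main module's build, based on the output of `go mod why -m`. The sample outputs below are constructed, not captured from a real run.

```shell
#!/usr/bin/env sh
# Added example, not project code. `go mod why -m <module>` prints an import chain
# from the main module when the module is in the build graph, and the line
# "(main module does not need module <module>)" when it is only a go.sum/transitive
# entry that no package of the main module imports. A finding in the second group
# is a scanner hit on an unreachable dependency; it still merits a version bump to
# quiet scanners, but it is not code that kube-rbac-proxy executes.

# reachable_in_build <module> <output-of-go-mod-why>
# Prints "reachable" or "unreachable"; returns 0 or 1 respectively.
reachable_in_build() {
    module="$1"
    why_output="$2"
    case "$why_output" in
        *"(main module does not need module $module)"*)
            echo "unreachable"; return 1 ;;
        *)
            echo "reachable"; return 0 ;;
    esac
}

# classify_finding <module>: runs `go mod why -m` if a Go toolchain and go.mod are present.
classify_finding() {
    module="$1"
    if ! command -v go >/dev/null 2>&1 || [ ! -f go.mod ]; then
        echo "no go toolchain or go.mod here; run inside the repository checkout" >&2
        return 2
    fi
    reachable_in_build "$module" "$(go mod why -m "$module" 2>&1)"
}

# Constructed sample outputs for the module from the scan report (assumed shapes).
OTELGRPC='go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc'
SAMPLE_UNUSED="# $OTELGRPC
(main module does not need module $OTELGRPC)"
SAMPLE_USED="# $OTELGRPC
github.com/brancz/kube-rbac-proxy/cmd/kube-rbac-proxy
$OTELGRPC"
```

Run `classify_finding "$OTELGRPC"` from the repository root to check the real build graph; the two SAMPLE_* strings only exercise the parser offline.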

ibihim commented 6 months ago

@changluyi, your PRs are not working.

It would be nice if you could at least check if it builds.

ibihim commented 5 months ago

Should be fixed with https://github.com/brancz/kube-rbac-proxy/pull/287

nirav-radia-sp commented 5 months ago

Should be fixed with #287

@ibihim The CVE is pointing to otelgrpc v0.42.0 as the source of the vulnerability. But we have not updated that reference in the above PR. Curious how that fixes the said issue?

ibihim commented 5 months ago

Does it not? I assumed that k8s fixed it in v1.29.

https://github.com/kubernetes/kubernetes/blob/master/go.mod#L68

Curious why upstream doesn't fix it...

... Anyway, I will try to bump it then by hand. It is not easy to bump the telemetry stuff. It looks like their dependencies are a "Kuddelmuddel", as we would say in Germany. A mess. And it doesn't affect krp.

ibihim commented 3 months ago

Should be fixed. If not, please reopen. #298