Closed nirav-radia-sp closed 3 months ago
I encountered the same issue and submitted a PR, but no one has replied to me: https://github.com/brancz/kube-rbac-proxy/pull/282
Hi,
I will take a look, but CVEs in dependencies that are not within the code path of kube-rbac-proxy are not a priority. kube-rbac-proxy doesn't use any instrumentation itself.
I am the only maintainer and I need to prioritize, and code changes to satisfy code scanners are not at the top. (In case you are curious, the order is: 1. real CVEs, 2. bugs, 3. the work to make it a Kubernetes project.)
https://github.com/kubernetes/kubernetes/pull/121338#issue-1950840866
@changluyi, your PRs are not working.
It would be nice if you could at least check if it builds.
Should be fixed with https://github.com/brancz/kube-rbac-proxy/pull/287
@ibihim The CVE points to otelgrpc v0.42.0 as the source of the vulnerability, but we have not updated that reference in the above PR. Curious how that fixes the said issue?
Does it not? I assumed that k8s fixed it in v1.29.
https://github.com/kubernetes/kubernetes/blob/master/go.mod#L68
Curious why upstream doesn't fix it...
... Anyway, I will try to bump it by hand then. It is not easy to bump the telemetry stuff. It looks like their dependencies are a "Kuddelmuddel", as we would say in Germany. A mess. And it doesn't affect krp.
Should be fixed. If not, please reopen. #298
We're seeing the above vulnerability in the latest (v0.16.0) version of kube-rbac-proxy. What is the mitigation timeline for fixing this?