buildpacks-community / kpack

Kubernetes Native Container Build Service
Apache License 2.0

Address CVE-2024-41110 #1728

Open BRONSOLO opened 1 week ago

BRONSOLO commented 1 week ago

An upgrade of the Docker Golang package is needed to address: https://github.com/advisories/GHSA-v23v-6jw2-98fq

| pkg | current | fixed |
| --- | --- | --- |
| github.com/docker/docker | v25.0.5+incompatible | 23.0.15, 26.1.5, 27.1.1, 25.0.6 |
diarmuidie commented 1 day ago

This was fixed in lifecycle v0.20.1 (kpack currently uses v0.17.2) but they noted that it is "Non-impactful as the lifecycle uses only the docker client library" : https://github.com/buildpacks/lifecycle/issues/1391#issuecomment-2286941393

BRONSOLO commented 1 day ago

Thanks @diarmuidie! Is the lifecycle dependency the only source of the github.com/docker/docker import? In other words, could we safely assume all images built for the kpack project that report this vulnerability are not impacted because the reported vulnerability is stemming from the lifecycle dependency, which uses only the docker client library?

tomkennedy513 commented 1 day ago

Yeah, this appears to only affect the Docker engine itself, so we should be okay.
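A way to check the question raised above, namely whether the lifecycle dependency is the only path by which `github.com/docker/docker` enters the module graph, as an added example that is not part of this thread or of kpack's code: it consumes `go mod graph` output and lists every dependency path to a target module and the direct dependencies responsible. The graph below is constructed, with `example.com/app` standing in for the kpack module.

```python
from collections import defaultdict

ROOT = "example.com/app"  # constructed stand-in for the kpack module
# Constructed `go mod graph` output; each line is "requirer requiree@version".
SAMPLE_GRAPH = """\
example.com/app github.com/buildpacks/lifecycle@v0.17.2
example.com/app example.com/registry-lib@v1.2.0
github.com/buildpacks/lifecycle@v0.17.2 github.com/docker/docker@v25.0.5+incompatible
github.com/buildpacks/lifecycle@v0.17.2 example.com/registry-lib@v1.2.0
example.com/registry-lib@v1.2.0 golang.org/x/sys@v0.20.0
"""

def module_path(node: str) -> str:
    """Strip the @version suffix from a `go mod graph` node."""
    return node.split("@", 1)[0]

def parse_graph(text: str) -> dict:
    """Build requirer -> set(requiree), keyed by module path.
    Versions are dropped on purpose: for 'who pulls this module in' every
    version is relevant, whichever one minimal version selection picks."""
    graph = defaultdict(set)
    for line in text.splitlines():
        if not line.strip():
            continue
        requirer, requiree = line.split()
        graph[module_path(requirer)].add(module_path(requiree))
    return graph

def paths_to(graph: dict, root: str, target: str) -> list:
    """Return every dependency path root -> ... -> target (DFS, cycle-safe)."""
    found = []
    def walk(node, path):
        if node == target:
            found.append(path)
            return
        for nxt in sorted(graph.get(node, ())):
            if nxt not in path:  # module graphs can contain cycles
                walk(nxt, path + [nxt])
    walk(root, [root])
    return found

def direct_deps_pulling(graph: dict, root: str, target: str) -> list:
    """Direct dependencies of root through which target is reachable."""
    return sorted({p[1] for p in paths_to(graph, root, target) if len(p) > 1})

if __name__ == "__main__":
    g = parse_graph(SAMPLE_GRAPH)
    for p in paths_to(g, ROOT, "github.com/docker/docker"):
        print(" -> ".join(p))
    print("direct deps:", direct_deps_pulling(g, ROOT, "github.com/docker/docker"))
```

On a real checkout, `go mod graph | python3 this_script.py`-style piping would replace the constructed sample; if the only entry in the result is the lifecycle module, the triage argument in the thread (client library only, no engine code) applies to the whole build.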

BRONSOLO commented 1 day ago

Thanks @tomkennedy513. I suspect we can close this ticket out in that case (or leave it open until the lifecycle upgrade is applied).