Closed: larham closed this pull request 5 years ago
:x: Hey larham!
All pull request submitters and commit authors must have a Contributor License Agreement (CLA). Click here for details on the CLA process.
The following github users: @larham @tenczar are not covered by a CLA.
After the CLA process is complete, this pull request will need to be closed & reopened. DreddBot will then validate the CLA(s).
Looks good, learnt about $(($count+1)) ;)
Two deps, libevent and rpcbind, cannot be updated without pulling in changes from the Ubuntu "disco" distro, which is too far forward (not tested against K8s upstream).
What this PR does / why we need it:
Fix CVEs against dependencies
How can this PR be verified?
Runs correctly and the dependencies are not on the list of CVEs
Is there any change in kubo-deployment?
No
Is there any change in kubo-ci?
No
Does this affect upgrade, or is there any migration required?
No
Which issue(s) this PR fixes:
https://www.pivotaltracker.com/story/show/167631002
Release note:
PLEASE ASK PMs IF THEY WANT THE FOLLOWING IN THE RELEASE NOTES:
The following CVEs are NOT fixed in this version because patches have not been backported to Ubuntu Xenial:
libevent-2.0.21:
1. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10195
2. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6272
3. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10196
4. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10197

rpcbind:
1. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8779
2. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7236