Closed phlax closed 11 months ago
cc @javabypatel
Update: Seems unrelated, created a new issue https://github.com/envoyproxy/envoy/issues/29902
I see a NACK thrown in Envoy version v1.27 (very rarely).
failureReason:Error adding/updating listener(s) egress: malformed IP address: 2600:f0f0:0:0:0:0:0:1
As per the NACK, Envoy couldn't validate that this is a proper IPv6 address, which was provided in the filter chain match like:

```json
{
  "filter_chain_match": {
    "prefix_ranges": [
      {
        "address_prefix": "127.255.0.1",
        "prefix_len": 32
      },
      {
        "address_prefix": "2600:f0f0:0:0:0:0:0:1",
        "prefix_len": 128
      }
    ]
  }
}
```
I believe the IPv6 address validation is done in https://github.com/envoyproxy/envoy/blob/83e604abd8214f379617e6320d2255ea20ca0e1f/source/common/network/utility.cc#L117
Given that the CVEs report an issue with the getaddrinfo function, can I expect that this issue might be related?
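A pre-push check for `prefix_ranges` entries of the kind quoted above, added here as an example (not Envoy's own code or the commenter's): it validates each `address_prefix` with Python's `ipaddress` module rather than Envoy's parser in `utility.cc`, so it catches malformed literals and out-of-range `prefix_len` values before the config is sent and NACKed. The sample config and the two bad entries in it are constructed for the demonstration.

```python
import ipaddress
import json

# Constructed sample, modelled on the filter_chain_match fragment in the comment above.
# The last two entries are deliberately bad so the checker has something to flag.
SAMPLE_CONFIG = json.dumps({
    "filter_chain_match": {
        "prefix_ranges": [
            {"address_prefix": "127.255.0.1", "prefix_len": 32},
            {"address_prefix": "2600:f0f0:0:0:0:0:0:1", "prefix_len": 128},
            {"address_prefix": "2600:f0f0::1::", "prefix_len": 128},  # two '::' is not a valid literal
            {"address_prefix": "10.0.0.0", "prefix_len": 40},          # prefix_len exceeds 32 for IPv4
        ]
    }
})


def check_prefix_ranges(config_json: str) -> list:
    """Return (index, reason) for every prefix_ranges entry Envoy would refuse.

    An empty list means every address_prefix parses as IPv4/IPv6 and every
    prefix_len is within 0..32 (v4) or 0..128 (v6).
    """
    cfg = json.loads(config_json)
    ranges = cfg.get("filter_chain_match", {}).get("prefix_ranges", [])
    problems = []
    for i, entry in enumerate(ranges):
        literal = entry.get("address_prefix", "")
        plen = entry.get("prefix_len")
        try:
            addr = ipaddress.ip_address(literal)
        except ValueError:
            # Same failure class as the NACK in the comment: the literal is not a valid address.
            problems.append((i, f"malformed IP address: {literal}"))
            continue
        max_len = 32 if addr.version == 4 else 128
        if not isinstance(plen, int) or not 0 <= plen <= max_len:
            problems.append((i, f"prefix_len {plen} out of range for IPv{addr.version}"))
    return problems


if __name__ == "__main__":
    for idx, reason in check_prefix_ranges(SAMPLE_CONFIG):
        print(f"prefix_ranges[{idx}]: {reason}")
```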
incoming issue here https://github.com/GoogleContainerTools/distroless/issues/1420 which is resolved by https://github.com/GoogleContainerTools/distroless/pull/1419
will update the containers when they release (i would expect today)
i have updated the distroless base to latest and have pending backports for it - but just saw ...
https://github.com/GoogleContainerTools/distroless/issues/1422
I think this is actually fine. The latest distroless/base should not have the high critical cve on libc6.
FYI though, we have distroless/base-nossl-debian12
now which I would recommend over debian11 if that works with your builds.
It would be good to bump to this newer Debian 12 version :+1:
my thought had been to wait until this batch of releases is out of the way, altho tbh i dont see any reason we cant upgrade now
looks like we've released new versions. wonder why the CVEs were not mentioned in the release notes.
they were alluded to - as these were upstream vulns i thought it less important to list out any issues that were resolved
docker/publishing: Update base images to resolve various glibc vulnerabilities.
https://www.envoyproxy.io/docs/envoy/latest/version_history/v1.27/v1.27.1
and on the release pages
altho just spotted this is missing from the (pending) current changelog on main
changelog update is here https://github.com/envoyproxy/envoy/pull/30144
ah we're still on 1.26. didn't see it on https://www.envoyproxy.io/docs/envoy/latest/version_history/v1.26/v1.26.5. thanks @phlax
i think it got missed on that branch - trying to improve these workflows atm
(just to clarify - just the changelog was missed)
@javabypatel you can see the current versions that are being used by checking the pins in the Dockerfile - eg on main
https://github.com/envoyproxy/envoy/blob/main/ci/Dockerfile-envoy
i try to keep these in sync across all branches
in terms of outstanding CVEs these are generally the latest available upstream so incorporate anything currently actionable
This issue has been automatically marked as stale because it has not had activity in the last 30 days. It will be closed in the next 7 days unless it is tagged "help wanted" or "no stalebot" or other activity occurs. Thank you for your contributions.
This issue has been automatically closed because it has not had activity in the last 37 days. If this issue is still valid, please ping a maintainer and ask them to label it as "help wanted" or "no stalebot". Thank you for your contributions.
There are 3 recent CVEs that appear to affect the glibc version in our Docker containers
I confirmed that our current distroless containers are vulnerable - its likely the case also with the Ubuntu containers (will confirm)
debian/ubuntu refs:
4527 appears to be medium severity and is yet to be confirmed
4813 has fixes for distroless at least - which is already on main - i have raised/updated backports for other branches. If the fix is there for ubuntu that will automatically get updated on next release/s