CVE-2024-4323 - Provide v3.0.4 fluenbit in kubesphere/fluent-bit image

els-ipatel commented 1 month ago

Is your feature request related to a problem? Please describe.

Upstream fluent-bit have release v3.0.4 (https://github.com/fluent/fluent-bit/releases/tag/v3.0.4) to address https://nvd.nist.gov/vuln/detail/CVE-2024-4323, latest fluent-bit version in kubesphere/fluent-bit registry is 2.8.0.

To run a non-vulnerable version of fluent-bit with the fluent-operator, support for v3.0.4 is needed.

Describe the solution you'd like

Publish kubesphere/fluent-bit image with fluent-bit 3.0.4
Set the default kubesphere/fluent-bit image reference in installation manifests/helm charts to ensure those using defaults are not inadevertently spinning up vulnerable version of fluent-bit.

Additional context

No response

398264197 commented 1 month ago

没有这个镜像呀，是我操作不对嘛 registry.cn-beijing.aliyuncs.com/kubesphereio/fluent-bit:v3.0.4

els-ipatel commented 1 month ago

@benjaminhuo thanks for the review/merge, when can we expect the tagged image to be published to dockerhub? I'm guessing a release is needed on this repo for this?

fluent / fluent-operator

CVE-2024-4323 - Provide v3.0.4 fluenbit in kubesphere/fluent-bit image #1175

Is your feature request related to a problem? Please describe.

Describe the solution you'd like

Additional context