Closed im-bravo closed 1 year ago
I created a PR https://github.com/fluent/fluentd-docker-image/pull/362 to update to alpine:3.18
, which should contain the fixes for:
https://nvd.nist.gov/vuln/detail/CVE-2023-2975
https://nvd.nist.gov/vuln/detail/CVE-2023-3446
For the https://nvd.nist.gov/vuln/detail/CVE-2023-36617, we need to upgrade uri
to 0.12.2
(reference: https://scout.docker.com/vulnerabilities/id/CVE-2023-36617), but I don't see any gem installed that package in Dockerfile, look like it comes as a dependency.
I released v1.16.2-1.1 at fluent/fluentd to suppress these CVEs. I'll close this issue after I reflect it to https://hub.docker.com/_/fluentd
Hi @ashie, thanks for fixing that! Could you please rebuild the Docker images in https://github.com/fluent/fluentd-kubernetes-daemonset as well, to patch those CVEs?
By the way, I have checked and still not seeing the new tag v1.16.2-1.1
pushed to https://hub.docker.com/_/fluentd.
Hi @ashie, thanks for fixing that! Could you please rebuild the Docker images in https://github.com/fluent/fluentd-kubernetes-daemonset as well, to patch those CVEs?
Of course we'll do it. Please wait for a while.
By the way, I have checked and still not seeing the new tag v1.16.2-1.1 pushed to https://hub.docker.com/_/fluentd.
Yes, not yet. Please wait for a while.
Hi @ashie, thanks for this https://github.com/fluent/fluentd-kubernetes-daemonset/pull/1460, but look like some images (example v1.16.2-debian-s3-amd64-1.1) are still missing in Docker Hub.
Hi @ashie, thanks for this fluent/fluentd-kubernetes-daemonset#1460, but look like some images (example v1.16.2-debian-s3-amd64-1.1) are still missing in Docker Hub.
It's a known issue: https://github.com/fluent/fluentd-kubernetes-daemonset/issues/1455 In the short term, we'll solve it by reorganizing build settings on DockerHub. In the middle term, we should resolve it by migrating deployment system to GitHub Actions: #318
fluentd-kubernetes-daemonset v1.16-debian-s3 has been also updated.
Hello Many thanks for the fluentd and fluentd docker image.
We found 2 CVE in latest docker image 1.16.0 .
https://nvd.nist.gov/vuln/detail/CVE-2023-2975 https://nvd.nist.gov/vuln/detail/CVE-2023-36617
It's looks like related to libcrypto3 and libssl3 package. Base on my scan tool, upgrade from 3.0.9-r1 to 3.0.9-r2 can fix this issue.