grafana / loki

Like Prometheus, but for logs.
https://grafana.com/loki
GNU Affero General Public License v3.0

CVEs reported in promtail 3.1.1 image #14185

Open toffiebotha opened 2 months ago

toffiebotha commented 2 months ago

Is your feature request related to a problem? Please describe.
The latest tag, 3.1.1, of promtail contains the following vulnerabilities as reported by Azure Defender and Docker Scout, which are not mentioned in any other gh issues:

CVE ID           Severity   Vulnerable package          Installed version   Fixed in version
CVE-2024-41110   Critical   github.com/docker/docker    25.0.3.0            25.0.6
CVE-2024-4741    High       openssl                     3.0.13-1~deb12u1    3.0.14-1~deb12u1
CVE-2024-6119    Medium     openssl                     3.0.13-1~deb12u1    3.0.14-1~deb12u2
CVE-2024-4603    Low        openssl                     3.0.13-1~deb12u1    3.0.14-1~deb12u1

Describe the solution you'd like
Update dependencies to the latest versions to remediate the vulnerabilities.

Describe alternatives you've considered
Considered using a tool like Copacetic to patch the OS packages like openssl and using it as a custom image, but it would not solve the docker dependency and could result in instability.

Additional context
Image also contains CVE-2024-29018, CVE-2024-28834, CVE-2024-28835 and CVE-2024-2511, already mentioned in https://github.com/grafana/loki/issues/838

toffiebotha commented 4 days ago

I've inspected the latest 3.3.0 image of promtail and found all of these vulnerabilities have been addressed. Thanks for the updates!!

I don't see an updated published promtail Helm chart that sets the app version to 3.3.0. I'm assuming it would be safe enough to override the 6.16.6 chart's tag to point to 3.3.0.

Can anyone please confirm?
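The table in the first post and the later claim that the 3.3.0 image addresses every finding both come down to one check: does the version of each package in a candidate image meet the scanner's fixed-in version? The script below is an added example, not code from the Loki project or from the issue's author. It embeds the four findings from the table, compares Debian package versions with a port of dpkg's comparison algorithm (the `~` in `1~deb12u1` sorts before everything, including end-of-string, so a plain string compare gets it wrong) and Go module versions with a numeric compare, and reports which CVEs remain open. The two candidate-image inventories are constructed sample data, not the contents of any real promtail image; in practice you would feed it the package list from your scanner's SBOM output, and a package missing from that list is deliberately reported as still open rather than silently passed.

```python
"""Decide which scanner findings a candidate image still has open.

Added example for this issue, not code from the Loki project or the issue's
author. FINDINGS is the 3.1.1 report from the issue; the candidate
inventories at the bottom are constructed sample data.
"""

from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    cve: str
    severity: str
    package: str
    installed: str
    fixed_in: str
    ecosystem: str  # "deb" for OS packages, "go" for Go modules


# Findings as listed in the issue for the promtail 3.1.1 image.
FINDINGS = [
    Finding("CVE-2024-41110", "Critical", "github.com/docker/docker", "25.0.3.0", "25.0.6", "go"),
    Finding("CVE-2024-4741", "High", "openssl", "3.0.13-1~deb12u1", "3.0.14-1~deb12u1", "deb"),
    Finding("CVE-2024-6119", "Medium", "openssl", "3.0.13-1~deb12u1", "3.0.14-1~deb12u2", "deb"),
    Finding("CVE-2024-4603", "Low", "openssl", "3.0.13-1~deb12u1", "3.0.14-1~deb12u1", "deb"),
]


def _isdigit(c: str) -> bool:
    return "0" <= c <= "9"


def _order(c: str) -> int:
    # dpkg character weight: '~' < end-of-string < letters < other non-digits.
    if c == "" or _isdigit(c):
        return 0
    if c.isalpha():
        return ord(c)
    if c == "~":
        return -1
    return ord(c) + 256


def _verrevcmp(a: str, b: str) -> int:
    # Port of dpkg's verrevcmp(): alternate between comparing non-digit runs
    # character by character and digit runs numerically (leading zeros dropped).
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        while (i < len(a) and not _isdigit(a[i])) or (j < len(b) and not _isdigit(b[j])):
            ac = _order(a[i] if i < len(a) else "")
            bc = _order(b[j] if j < len(b) else "")
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and _isdigit(a[i]) and j < len(b) and _isdigit(b[j]):
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and _isdigit(a[i]):
            return 1  # a has more digits in this run, so it is the larger number
        if j < len(b) and _isdigit(b[j]):
            return -1
        if first_diff:
            return first_diff
    return 0


def _split_deb(v: str):
    # [epoch:]upstream[-revision]; the revision is everything after the last '-'.
    epoch = 0
    if ":" in v:
        e, v = v.split(":", 1)
        epoch = int(e)
    upstream, _, revision = v.rpartition("-") if "-" in v else (v, "", "")
    return epoch, upstream, revision


def deb_version_cmp(a: str, b: str) -> int:
    ea, ua, ra = _split_deb(a)
    eb, ub, rb = _split_deb(b)
    if ea != eb:
        return (ea > eb) - (ea < eb)
    return _verrevcmp(ua, ub) or _verrevcmp(ra, rb)


def _go_parse(v: str):
    # Strip the 'v' prefix and '+incompatible' style metadata; keep pre-release.
    v = v.lstrip("v").split("+", 1)[0]
    core, _, pre = v.partition("-")
    return [int(p) for p in core.split(".")], pre


def go_version_cmp(a: str, b: str) -> int:
    na, pa = _go_parse(a)
    nb, pb = _go_parse(b)
    n = max(len(na), len(nb))
    na, nb = na + [0] * (n - len(na)), nb + [0] * (n - len(nb))
    if na != nb:
        return (na > nb) - (na < nb)
    if bool(pa) != bool(pb):
        return -1 if pa else 1  # a release outranks any pre-release of it
    return (pa > pb) - (pa < pb)  # lexicographic; fine for rcN, rough for pseudo-versions


def is_fixed(f: Finding, installed: str) -> bool:
    cmp = deb_version_cmp if f.ecosystem == "deb" else go_version_cmp
    return cmp(installed, f.fixed_in) >= 0


def unresolved(findings, inventory: dict) -> list:
    # A package absent from the inventory is reported as open: an incomplete
    # package list must never look like a clean image.
    return [f.cve for f in findings
            if inventory.get(f.package) is None or not is_fixed(f, inventory[f.package])]


# Constructed inventories for two hypothetical rebuilt images (not real data).
PARTIALLY_PATCHED = {"openssl": "3.0.14-1~deb12u1", "github.com/docker/docker": "v25.0.6+incompatible"}
FULLY_PATCHED = {"openssl": "3.0.14-1~deb12u2", "github.com/docker/docker": "v25.0.6+incompatible"}

if __name__ == "__main__":
    print("partially patched, still open:", unresolved(FINDINGS, PARTIALLY_PATCHED))
    print("fully patched, still open:", unresolved(FINDINGS, FULLY_PATCHED))
```

The partially patched inventory shows why the fixed-in column matters per CVE rather than per package: openssl 3.0.14-1~deb12u1 closes CVE-2024-4741 and CVE-2024-4603 but leaves CVE-2024-6119 open, because that one was fixed in the later deb12u2 build.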