Closed shrikant-rajappan closed 8 months ago
hi @shrikant-rajappan!
The latest jaeger-operator docker image is based on CentOS Stream and includes the following ncurses version:
$ docker run -it --entrypoint bash quay.io/jaegertracing/jaeger-operator:1.51.0
bash-5.1$ rpm -qa | grep ncurses
ncurses-base-6.2-10.20210508.el9.noarch
ncurses-libs-6.2-10.20210508.el9.x86_64
The changelog of this package describes that the CVE-2023-29491 is fixed in this release (by backporting): https://cbs.centos.org/koji/buildinfo?buildID=51542
tl;dr the jaeger-operator image is not affected by this CVE.
What happened?
Please take cognisance of CVE-2023-29491 and solution a fix in quay.io/jaegertracing/jaeger-operator
Steps to reproduce
ncurses before 6.4 20230408, when used by a setuid application, allows local users to trigger security-relevant memory corruption via malformed data in a terminfo database file that is found in $HOME/.terminfo or reached via the TERMINFO or TERM environment variable.
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-29491
Expected behavior
Since this issue is being opened as part of fix for ncurses library - an updated/upgraded version of the jaeger-operator is expected.
Relevant log output
No response
Screenshot
No response
Additional context
No response
Jaeger backend version
No response
SDK
No response
Pipeline
No response
Stogage backend
No response
Operating system
No response
Deployment model
No response
Deployment configs
No response