kiwigrid / k8s-sidecar

This is a Docker container intended to run inside a Kubernetes cluster to collect config maps with a specified label and store the included files in a local folder.
MIT License

build(deps): Bump python from 3.11.3-alpine3.16 to 3.11.4-alpine3.18 #293

Closed arukiidou closed 1 year ago

arukiidou commented 1 year ago

Bump python from 3.11.3-alpine3.16 to 3.11.4-alpine3.18

dbluxo commented 1 year ago

This would also fix CVE-2023-2650 & CVE-2023-29491:

python:3.11.3-alpine3.16 (alpine 3.16.5)

Total: 4 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 4, CRITICAL: 0)

┌───────────────────────┬────────────────┬──────────┬───────────────────┬──────────────────┬─────────────────────────────────────────────────────────────┐
│        Library        │ Vulnerability  │ Severity │ Installed Version │  Fixed Version   │                            Title                            │
├───────────────────────┼────────────────┼──────────┼───────────────────┼──────────────────┼─────────────────────────────────────────────────────────────┤
│ libcrypto1.1          │ CVE-2023-2650  │ HIGH     │ 1.1.1t-r2         │ 1.1.1u-r0        │ Possible DoS translating ASN.1 object identifiers           │
│                       │                │          │                   │                  │ https://avd.aquasec.com/nvd/cve-2023-2650                   │
├───────────────────────┤                │          │                   │                  │                                                             │
│ libssl1.1             │                │          │                   │                  │                                                             │
│                       │                │          │                   │                  │                                                             │
├───────────────────────┼────────────────┤          ├───────────────────┼──────────────────┼─────────────────────────────────────────────────────────────┤
│ ncurses-libs          │ CVE-2023-29491 │          │ 6.3_p20220521-r0  │ 6.3_p20220521-r1 │ Local users can trigger security-relevant memory corruption │
│                       │                │          │                   │                  │ via malformed data                                          │
│                       │                │          │                   │                  │ https://avd.aquasec.com/nvd/cve-2023-29491                  │
├───────────────────────┤                │          │                   │                  │                                                             │
│ ncurses-terminfo-base │                │          │                   │                  │                                                             │
│                       │                │          │                   │                  │                                                             │
│                       │                │          │                   │                  │                                                             │
└───────────────────────┴────────────────┴──────────┴───────────────────┴──────────────────┴─────────────────────────────────────────────────────────────┘
python:3.11.4-alpine3.18 (alpine 3.18.2)

Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

dbluxo commented 1 year ago

cc https://github.com/kiwigrid/k8s-sidecar/issues/273

dbluxo commented 1 year ago

@jekkel Could you have a look?