kubernetes-csi / livenessprobe

A sidecar container that can be included in a CSI plugin pod to enable integration with Kubernetes Liveness Probe.
Apache License 2.0

v2.11.0 showing High vulnerability CVE-2023-44487 #222

Closed mitchellmaler closed 8 months ago

mitchellmaler commented 11 months ago

Hello, our security tooling is showing the latest version has CVE-2023-44487. This requires upgrading Golang to a later patch version to pull in the latest net package.

coltonfreeman26 commented 10 months ago

Good day all. Figured I would comment here instead of opening a new issue. We are also using the 2.11.0 release and our scan tools (Anchore and Twistlock) have found multiple CVEs in regards to the golang version being used, 1.20.5 (all of which will be resolved with 1.20.10):

CVE-2023-29406 CVE-2023-29409 CVE-2023-39318 CVE-2023-39319 CVE-2023-39323 CVE-2023-39325

Please let me know if you have any questions.
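A small check of the kind the scanners above perform, added here as an example and not code from this thread or the livenessprobe project: it reads the toolchain version that `go version -m <binary>` prints for a Go binary and compares it with the 1.20.10 patch release named in the comment. The sample output is constructed, and the check only answers for the 1.20 release line the thread talks about.

```python
import re
from typing import Optional, Tuple

# Go versions named in the thread: the build the scanners flagged and the
# patch release the reporter states resolves the listed CVEs.
VULNERABLE_BUILD = "go1.20.5"
FIXED_FROM = "go1.20.10"

# Constructed sample of `go version -m /csi/livenessprobe` output; not captured
# from a real image. The first line carries the toolchain version.
SAMPLE_OUTPUT = """\
/csi/livenessprobe: go1.20.5
\tpath\tgithub.com/kubernetes-csi/livenessprobe/cmd/livenessprobe
\tmod\tgithub.com/kubernetes-csi/livenessprobe\t(devel)
\tbuild\t-compiler=gc
"""

_VERSION_RE = re.compile(r"\bgo(\d+)\.(\d+)(?:\.(\d+))?")


def parse_go_version(text: str) -> Tuple[int, int, int]:
    """Return the first Go toolchain version in text as (major, minor, patch).

    A version without a patch component (e.g. "go1.21") is read as patch 0.
    """
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError("no Go toolchain version found in input")
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch) if patch else 0


def needs_rebuild(text: str, fixed_from: str = FIXED_FROM) -> Optional[bool]:
    """True if the binary was built with a release older than fixed_from.

    Returns None when the binary is on a different minor release line, because
    the thread only states the fix version for the 1.20 line; other lines need
    their own fix version rather than a guess.
    """
    found = parse_go_version(text)
    fixed = parse_go_version(fixed_from)
    if found[:2] != fixed[:2]:
        return None
    return found < fixed


if __name__ == "__main__":
    print("rebuild needed:", needs_rebuild(SAMPLE_OUTPUT))
```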

jsafrane commented 8 months ago

This has been fixed in v2.12.0

jsafrane commented 8 months ago

/close

k8s-ci-robot commented 8 months ago

@jsafrane: Closing this issue.

In response to [this](https://github.com/kubernetes-csi/livenessprobe/issues/222#issuecomment-1916959070):

> /close

Instructions for interacting with me using PR comments are available [here](https://git.k8s.io/community/contributors/guide/pull-requests.md). If you have questions or suggestions related to my behavior, please file an issue against the [kubernetes/test-infra](https://github.com/kubernetes/test-infra/issues/new?title=Prow%20issue:) repository.