kubernetes-csi / livenessprobe

A sidecar container that can be included in a CSI plugin pod to enable integration with Kubernetes Liveness Probe.
Apache License 2.0
72 stars 94 forks

Need fix for CVE-2023-45288 #261

Closed andriisoldatenko closed 10 hours ago

andriisoldatenko commented 2 months ago

If we bump the Go version from go1.21.5 to go1.21.10, we can solve the issue.

https://github.com/advisories/GHSA-4v7x-pqxf-cx7m

Please let me know if you need help, I can try to contribute if you accept the PR.

andriisoldatenko commented 2 months ago

@ggriffiths could you please help me understand how to bump the Go version? I see https://github.com/kubernetes/kubernetes/blob/master/.go-version#L1

and I see https://github.com/kubernetes-csi/livenessprobe/blob/f8c3f4353f10a58b9925a156b508db6113181e42/release-tools/prow.sh#L89

but it's unclear how to bump it correctly.

jsafrane commented 2 months ago

I think this repo will get a new go version when it gets updated to Kubernetes 1.30 libraries. I'm waiting for a new github.com/kubernetes-csi/csi-lib-utils tag and then we will update all CSI sidecars.

andriisoldatenko commented 2 months ago

@jsafrane thanks!

jwstein3400 commented 2 months ago

@jsafrane Hi, it appears that a new tag was released last week: https://github.com/kubernetes-csi/csi-lib-utils/releases/tag/v0.18.0 Does that mean we can expect to see all the CSI sidecars uplifted and tagged for release?

andriisoldatenko commented 1 month ago

The problem is that the new release doesn't exist in the registry:

Trying to pull registry.k8s.io/sig-storage/livenessprobe:v2.13.0...
Error: initializing source docker://registry.k8s.io/sig-storage/livenessprobe:v2.13.0: reading manifest v2.13.0 in registry.k8s.io/sig-storage/livenessprobe: manifest unknown: Failed to fetch "v2.13.0"

cc @jsafrane

jsafrane commented 1 month ago

Windows image build fails because of https://github.com/microsoft/Windows-Containers/issues/493 :-( We need fixed Windows base images to get a final 2.13 build of all images.

andriisoldatenko commented 1 week ago

@jsafrane it seems the related ticket has been resolved: https://github.com/microsoft/Windows-Containers/issues/493

Could you please check why I still can't pull an image?

Trying to pull registry.k8s.io/sig-storage/livenessprobe:v2.13.0...
Error: initializing source docker://registry.k8s.io/sig-storage/livenessprobe:v2.13.0: reading manifest v2.13.0 in registry.k8s.io/sig-storage/livenessprobe: manifest unknown: Failed to fetch "v2.13.0"

jsafrane commented 4 days ago

I published livenessprobe:v2.13.1 this week. I am not able to re-build and re-publish v2.13.0 :-(

andriisoldatenko commented 10 hours ago

I think the issue was resolved, so I am closing it because the image is available.

Thanks a lot for your help @jsafrane