kubernetes-sigs / aws-ebs-csi-driver

CSI driver for Amazon EBS https://aws.amazon.com/ebs/
Apache License 2.0

Bump helm charts sidecars versions to resolve CVEs #2054

Closed yash-acquia closed 3 months ago

yash-acquia commented 3 months ago

/kind bug

What happened? A scan detected the following CVEs: CVE-2023-45288

What you expected to happen? Update sidecar versions in the helm chart:

Updating the above sidecars will fix CVE-2023-45288.

| Vulnerability ID | Package Name | Vulnerable Version | Fixed Version | Type |
|---|---|---|---|---|
| CVE-2023-45288 | golang.org/x/net | v0.18.0 | v0.23.0 | gobinary |

Environment

ConnorJC3 commented 3 months ago

We regularly bump the sidecars (and other dependencies) of the EBS CSI Driver during our monthly release. Because this is only a medium-severity CVE, and there is no reason to believe or evidence that it is exploitable under normal conditions, we will not be doing an out-of-band release for CVE-2023-45288 at this time.

If you wish to bump the sidecar versions yourself, the chart includes the ability to customize the tag and repository of the sidecar containers.
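The comment above says the chart lets you override the sidecar images yourself. The script below is an added example, not code from the aws-ebs-csi-driver project or from any commenter: it audits the sidecar tags actually running in the controller Deployment against a minimum you choose, and emits the `--set` flags that pin newer tags. The Deployment name (`kube-system/ebs-csi-controller`), the container names, the `sidecars.<name>.image.tag` values layout and the Helm release/repo names are assumptions to verify with `helm show values`; the minimum tags in `MIN_TAGS` are constructed placeholders, not versions taken from this issue.

```shell
#!/usr/bin/env bash
# Added example (not the project's own code): audit deployed EBS CSI sidecar
# tags against a required minimum and print Helm overrides to pin newer ones.
# Assumed (check with `helm show values`): controller Deployment is
# kube-system/ebs-csi-controller, sidecar containers are named csi-provisioner,
# csi-attacher, csi-resizer, csi-snapshotter, liveness-probe, and the chart
# exposes sidecars.<key>.image.tag.

# Minimum acceptable tag per sidecar container name. CONSTRUCTED placeholder
# values; take the real ones from the release notes of the driver version
# that carries the fix you need.
MIN_TAGS="csi-provisioner=v4.0.1 csi-attacher=v4.5.1 csi-resizer=v1.10.1 csi-snapshotter=v7.0.2 liveness-probe=v2.12.0"

# Map a container name to its key under `sidecars.` in values.yaml (assumed layout).
values_key() {
  case "$1" in
    csi-provisioner) echo provisioner ;;
    csi-attacher)    echo attacher ;;
    csi-resizer)     echo resizer ;;
    csi-snapshotter) echo snapshotter ;;
    liveness-probe)  echo livenessProbe ;;
    *) return 1 ;;
  esac
}

# Numeric component $2 (1..3) of a vMAJOR.MINOR.PATCH tag; pre-release suffix dropped.
ver_part() {
  local v="${1#v}" part
  v="${v%%-*}"
  part=$(printf '%s' "$v" | cut -d. -f"$2")
  printf '%s' "${part:-0}"
}

# Return 0 when tag $1 is at least tag $2, 1 otherwise.
semver_ge() {
  local i a b
  for i in 1 2 3; do
    a=$(ver_part "$1" "$i")
    b=$(ver_part "$2" "$i")
    if [ "$a" -gt "$b" ]; then return 0; fi
    if [ "$a" -lt "$b" ]; then return 1; fi
  done
  return 0
}

# Read "container image" lines on stdin (what fetch_images prints), report each
# tracked sidecar whose tag is below the minimum, and return 1 if any was found.
audit_images() {
  local outdated=0 name image tag required entry
  while read -r name image; do
    [ -n "$name" ] || continue
    tag="${image##*:}"              # image references here always carry a tag
    required=""
    for entry in $MIN_TAGS; do
      [ "${entry%%=*}" = "$name" ] && required="${entry#*=}"
    done
    [ -n "$required" ] || continue  # not a tracked sidecar (e.g. ebs-plugin)
    if ! semver_ge "$tag" "$required"; then
      printf '%s %s < %s\n' "$name" "$tag" "$required"
      outdated=1
    fi
  done
  return "$outdated"
}

# One "name image" line per container of the controller Deployment (live cluster).
fetch_images() {
  kubectl -n kube-system get deployment ebs-csi-controller \
    -o jsonpath='{range .spec.template.spec.containers[*]}{.name} {.image}{"\n"}{end}'
}

# Emit `--set` flags pinning every tracked sidecar to its minimum tag.
helm_set_args() {
  local entry key
  for entry in $MIN_TAGS; do
    key=$(values_key "${entry%%=*}") || continue
    printf -- '--set sidecars.%s.image.tag=%s\n' "$key" "${entry#*=}"
  done
}

# Usage against a live cluster (release and repo names assumed):
#   fetch_images | audit_images || helm upgrade aws-ebs-csi-driver \
#     aws-ebs-csi-driver/aws-ebs-csi-driver -n kube-system --reuse-values $(helm_set_args)
```

Pinning tags this way only changes which sidecar images run; it does not replace the driver's own `ebs-plugin` container, so re-run the audit after the next chart upgrade to make sure the overrides are still wanted and not holding you below what the chart now ships by default.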

torredil commented 3 months ago

This issue has been addressed in driver release v1.32.0 /close

k8s-ci-robot commented 3 months ago

@torredil: Closing this issue.

In response to [this](https://github.com/kubernetes-sigs/aws-ebs-csi-driver/issues/2054#issuecomment-2200128001):

> This issue has been addressed in driver release `v1.32.0`
> /close

Instructions for interacting with me using PR comments are available [here](https://git.k8s.io/community/contributors/guide/pull-requests.md). If you have questions or suggestions related to my behavior, please file an issue against the [kubernetes-sigs/prow](https://github.com/kubernetes-sigs/prow/issues/new?title=Prow%20issue:) repository.