Getting Critical CVE-2024-24790 with v0.14.2 image for External-dns

The current external-dns:v0.14.2 image has CVE https://pkg.go.dev/vuln/GO-2024-2887

scan results for: image registry.k8s.io/external-dns/external-dns:v0.14.2 sha256:402a0659dc57e40076f18957362a842e883a30ccb39ce1c6e67bb0eaf29b549a

Vulnerabilities found for image registry.k8s.io/external-dns/external-dns:v0.14.2: total - 5, critical - 1, high - 0, medium - 2, low - 2 Vulnerability threshold check results: PASS

Image registry.k8s.io/external-dns/external-dns:v0.14.2 IDsha256:402a0659dc57e40076f18957362a842e883a30ccb39ce1c6e67bb0eaf29b549a OS distributionDistroless (based on Debian GNU/Linux 11) OS releasebullseye

go | critical | net/netip version 1.22.2 has 1 vulnerability

This can be fixed by upgrading to 1.22.4+

It looks like this was fixed in https://github.com/kubernetes-sigs/external-dns/commit/7ae7c7a21b7fa3d81160048ddea7c2e36233a8f2 However the external-dns-helm-chart-1.14.5 points to v0.14.2 that is still using go 1.22.2.

Is there a timeline on when there will be a new release for the ExternalDNS OCI image version and helm chart for these fixes? Thanks for any details!!

Discussed in https://github.com/kubernetes-sigs/external-dns/discussions/4619

^{Originally posted by **rachit-mdsol** July 17, 2024} Hey Team, We are getting Critical CVE-2024-24790 for **net/netip** package, it require version should be greater than 1.22.2. Do we any upcoming release for this above vulnerability fix. If we have please let us know we can have a note for security purpose, we will use latest release once you get it publish. Thanks.

kubernetes-sigs / external-dns

Getting Critical CVE-2024-24790 with v0.14.2 image for External-dns #4634

Discussed in https://github.com/kubernetes-sigs/external-dns/discussions/4619