data-dude
commented
7 months ago @manikantanallagatla How did you get v0.11.2? Did you find the docker image somewhere? Or did you build it yourself?
Open manikantanallagatla opened 9 months ago
data-dude
commented
7 months ago @manikantanallagatla How did you get v0.11.2? Did you find the docker image somewhere? Or did you build it yourself?
dashpole
commented
7 months ago /assign @rexagod /triage accpeted
@rexagod will check to see if we are actually impacted by the vulnerabilities
k8s-ci-robot
commented
7 months ago @dashpole: The label(s) triage/accpeted cannot be applied, because the repository doesn't have them.
dashpole
commented
7 months ago /triage accepted
sumitgupta21
commented
5 months ago We have also scanned the prom-adapter v0.11.2 image with ORCA and it found some more CVEs as mentioned below
| CVE | Package |
|---|---|
| CVE-2023-47108 | go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc |
| CVE-2023-45142 | go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp |
| CVE-2023-39325 | golang.org/x/net |
| CVE-2023-44487 | golang.org/x/net |
| CVE-2023-44487 | google.golang.org/grpc |
| CVE-2023-48795 | golang.org/x/crypto |
| CVE-2023-3978 | golang.org/x/net |
It would be good to get them patched as soon as possible.
What happened?: Hi,
Can anyone provide any expected date for the security upgrades of following dependent packages in Prometheus adapter: https://github.com/advisories/GHSA-rcjv-mgp8-qvmr https://github.com/advisories/GHSA-2wrh-6pvc-2jm9 https://github.com/advisories/GHSA-4374-p667-p6c8 https://github.com/advisories/GHSA-qppj-fm5r-hxr3
What did you expect to happen?: We expected these fixes in v 0.11.2.
Please provide the prometheus-adapter config: V0.11.2 does not have these fixes.
Please provide the HPA resource used for autoscaling: NA
Please provide the HPA status: NA
Please provide the prometheus-adapter logs with -v=6 around the time the issue happened: NA
Anything else we need to know?:
Environment:
kubectl version):