kubernetes / git-sync

A sidecar app which clones a git repo and keeps it in sync with the upstream.
Apache License 2.0

High vulnerability CVE-2023-6246 and CVE-2023-6779 #860

Closed yarongol closed 4 months ago

yarongol commented 5 months ago

Can you please relate/help fix the following new vulnerability? Thanks

```
trivy image registry.k8s.io/git-sync/git-sync:v4.2.0 --severity HIGH,CRITICAL --ignore-unfixed
2024-02-05T07:08:47.078+0200 INFO Vulnerability scanning is enabled
......

registry.k8s.io/git-sync/git-sync:v4.2.0 (debian 12.4)

Total: 2 (HIGH: 2, CRITICAL: 0)

┌─────────┬───────────────┬──────────┬────────┬───────────────────┬────────────────┬───────────────────────────────────────────────────────────┐
│ Library │ Vulnerability │ Severity │ Status │ Installed Version │ Fixed Version  │                           Title                           │
├─────────┼───────────────┼──────────┼────────┼───────────────────┼────────────────┼───────────────────────────────────────────────────────────┤
│ libc6   │ CVE-2023-6246 │ HIGH     │ fixed  │ 2.36-9+deb12u3    │ 2.36-9+deb12u4 │ glibc: heap-based buffer overflow in __vsyslog_internal() │
│         │               │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2023-6246                 │
│         ├───────────────┤          │        │                   │                ├───────────────────────────────────────────────────────────┤
│         │ CVE-2023-6779 │          │        │                   │                │ glibc: off-by-one heap-based buffer overflow in           │
│         │               │          │        │                   │                │ __vsyslog_internal()                                      │
│         │               │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2023-6779                 │
└─────────┴───────────────┴──────────┴────────┴───────────────────┴────────────────┴───────────────────────────────────────────────────────────┘
```

thockin commented 4 months ago

https://github.com/kubernetes/git-sync/releases/tag/v4.2.1