kubernetes / ingress-nginx

Ingress-NGINX Controller for Kubernetes
https://kubernetes.github.io/ingress-nginx/
Apache License 2.0

[Vulnerabilities] current version of nginx-ingress-controller v1.10.1 has many vulnerabilities #11396

Open abhilashaSingh4042 opened 1 month ago

abhilashaSingh4042 commented 1 month ago
  1. Alpine Linux Security Update for libxml2: solution
  2. GO (Go) Security Update for golang.org/x/net/http2 (GHSA-4v7x-pqxf-cx7m): solution
  3. Alpine Linux 3.19 Security Update for openssl : solution
  4. Alpine Linux Security Update for busybox: solution
longwuyuan commented 1 month ago

The x/net and the openssl will get patched in the next release of the ingress-nginx controller

abhilashaSingh4042 commented 1 month ago

@longwuyuan when can we expect next release?

longwuyuan commented 1 month ago

Maintainers will start working on it next week

moazrefat commented 1 month ago

@longwuyuan ingress controller v1.10.1 is using 1.25.3 which is end of life, when can we expect a new version with v1.26 or v1.27? https://endoflife.date/nginx

longwuyuan commented 1 month ago

The controller does NOT use NGINX in the way that people would assume.

The controller uses OpenResty and hence the version of Nginx visible is what is bundled with the version of OpenResty used.

Tons of patches are backported and nginx itself is compiled from src. So the EOL you are talking about seems relevant but is acceptable.

strongjz commented 1 month ago

@abhilashaSingh4042, all of these will be updated in a patch release. This month has been difficult. We have a maintainer stepping down, and I, primarily responsible for releases, was out on vacation for most of the month. We will get back into our regular patching soon. Please be patient. There is a lot of work on and very few people contributing.

/assign @strongjz /triage accepted /priority important-soon

yehiyam commented 4 days ago

Hi @strongjz Any update on the next patch release? Also, anything I can do to help? Any "easy" issues I can tackle?

Shreya2810 commented 4 days ago

@strongjz ingress controller v1.10.1 is using 1.25.3 which is end of life, when can we expect a new version with v1.26 or v1.27?

scottstout commented 3 days ago

@strongjz is there an ETA on this? Are you even able to resolve this issue without a new release from OpenResty?

longwuyuan commented 3 days ago

@scottstout Please look at the list of PRs merged yesterday and opened yesterday. The work to release the next version is underway. This involves rebuilding images with updated libraries, so the patches/fixes released by upstream Alpine and others get applied to the new release.

The Nginx version is not a downloaded binary but a patched build, so we are good on the Nginx version. Several of those Nginx CVEs relate to vanilla nginx and not to an OpenResty-related component that is built from source.

strongjz commented 3 days ago

We're onboarding a new maintainer who has never done a release before, one stepped down last month, and I was out sick for a week after my vacation and had other work arrangements that required my time. We are trying our best to get this out. When we kick a build of nginx it takes an hour or so, if it fails, we have to spend time understanding why it failed, and which new component caused the failure. That all takes a considerable amount of time.

Please be patient with us, there are a lot of constraints and we are trying our best.

All of these will be in the 1.11 release, the goal is this week.

strongjz commented 3 days ago

The build failed last night https://github.com/kubernetes/ingress-nginx/actions/runs/9765301748/job/26961062322#step:6:2097

We have to ensure that the CI passes for 4 versions of Kubernetes, on helm and with our 3 deployments, normal, chroot, with validations enabled. All of those have to pass for a new image to be promoted.