kubernetes / kubernetes

Production-Grade Container Scheduling and Management
https://kubernetes.io
Apache License 2.0

CVE-2023-5043 and CVE-2023-5044 missing from official list of vulnerabilities #123964

Closed sftim closed 1 month ago

sftim commented 6 months ago

Per https://github.com/kubernetes/website/issues/45576, the official CVE feed at https://kubernetes.io/docs/reference/issues-security/official-cve-feed/ doesn't have entries for:

I am not sure if we want to narrow the scope of the feed, fix the missing issues, or change our processes to ensure all announced vulnerabilities show up in the feed.

However, this issue is about taking a step to add those entries into the upstream feed. Doing that should close issue https://github.com/kubernetes/website/issues/45576.

/sig security /committee security-response

k8s-ci-robot commented 6 months ago

This issue is currently awaiting triage.

SIG Docs takes a lead on issue triage for this website, but any Kubernetes member can accept issues by applying the triage/accepted label.

The triage/accepted label can be added by org members by writing /triage accepted in a comment.

Instructions for interacting with me using PR comments are available [here](https://git.k8s.io/community/contributors/guide/pull-requests.md). If you have questions or suggestions related to my behavior, please file an issue against the [kubernetes/test-infra](https://github.com/kubernetes/test-infra/issues/new?title=Prow%20issue:) repository.
sftim commented 6 months ago

/transfer kubernetes

ritazh commented 6 months ago

Seems the issues were created in their respective repos, but are missing from the official k8s CVE feed, probably because there were no corresponding issues created in k/k with the official-cve-feed label. https://github.com/kubernetes/kubernetes/issues/126816 https://github.com/kubernetes/kubernetes/issues/126817

We have had to create issues in both the sub project and k/k in the past. e.g. https://github.com/kubernetes/kubernetes/issues/118419

@cjcullen

PushkarJ commented 4 months ago

@ritazh would it be acceptable for @kubernetes/security-response-committee if SIG Security Tooling Maintainers add a duplicate issue in k/k with the right label for such instances? I am tracking this as part of beta -> GA graduation so want to acknowledge that this could happen again and we would like to establish a precedent for it.

ritazh commented 4 months ago

> @ritazh would it be acceptable for @kubernetes/security-response-committee if SIG Security Tooling Maintainers add a duplicate issue in k/k with the right label for such instances? I am tracking this as part of beta -> GA graduation so want to acknowledge that this could happen again and we would like to establish a precedent for it.

Yes please do. And feel free to tag me for review.

k8s-triage-robot commented 1 month ago

The Kubernetes project currently lacks enough contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

You can:

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

cji commented 1 month ago

FYI we are currently transferring the ingress-nginx cve github issues over to k/k and will open future ones here as well.

cji commented 1 month ago

We've migrated the ingress-nginx CVE issues to kubernetes/kubernetes, and these CVEs now show up in the feed. https://kubernetes.io/docs/reference/issues-security/official-cve-feed/ I think this can be closed.
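The thread above turns on one mechanism: the official CVE feed is generated from kubernetes/kubernetes issues carrying the official-cve-feed label, so an advisory filed only in a sub-project repo (as happened with the ingress-nginx CVEs) silently never reaches the feed. The following is an added example, not code from the Kubernetes project, of the consumer-side check a security team would run to catch such gaps: parse the feed in JSON Feed shape, collect every CVE identifier it mentions, and diff that against the CVE IDs announced elsewhere. The feed sample embedded below is constructed, and the assumption that the live feed is served as JSON at the page's feed URL with an index.json suffix is noted in a comment.

```python
import json
import re
from typing import Iterable

# Matches CVE identifiers such as CVE-2023-5043 (4-digit year, 4+ digit sequence).
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}", re.IGNORECASE)

# The page links the HTML view of the feed; the JSON form is assumed to live at
# <feed URL>/index.json. Only the "items" array is consumed below.
OFFICIAL_FEED_JSON_URL = (
    "https://kubernetes.io/docs/reference/issues-security/official-cve-feed/index.json"
)

# Constructed sample in JSON Feed shape. Field names are modelled on a typical
# JSON Feed item; the CVE id in it is a placeholder, not a real Kubernetes CVE.
SAMPLE_FEED = json.dumps(
    {
        "version": "https://jsonfeed.org/version/1.1",
        "title": "Kubernetes Official CVE Feed (constructed sample)",
        "items": [
            {
                "id": "CVE-2099-00001",
                "title": "CVE-2099-00001: placeholder issue in a kubernetes component",
                "url": "https://github.com/kubernetes/kubernetes/issues/0",
                "external_url": "https://www.cve.org/CVERecord?id=CVE-2099-00001",
                "summary": "Placeholder entry used only to exercise the checker.",
                "date_published": "2024-01-01T00:00:00Z",
            }
        ],
    }
)


def cve_ids_in_feed(feed_json: str) -> set[str]:
    """Return every CVE identifier mentioned in any string field of any feed item.

    Scanning all string fields rather than one fixed key keeps the check robust
    to small schema differences between feed versions.
    """
    feed = json.loads(feed_json)
    found: set[str] = set()
    for item in feed.get("items", []):
        for value in item.values():
            if isinstance(value, str):
                found.update(m.upper() for m in CVE_RE.findall(value))
    return found


def missing_from_feed(feed_json: str, announced: Iterable[str]) -> list[str]:
    """Return the announced CVE IDs (normalised to upper case) absent from the feed."""
    wanted = {a.strip().upper() for a in announced}
    return sorted(wanted - cve_ids_in_feed(feed_json))


if __name__ == "__main__":
    # The two identifiers from this issue's title plus the constructed placeholder.
    announced = ["CVE-2023-5043", "CVE-2023-5044", "cve-2099-00001"]
    gaps = missing_from_feed(SAMPLE_FEED, announced)
    print("missing from feed:", gaps)
```

In practice the feed text would be fetched from OFFICIAL_FEED_JSON_URL and the announced list taken from the sub-project advisories or the kubernetes-security-announce list; any non-empty result is exactly the kind of gap this issue reports.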

enj commented 1 month ago

> We've migrated the ingress-nginx CVE issues to kubernetes/kubernetes, and these CVEs now show up in the feed. https://kubernetes.io/docs/reference/issues-security/official-cve-feed/ I think this can be closed.

/close

k8s-ci-robot commented 1 month ago

@enj: Closing this issue.

In response to [this](https://github.com/kubernetes/kubernetes/issues/123964#issuecomment-2299420160):

> > We've migrated the ingress-nginx CVE issues to kubernetes/kubernetes, and these CVEs now show up in the feed. https://kubernetes.io/docs/reference/issues-security/official-cve-feed/ I think this can be closed.
>
> /close

Instructions for interacting with me using PR comments are available [here](https://git.k8s.io/community/contributors/guide/pull-requests.md). If you have questions or suggestions related to my behavior, please file an issue against the [kubernetes-sigs/prow](https://github.com/kubernetes-sigs/prow/issues/new?title=Prow%20issue:) repository.