loft-sh / jspolicy

jsPolicy - Easier & Faster Kubernetes Policies using JavaScript or TypeScript
https://www.jspolicy.com
Apache License 2.0

Vulnerability Remediation Roadmap #94

Closed kirkpabk closed 1 year ago

kirkpabk commented 1 year ago

Great product, by the way!! Your team has been doing AMAZING work to remediate so many issues with the 0.2.1 release. GREAT JOB!!

So, we're trying to get validation of the product within our environment and are running into issues with these:

| Vulnerability ID | Package | Severity | Fix | Vulnerability URL |
|---|---|---|---|---|
| CVE-2018-25076 | events-3.3.0 | Critical | None | https://nvd.nist.gov/vuln/detail/CVE-2018-25076 |
| CVE-2022-43604 | opener-1.5.2 | Critical | None | https://nvd.nist.gov/vuln/detail/CVE-2022-43604 |
| CVE-2022-43605 | opener-1.5.2 | Critical | None | https://nvd.nist.gov/vuln/detail/CVE-2022-43605 |
| CVE-2022-21698 | github.com/prometheus/client_golang-v1.11.0 | High | None | https://nvd.nist.gov/vuln/detail/CVE-2022-21698 |
| CVE-2022-43606 | opener-1.5.2 | High | None | https://nvd.nist.gov/vuln/detail/CVE-2022-43606 |
| CVE-2023-0361 | libgnutls30-3.6.7-4+deb10u9 | High | 3.6.7-4+deb10u10 | https://security-tracker.debian.org/tracker/CVE-2023-0361 |
| CVE-2023-26604 | libsystemd0-241-7~deb10u8 | High | None | https://security-tracker.debian.org/tracker/CVE-2023-26604 |
| CVE-2011-3389 | libgnutls30-3.6.7-4+deb10u9 | Medium | None | https://security-tracker.debian.org/tracker/CVE-2011-3389 |

Particularly the one with a fix (CVE-2023-0361).

My question: are there any recommendations on temporary "fixes" or "controls" until a new release is available?

FabianKramm commented 1 year ago

Hey @kirkpabk! Thanks for creating this issue and the nice words! It seems like these issues come mostly from the base image. Unfortunately, we are running quite low on capacity right now; if you have the spare time, it would be great if you could work on a PR for this.
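A triage helper for the findings in this thread, added here as an example and not jsPolicy project code: it parses scanner rows (constructed below from the table in the issue), separates the single finding with a published fix from those with none, and for Debian base-image packages emits the package pin to apply in an image rebuild as the interim control. The origin heuristics (Debian version suffix, Go import path, otherwise npm) and the Debian-based image are assumptions.

```python
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    cve: str
    package: str          # "<name>-<installed version>" as the scanner printed it
    severity: str
    fix: "str | None"     # fixed version, or None when the scanner knows of none

# Constructed sample input: the issue's table rows, whitespace-separated, URL column dropped.
SCAN_OUTPUT = """\
CVE-2018-25076 events-3.3.0 Critical None
CVE-2022-43604 opener-1.5.2 Critical None
CVE-2022-21698 github.com/prometheus/client_golang-v1.11.0 High None
CVE-2023-0361 libgnutls30-3.6.7-4+deb10u9 High 3.6.7-4+deb10u10
CVE-2023-26604 libsystemd0-241-7~deb10u8 High None
CVE-2011-3389 libgnutls30-3.6.7-4+deb10u9 Medium None
"""

NAME_RE = re.compile(r"^(.+?)-v?\d")        # package name = text before the version
DEBIAN_RE = re.compile(r"[+~]deb\d+u\d+$")  # Debian security-update version suffix

def parse(text: str) -> list:
    findings = []
    for line in text.splitlines():
        cve, pkg, sev, fix = line.split()
        findings.append(Finding(cve, pkg, sev, None if fix == "None" else fix))
    return findings

def origin(f: Finding) -> str:
    """Where a fix must come from; heuristics on the package string (assumption)."""
    if DEBIAN_RE.search(f.package):
        return "base-image"  # patched by rebuilding on an updated base image
    if "/" in f.package:
        return "go-module"   # needs a go.mod bump and a new jsPolicy release
    return "npm"             # needs a package.json bump and a new jsPolicy release

def package_name(f: Finding) -> str:
    return NAME_RE.match(f.package).group(1)

def triage(findings):
    """Split into findings patchable today (fix version known) and those to track."""
    return [f for f in findings if f.fix], [f for f in findings if not f.fix]

def apt_hint(f: Finding) -> str:
    """Temporary control for a fixable base-image finding: pin the patched package in
    the image build (assumes a Debian-based image, as the +deb10 suffix indicates)."""
    return f"apt-get install --only-upgrade {package_name(f)}={f.fix}"
```

Run against the constructed rows, only CVE-2023-0361 lands in the fixable bucket; the remaining five have no upstream fix yet and can only be tracked, not patched, until the dependency maintainers release one.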