milvus-io / milvus

A cloud-native vector database, storage for next generation AI applications
https://milvus.io
Apache License 2.0
29.27k stars 2.81k forks

[Bug]: CVEs of milvus-etcd #34520

Open weiZhenkun opened 1 month ago

weiZhenkun commented 1 month ago

Is there an existing issue for this?

Environment

- Milvus version: 2.4.5

Current Behavior

Can we update to the latest version of milvus-etcd?

| Image | Total | CRITICAL&HIGH | CVE detail |
| --- | --- | --- | --- |
| docker.io/milvusdb/etcd:3.5.5-r4 | 203 | 54 | (UNKNOWN: 0, LOW: 78, MEDIUM: 74, HIGH: 49, CRITICAL: 2) |
| docker.io/bitnami/etcd:3.5.14 | 91 | 4 | (UNKNOWN: 0, LOW: 66, MEDIUM: 20, HIGH: 4, CRITICAL: 1) |

Expected Behavior

No response

Steps To Reproduce

No response

Milvus Log

No response

Anything else?

No response

yanliang567 commented 1 month ago

/assign @LoveEachDay

I think we have some plans for this, please help to share more info.

/unassign

weiZhenkun commented 1 month ago

@LoveEachDay please share the info, thanks.

LoveEachDay commented 1 month ago

@weiZhenkun We are testing etcd 3.5.14 in-house, and will release it alongside the next Milvus upgrade if everything is OK.

weiZhenkun commented 1 month ago

@LoveEachDay Can we also upgrade the base image from Debian 11 to Debian 12?

xiaofan-luan commented 1 month ago

We are targeting to upgrade etcd to 3.5.14 in 2.4.7, right? @LoveEachDay