moby / buildkit

concurrent, cache-efficient, and Dockerfile-agnostic builder toolkit
https://github.com/moby/moby/issues/34227
Apache License 2.0

Fix code scanning alert - CVE-2024-24791 / CVE-2022-30635 / CVE-2024-34155 / CVE-2024-34156 / CVE-2024-34158 #5232

Open crazy-max opened 3 months ago

crazy-max commented 3 months ago

Tracking issue for:

Relates to upstream cni project https://github.com/moby/buildkit/blob/148c80ba931d0bf02a0cdb7c56a58363a475daff/Dockerfile#L9

Looking at their release workflow: https://github.com/containernetworking/plugins/blob/acf8ddc8e1128e6f68a34f7fe91122afeb1fa93d/.github/workflows/release.yaml#L19 a new release would fix it.

antemasqued commented 2 months ago

Looks like the current release is also affected by CVE-2024-24790. Please bump the Golang version as well 🙏🏼.

https://github.com/golang/go/issues/67680 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-24790