Open paulgmiller opened 5 days ago
https://github.com/projectcalico/calico/pull/8975 is my naive attempt to address.
Found another CVE in 3.26 with a newer version of trivy, so also attached a PR for that.
@Behnam-Shobiri Thoughts on this?
Since 3.26 is out of support, we do not track the CVEs. We encourage everyone to stay on the latest 2 minor versions (the latest patch of them).
trivy image --ignore-unfixed --severity=HIGH,CRITICAL docker.io/calico/node:v3.26.4 (Also same for mcr.microsoft.com/oss/calico/node:v3.26.4-c06a60 which is a slightly later commit)
Expected Behavior
No critical CVEs in supported releases.
Current Behavior
k8s.io/kubernetes exposes CVE https://avd.aquasec.com/nvd/2023/cve-2023-5528/
Possible Solution
Should be fixable with a go mod upgrade to 1.26.11 (can try and make a PR)
Steps to Reproduce (for bugs)
See trivy link at top
Context
AKS still deploys 3.26 calico (and will for a while) so customers are concerned.
Your Environment