Open DreyfussDaena opened 2 months ago
All glibc vulnerabilities are unfixable on 1.16-alpine variants as Alpine's musl-to-glibc linker doesn't support newer glibc.
The other vulnerabilities should be handled in our upcoming 1.16.12 enterprise release.
Gloo Edge Product
Enterprise
Gloo Edge Version
gloo-ee 1.16.11-alpine (gloo 1.16.16)
Kubernetes Version
v1.28.6
Describe the bug
CVE-2024-5535 (BDSA-2024-4055) 9.1 from openssl 3.0.13-r0
CVE-2024-24791 (BDSA-2024-4102) 7.5 from golang-runtime 1.21.9
CVE-2024-33602 (BDSA-2024-2058) 8.6 from glibc 2.34-r0
CVE-2024-33601 (BDSA-2024-2060) 7.5 from glibc 2.34-r0
CVE-2024-2961 (BDSA-2024-1765) 7.3 from glibc 2.34-r0
CVE-2024-2398 (BDSA-2024-0743) 8.6 from curl 8.5.0-r0
Expected Behavior
These vulnerabilities should be resolved ASAP as they are high severity and could cause potential security issues.
Steps to reproduce the bug
These vulnerabilities came up on a BlackDuck scan while scanning the gloo images.
Additional Environment Detail
No response
Additional Context
No response