stakater / Reloader

A Kubernetes controller to watch changes in ConfigMap and Secrets and do rolling upgrades on Pods with their associated Deployment, StatefulSet, DaemonSet and DeploymentConfig – [✩Star] if you're using it!
https://docs.stakater.com/reloader/
Apache License 2.0

bump go from 1.21.6 -> 1.21.9 #673

Closed antoinerg closed 4 months ago

antoinerg commented 4 months ago

Resolves several CVEs.

Prior to this change:

ghcr.io/stakater/reloader:v1.0.101 (debian 12.5)

Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

manager (gobinary)

Total: 6 (UNKNOWN: 0, LOW: 0, MEDIUM: 5, HIGH: 1, CRITICAL: 0)

┌─────────┬────────────────┬──────────┬────────┬───────────────────┬────────────────┬─────────────────────────────────────────────────────────────┐
│ Library │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version  │                            Title                            │
├─────────┼────────────────┼──────────┼────────┼───────────────────┼────────────────┼─────────────────────────────────────────────────────────────┤
│ stdlib  │ CVE-2023-45288 │ HIGH     │ fixed  │ 1.21.6            │ 1.21.9, 1.22.2 │ golang: net/http, x/net/http2: unlimited number of          │
│         │                │          │        │                   │                │ CONTINUATION frames causes DoS                              │
│         │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2023-45288                  │
│         ├────────────────┼──────────┤        │                   ├────────────────┼─────────────────────────────────────────────────────────────┤
│         │ CVE-2023-45289 │ MEDIUM   │        │                   │ 1.21.8, 1.22.1 │ golang: net/http/cookiejar: incorrect forwarding of         │
│         │                │          │        │                   │                │ sensitive headers and cookies on HTTP redirect...           │
│         │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2023-45289                  │
│         ├────────────────┤          │        │                   │                ├─────────────────────────────────────────────────────────────┤
│         │ CVE-2023-45290 │          │        │                   │                │ golang: net/http: memory exhaustion in                      │
│         │                │          │        │                   │                │ Request.ParseMultipartForm                                  │
│         │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2023-45290                  │
│         ├────────────────┤          │        │                   │                ├─────────────────────────────────────────────────────────────┤
│         │ CVE-2024-24783 │          │        │                   │                │ golang: crypto/x509: Verify panics on certificates with an  │
│         │                │          │        │                   │                │ unknown public key algorithm...                             │
│         │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2024-24783                  │
│         ├────────────────┤          │        │                   │                ├─────────────────────────────────────────────────────────────┤
│         │ CVE-2024-24784 │          │        │                   │                │ golang: net/mail: comments in display names are incorrectly │
│         │                │          │        │                   │                │ handled                                                     │
│         │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2024-24784                  │
│         ├────────────────┤          │        │                   │                ├─────────────────────────────────────────────────────────────┤
│         │ CVE-2024-24785 │          │        │                   │                │ golang: html/template: errors returned from MarshalJSON     │
│         │                │          │        │                   │                │ methods may break template escaping                         │
│         │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2024-24785                  │
└─────────┴────────────────┴──────────┴────────┴───────────────────┴────────────────┴─────────────────────────────────────────────────────────────┘

Following this change, trivy reports zero CVEs :tada:

github-actions[bot] commented 4 months ago

@antoinerg Images are available for testing.
docker pull ghcr.io/stakater/reloader:SNAPSHOT-PR-673-7b088bed
docker pull ghcr.io/stakater/reloader:SNAPSHOT-PR-673-UBI-7b088bed

antoinerg commented 4 months ago

@antoinerg Images are available for testing.
docker pull ghcr.io/stakater/reloader:SNAPSHOT-PR-673-7b088bed
docker pull ghcr.io/stakater/reloader:SNAPSHOT-PR-673-UBI-7b088bed

➜  ~ docker run -it aquasec/trivy:latest image ghcr.io/stakater/reloader:SNAPSHOT-PR-673-7b088bed
2024-05-30T21:48:12Z    INFO    Need to update DB
2024-05-30T21:48:12Z    INFO    Downloading DB...   repository="ghcr.io/aquasecurity/trivy-db:2"
47.48 MiB / 47.48 MiB [------------------------------------------------------------------------------------------------] 100.00% 43.00 MiB p/s 1.3s
2024-05-30T21:48:14Z    INFO    Vulnerability scanning is enabled
2024-05-30T21:48:14Z    INFO    Secret scanning is enabled
2024-05-30T21:48:14Z    INFO    If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-05-30T21:48:14Z    INFO    Please see also https://aquasecurity.github.io/trivy/v0.51/docs/scanner/secret/#recommendation for faster secret detection
2024-05-30T21:48:14Z    INFO    Detected OS family="debian" version="12.5"
2024-05-30T21:48:14Z    INFO    [debian] Detecting vulnerabilities...   os_version="12" pkg_num=3
2024-05-30T21:48:14Z    INFO    Number of language-specific files   num=1
2024-05-30T21:48:14Z    INFO    [gobinary] Detecting vulnerabilities...

ghcr.io/stakater/reloader:SNAPSHOT-PR-673-7b088bed (debian 12.5)

Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

Sweet! :tada:
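The Trivy table in the PR description and the re-scan above both turn on one question: which Go release on the 1.21 line closes every stdlib finding, and was the shipped binary actually built with at least that release? The following is an added example, not code from the Reloader project or from the PR author, that answers both in the same way Trivy does: it takes the "Installed Version" and the "Fixed Version" cells from the table (copied from the PR description; the cells for the last four CVEs are the merged "1.21.8, 1.22.1" cell), derives the bump target on the installed minor line (1.21.9 here, because CVE-2023-45288 needs it while the others are closed by 1.21.8), and then compares that target with the toolchain version recorded in a Go binary's build info. The function names and the constructed fixed-version list are the example's own.

```go
package main

import (
	"fmt"
	"runtime"
	"runtime/debug"
	"strconv"
	"strings"
)

// GoVersion is a parsed Go release number (major.minor.patch).
type GoVersion struct{ Major, Minor, Patch int }

// ParseGoVersion accepts the forms that Trivy tables and the Go runtime use:
// "go1.21.6", "1.21.9" and "1.22" (patch defaults to 0). Pre-release
// toolchains such as "go1.22rc1" or "devel ..." are rejected rather than
// guessed at, because they cannot be ordered against a fixed release.
func ParseGoVersion(s string) (GoVersion, error) {
	s = strings.TrimPrefix(strings.TrimSpace(s), "go")
	parts := strings.Split(s, ".")
	if len(parts) < 2 || len(parts) > 3 {
		return GoVersion{}, fmt.Errorf("unrecognised Go version %q", s)
	}
	var nums [3]int
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil || n < 0 {
			return GoVersion{}, fmt.Errorf("unrecognised Go version %q", s)
		}
		nums[i] = n
	}
	return GoVersion{nums[0], nums[1], nums[2]}, nil
}

// Compare returns -1, 0 or 1 as a is older than, equal to or newer than b.
func (a GoVersion) Compare(b GoVersion) int {
	for _, d := range [3]int{a.Major - b.Major, a.Minor - b.Minor, a.Patch - b.Patch} {
		if d < 0 {
			return -1
		}
		if d > 0 {
			return 1
		}
	}
	return 0
}

// BumpTarget takes the installed toolchain version and the "Fixed Version"
// cells of a Trivy report (a cell lists one fix per release line, e.g.
// "1.21.9, 1.22.2") and returns the lowest version on the installed
// minor line that closes every finding: the maximum fix on that line.
// ok is false when some finding has no fix on that line at all, which
// means a minor-version upgrade is needed instead of a patch bump.
func BumpTarget(installed GoVersion, fixedCells []string) (target GoVersion, ok bool) {
	target = installed
	for _, cell := range fixedCells {
		found := false
		for _, f := range strings.Split(cell, ",") {
			v, err := ParseGoVersion(f)
			if err != nil || v.Major != installed.Major || v.Minor != installed.Minor {
				continue // not a release on the installed line
			}
			found = true
			if v.Compare(target) > 0 {
				target = v
			}
		}
		if !found {
			return target, false
		}
	}
	return target, true
}

func main() {
	// "Installed Version" and "Fixed Version" cells from the Trivy table in the PR.
	installed, _ := ParseGoVersion("1.21.6")
	fixes := []string{
		"1.21.9, 1.22.2", // CVE-2023-45288
		"1.21.8, 1.22.1", // CVE-2023-45289
		"1.21.8, 1.22.1", // CVE-2023-45290
		"1.21.8, 1.22.1", // CVE-2024-24783
		"1.21.8, 1.22.1", // CVE-2024-24784
		"1.21.8, 1.22.1", // CVE-2024-24785
	}
	target, ok := BumpTarget(installed, fixes)
	fmt.Printf("bump target on the %d.%d line: %+v (all findings fixable there: %v)\n",
		installed.Major, installed.Minor, target, ok)

	// Trivy reads the same field from the binary's build info; here we read our own.
	// For an arbitrary binary on disk, debug/buildinfo.ReadFile exposes the same GoVersion.
	built := runtime.Version()
	if bi, okBI := debug.ReadBuildInfo(); okBI {
		built = bi.GoVersion
	}
	if v, err := ParseGoVersion(built); err != nil {
		fmt.Printf("toolchain %q is not a release version, cannot compare\n", built)
	} else if v.Compare(target) < 0 {
		fmt.Printf("built with %s: below %+v, stdlib findings still apply\n", built, target)
	} else {
		fmt.Printf("built with %s: at or above %+v\n", built, target)
	}
}
```

The same comparison explains the last comment in the thread: a release built with a toolchain older than the target keeps the findings regardless of its own version number, so checking the toolchain recorded in the binary is the reliable test, not the Reloader tag.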

antoinerg commented 4 months ago

Here's another PR for your consideration @MuneebAijaz! Thank you very much :bow:

antoinerg commented 4 months ago

Note that the CVEs above still affect v1.0.103 so this PR is still pertinent.

MuneebAijaz commented 4 months ago

Thank you for your contribution @antoinerg and sorry for the delay.