CVEs found

[smuda]

Summary

When scanning for vulns there are a number of CVEs:

• github.com/containerd/containerd
  • CVE-2021-41103 (high)
  • CVE-2021-32760 (medium)
• github.com/dgrijalva/jwt-go
  • CVE-2020-26160 (high)
• github.com/miekg/dns
  • CVE-2019-19794 (medium)
• k8s.io/kubernetes
  • CVE-2020-8554 (medium)

I'd be happy to create one or more PRs for those CVE's that are fixable by simply upgrading the dependencies but it seems there are a lot of changes required.

---

Message from the maintainers:

Impacted by this bug? Give it a 👍. We prioritize the issues with the most 👍.

[smuda]

I decided to give it a go and created a PR:
#1785

I hope thats to you liking. :-)

[jessesuen]

• github.com/containerd/containerd - is now resolved with k8s update
• github.com/dgrijalva/jwt-go - needs notification-engine to update its dependency
• github.com/miekg/dns - appears to be solvable with a go get -u
• k8s.io/kubernetes - should be resolved with k8s update

We will attempt the changes needed in notification-engine to fix the jwt-go problem

[smuda]

Thank you! I had a closer look at CVE-2020-8554 and that's not currently resolvable by updates but needs an admission webhook. At least it's out of argo-rollouts hands and can be ignored.

This is what I get by running trivy for golang:

+--------------------------------------+------------------+----------+--------------------+--------------------------------------+---------------------------------------+
|               LIBRARY                | VULNERABILITY ID | SEVERITY | INSTALLED VERSION  |            FIXED VERSION             |                 TITLE                 |
+--------------------------------------+------------------+----------+--------------------+--------------------------------------+---------------------------------------+
| github.com/dgrijalva/jwt-go          | CVE-2020-26160   | HIGH     | 3.2.0+incompatible |                                      | jwt-go: access restriction            |
|                                      |                  |          |                    |                                      | bypass vulnerability                  |
|                                      |                  |          |                    |                                      | -->avd.aquasec.com/nvd/cve-2020-26160 |
+--------------------------------------+------------------+----------+--------------------+--------------------------------------+---------------------------------------+
| github.com/miekg/dns                 | CVE-2019-19794   | MEDIUM   | 1.0.14             | 1.1.25-0.20191211073109-8ebf2e419df7 | golang-github-miekg-dns: predictable  |
|                                      |                  |          |                    |                                      | TXID can lead to response forgeries   |
|                                      |                  |          |                    |                                      | -->avd.aquasec.com/nvd/cve-2019-19794 |
+--------------------------------------+------------------+----------+--------------------+--------------------------------------+---------------------------------------+
| github.com/opencontainers/image-spec | GMS-2021-101     | UNKNOWN  | 1.0.1              | 1.0.2                                | Clarify `mediaType` handling          |
+--------------------------------------+------------------+----------+--------------------+--------------------------------------+---------------------------------------+
| k8s.io/kubernetes                    | CVE-2020-8554    | MEDIUM   | 1.23.1             |                                      | kubernetes: MITM using                |
|                                      |                  |          |                    |                                      | LoadBalancer or ExternalIPs           |
|                                      |                  |          |                    |                                      | -->avd.aquasec.com/nvd/cve-2020-8554  |
+--------------------------------------+------------------+----------+--------------------+--------------------------------------+---------------------------------------+

Looking at GMS-2021-101 it seems to require another update to the k8s api:

github.com/argoproj/argo-rollouts
k8s.io/[email protected] =>
github.com/google/[email protected] =>
github.com/opencontainers/[email protected]

However, the information that I could find suggests it's a documentation issue and could propably be ignored.

[smuda]

Once the low hanging CVE fruits are handled, would it be possible to to a release? That way I could make a PR to stakater/reloader which for me what this was all about.

[harikrongali]

@smuda we will be having new release next week. Changes will be part of it.

[bskidmore]

Does this release include CVE-2020-8554? If not is there an update for that fix?

[harikrongali]

it is part of 1.2.0-rc1