Import Automation: Zero day vulnerability force upgrade libwebp version #969

Closed

Conversation

jehangiramjad (Contributor)

We continue to be notified that the Docker images are still using libwebp 1.2.4-0.2. Trying with a force version upgrade.

shifucun (Contributor) left a comment

In this link, you can see each Docker image and its vulnerability details. Looks like the most recent one does not reduce it.

https://pantheon.corp.google.com/gcr/images/datcom-ci/global/datacommons-import-automation-executor?mods=-monitoring_api_staging

Also, if you click into the most recent one, it looks like there are no fixes for the found issues. So maybe double-check the reported vulnerability and the one listed here.

shifucun (Contributor)


Note the reopened one in b/320239641 refers to an old Docker image (which I think is still in deployment in GKE). So the latest one should be OK.

jehangiramjad (Contributor, Author)

OK, interesting. Perhaps the vulnerability checking internally on prod (which is what's opening the bug) is not getting refreshed. I have now deleted and then redeployed GKE, and the latest Docker image is associated with the newest commit after yesterday's PR submission. So that should (in theory) mean that the old image being referenced in the bug is no longer being used anywhere. Let me try to "fix" the bug again and see what happens.

jehangiramjad (Contributor, Author)

Looks like this isn't needed and that the vulnerability reported is now gone.

@jehangiramjad jehangiramjad deleted the import-automation3 branch January 25, 2024 04:59
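The thread above relies on the scanner's (possibly stale) view of the image. As an added example that is not part of this PR or the Data Commons repository, the script below reads the package versions actually installed in a built image and flags any libwebp package that is not newer than the 1.2.4-0.2 the scanner kept reporting, using a reimplementation of dpkg's version ordering so that revisions such as "0.2+deb12u1" or "0.2~rc1" sort correctly. The dpkg-query output is constructed, and the "+deb12u1" revision is an assumed patched version, not one named in the PR.

```python
# Flag libwebp packages inside a built image still at a known-vulnerable Debian version.
def _order(c):  # dpkg weight: '~' < end/digit < letters < other symbols
    return -1 if c == "~" else 0 if c.isdigit() else ord(c) if c.isalpha() else ord(c) + 256
def _verrevcmp(a, b):
    """dpkg-style compare of one version part: alternating non-digit and digit runs."""
    while a or b:
        while (a and not a[0].isdigit()) or (b and not b[0].isdigit()):
            ac, bc = (_order(a[0]) if a else 0), (_order(b[0]) if b else 0)
            if ac != bc:
                return ac - bc
            a, b = a[1:], b[1:]
        a, b = a.lstrip("0"), b.lstrip("0")  # leading zeros are insignificant
        first_diff = 0
        while a and b and a[0].isdigit() and b[0].isdigit():
            first_diff = first_diff or ord(a[0]) - ord(b[0])
            a, b = a[1:], b[1:]
        if a and a[0].isdigit():
            return 1  # the longer digit run is the larger number
        if b and b[0].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0
def _split(v):  # [epoch:]upstream[-revision]
    epoch, _, rest = v.partition(":") if ":" in v else ("0", "", v)
    upstream, _, revision = rest.rpartition("-") if "-" in rest else (rest, "", "")
    return int(epoch), upstream, revision
def compare_deb_versions(v1, v2):
    """<0 if v1 is older than v2, 0 if equal, >0 if newer: epoch, then upstream, then revision."""
    e1, u1, r1 = _split(v1)
    e2, u2, r2 = _split(v2)
    return (e1 - e2) or _verrevcmp(u1, u2) or _verrevcmp(r1, r2)
VULNERABLE_MAX = "1.2.4-0.2"  # the version the scanner kept reporting in this PR

# Constructed sample of `dpkg-query -W -f '${Package} ${Version}\n' 'libwebp*'` run inside an
# image; the "+deb12u1" suffix is an assumed patched revision, not a version from the PR.
SAMPLE_DPKG_OUTPUT = """libwebp7 1.2.4-0.2
libwebpdemux2 1.2.4-0.2+deb12u1
libwebpmux3 1.2.4-0.2+deb12u1
"""

def unpatched_packages(dpkg_output, vulnerable_max=VULNERABLE_MAX):
    """Return (package, version) pairs whose version is not newer than vulnerable_max."""
    stale = []
    for line in dpkg_output.splitlines():
        if line.strip():
            pkg, ver = line.split(None, 1)
            if compare_deb_versions(ver.strip(), vulnerable_max) <= 0:
                stale.append((pkg, ver.strip()))
    return stale
```

Run the dpkg-query command from the comment inside the candidate image (for example via `docker run --rm IMAGE ...`) and feed its output to `unpatched_packages`; an empty result means every libwebp package is past the flagged version regardless of what the scanner currently shows.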