Bump base image #1470

Merged
merged 1 commit into from
Dec 2, 2024
Conversation

kylos101
Collaborator

@kylos101 kylos101 commented Dec 2, 2024

Description

This should fix:

```
│    Library     │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version  │                            Title                             │
├────────────────┼────────────────┼──────────┼────────┼───────────────────┼────────────────┼──────────────────────────────────────────────────────────────┤
│ linux-libc-dev │ CVE-2024-26800 │ HIGH     │ fixed  │ 5.15.0-124.134    │ 5.15.0-125.135 │ kernel: tls: fix use-after-free on failed backlog decryption │
│                │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2024-26800                   │
│                ├────────────────┤          │        │                   │                ├──────────────────────────────────────────────────────────────┤
│                │ CVE-2024-43882 │          │        │                   │                │ kernel: exec: Fix ToCToU between perm check and set-uid/gid  │
│                │                │          │        │                   │                │ usage                                                        │
│                │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2024-43882                   │
```

We still have a vulnerability with docker compose, but need to update gitpod-io/buildkit#1 before we can update docker compose here.

Related Issue(s)

Related to CLC-306

How to test

This vulnerability should no longer appear when the scan is done

Documentation

/hold

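The "How to test" step above is a manual check that the two linux-libc-dev CVEs stop showing up in the image scan. The script below is an added example, not part of this PR or of the Gitpod code base, of how that check can be made a CI gate: it reads a Trivy JSON report (the `Results[].Vulnerabilities[]` layout that `trivy image --format json` produces), fails if any CVE the bump was meant to remove is still reported, fails on unaccepted HIGH/CRITICAL findings, and tolerates findings that carry an explicit allowlist reason, such as the docker compose issue that is blocked on gitpod-io/buildkit#1. The two sample reports are constructed: the linux-libc-dev rows mirror the PR's table, while the docker compose entry uses a placeholder CVE id and version because the PR does not name them.

```python
"""Gate a Trivy image scan: fail when a CVE the base-image bump was supposed to
remove is still reported, or when a HIGH/CRITICAL finding has no accepted reason.
Added example; the report shape follows Trivy's JSON output, the data is constructed."""
import json
from dataclasses import dataclass

BLOCKING_SEVERITIES = {"HIGH", "CRITICAL"}


@dataclass
class GateResult:
    regressions: list   # CVEs expected to be fixed by the bump but still present
    unexpected: list    # blocking-severity CVEs with no allowlist entry
    allowed: list       # blocking-severity CVEs tolerated via the allowlist

    @property
    def ok(self) -> bool:
        return not self.regressions and not self.unexpected


def iter_findings(report: dict):
    """Yield (target, finding) pairs. Trivy emits null for a clean target's list."""
    for result in report.get("Results", []):
        for finding in result.get("Vulnerabilities") or []:
            yield result.get("Target", "?"), finding


def gate(report: dict, expected_fixed: set, allowlist: dict) -> GateResult:
    """allowlist maps a CVE id to the written reason it is tolerated for now."""
    regressions, unexpected, allowed = set(), set(), set()
    for _target, finding in iter_findings(report):
        cve = finding["VulnerabilityID"]
        if cve in expected_fixed:
            regressions.add(cve)
        if finding.get("Severity") in BLOCKING_SEVERITIES:
            (allowed if cve in allowlist else unexpected).add(cve)
    # A regression is reported once, under regressions, not again as unexpected.
    return GateResult(sorted(regressions), sorted(unexpected - regressions), sorted(allowed))


# Constructed sample reports in Trivy's JSON layout. The linux-libc-dev entries
# mirror the PR description; the docker compose entry is a placeholder.
BEFORE_BUMP = json.loads("""{
  "Results": [
    {"Target": "base image (constructed)", "Class": "os-pkgs", "Vulnerabilities": [
      {"VulnerabilityID": "CVE-2024-26800", "PkgName": "linux-libc-dev",
       "InstalledVersion": "5.15.0-124.134", "FixedVersion": "5.15.0-125.135",
       "Severity": "HIGH", "Status": "fixed",
       "Title": "kernel: tls: fix use-after-free on failed backlog decryption"},
      {"VulnerabilityID": "CVE-2024-43882", "PkgName": "linux-libc-dev",
       "InstalledVersion": "5.15.0-124.134", "FixedVersion": "5.15.0-125.135",
       "Severity": "HIGH", "Status": "fixed",
       "Title": "kernel: exec: Fix ToCToU between perm check and set-uid/gid usage"}
    ]},
    {"Target": "docker compose plugin (constructed)", "Class": "lang-pkgs", "Vulnerabilities": [
      {"VulnerabilityID": "CVE-PLACEHOLDER-0001", "PkgName": "docker-compose (placeholder)",
       "InstalledVersion": "x.y.z", "FixedVersion": "x.y.z+1",
       "Severity": "HIGH", "Status": "fixed"}
    ]}
  ]
}""")

AFTER_BUMP = json.loads("""{
  "Results": [
    {"Target": "base image (constructed)", "Class": "os-pkgs", "Vulnerabilities": null},
    {"Target": "docker compose plugin (constructed)", "Class": "lang-pkgs", "Vulnerabilities": [
      {"VulnerabilityID": "CVE-PLACEHOLDER-0001", "PkgName": "docker-compose (placeholder)",
       "InstalledVersion": "x.y.z", "FixedVersion": "x.y.z+1",
       "Severity": "HIGH", "Status": "fixed"}
    ]}
  ]
}""")

EXPECTED_FIXED = {"CVE-2024-26800", "CVE-2024-43882"}
ALLOWLIST = {"CVE-PLACEHOLDER-0001": "blocked on gitpod-io/buildkit#1; fix there first"}


if __name__ == "__main__":
    for name, report in (("before bump", BEFORE_BUMP), ("after bump", AFTER_BUMP)):
        result = gate(report, EXPECTED_FIXED, ALLOWLIST)
        print(f"{name}: {'ok' if result.ok else 'FAIL'} {result}")
```

The allowlist is keyed on the CVE id and forces a reason string, so the outstanding docker compose finding stays visible in the gate output rather than silently disappearing; when gitpod-io/buildkit#1 is resolved the entry is removed and the gate starts failing again if the finding persists.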
@kylos101 kylos101 requested review from a team as code owners December 2, 2024 15:08
Member

@filiptronicek filiptronicek left a comment


LGTM

@kylos101 kylos101 enabled auto-merge (squash) December 2, 2024 16:25
@kylos101
Collaborator Author

kylos101 commented Dec 2, 2024

Enabled auto merge, good luck branch PR build!

@kylos101 kylos101 merged commit da8ccef into main Dec 2, 2024
4 checks passed
@kylos101 kylos101 deleted the kylos101/clc-306 branch December 2, 2024 17:19