We read every piece of feedback, and take your input very seriously.
To see all available qualifiers, see our documentation.
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
What happened:
The recent trivy scan showed there are some CRITICAL and HIGH severity vulnerabilities in v6.3.4.
registry.k8s.io/sig-storage/csi-snapshotter:v6.3.4 (debian 11.9) ================================================================ Total: 0 (HIGH: 0, CRITICAL: 0) csi-snapshotter (gobinary) ========================== Total: 5 (HIGH: 4, CRITICAL: 1) ┌─────────┬────────────────┬──────────┬────────┬───────────────────┬──────────────────────────────────┬──────────────────────────────────────────────────────────────┐ │ Library │ Vulnerability │ Severity │ Status │ Installed Version │ Fixed Version │ Title │ ├─────────┼────────────────┼──────────┼────────┼───────────────────┼──────────────────────────────────┼──────────────────────────────────────────────────────────────┤ │ stdlib │ CVE-2024-24790 │ CRITICAL │ fixed │ 1.20.5 │ 1.21.11, 1.22.4 │ golang: net/netip: Unexpected behavior from Is methods for │ │ │ │ │ │ │ │ IPv4-mapped IPv6 addresses │ │ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2024-24790 │ │ ├────────────────┼──────────┤ │ ├──────────────────────────────────┼──────────────────────────────────────────────────────────────┤ │ │ CVE-2023-39325 │ HIGH │ │ │ 1.20.10, 1.21.3 │ golang: net/http, x/net/http2: rapid stream resets can cause │ │ │ │ │ │ │ │ excessive work (CVE-2023-44487) │ │ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2023-39325 │ │ ├────────────────┤ │ │ ├──────────────────────────────────┼──────────────────────────────────────────────────────────────┤ │ │ CVE-2023-45283 │ │ │ │ 1.20.11, 1.21.4, 1.20.12, 1.21.5 │ The filepath package does not recognize paths with a \??\ │ │ │ │ │ │ │ │ prefix as... │ │ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2023-45283 │ │ ├────────────────┤ │ │ ├──────────────────────────────────┼──────────────────────────────────────────────────────────────┤ │ │ CVE-2023-45288 │ │ │ │ 1.21.9, 1.22.2 │ golang: net/http, x/net/http2: unlimited number of │ │ │ │ │ │ │ │ CONTINUATION frames causes DoS │ │ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2023-45288 │ │ ├────────────────┤ │ │ ├──────────────────────────────────┼──────────────────────────────────────────────────────────────┤ │ │ CVE-2024-34156 │ │ │ │ 1.22.7, 1.23.1 │ encoding/gob: golang: Calling Decoder.Decode on a message │ │ │ │ │ │ │ │ which contains deeply nested structures... │ │ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2024-34156 │ └─────────┴────────────────┴──────────┴────────┴───────────────────┴──────────────────────────────────┴──────────────────────────────────────────────────────────────┘
It seems some had been fixed in newer major versions. However, we cannot update to the major versions due to potential breaking changes mentioned in https://kubernetes-csi.github.io/docs/project-policies.html#versioning.
What is the supporting period for the minor versions? And could we have those CVE issues fixed?
What you expected to happen:
The CVE issues should be handled with the minor/patch release.
How to reproduce it:
Anything else we need to know?:
Environment:
kubectl version
uname -a
The text was updated successfully, but these errors were encountered:
No branches or pull requests
What happened:
The recent trivy scan showed there are some CRITICAL and HIGH severity vulnerabilities in v6.3.4.
It seems some had been fixed in newer major versions. However, we cannot update to the major versions due to potential breaking changes mentioned in https://kubernetes-csi.github.io/docs/project-policies.html#versioning.
What is the supporting period for the minor versions? And could we have those CVE issues fixed?
What you expected to happen:
The CVE issues should be handled with the minor/patch release.
How to reproduce it:
Anything else we need to know?:
Environment:
kubectl version
):uname -a
):The text was updated successfully, but these errors were encountered: