v2.6.1 is affected by CVE-2022-32149 #249
Comments
Thanks for raising this issue, we could do that or sync master's go.mod https://github.com/kubernetes-csi/node-driver-registrar/blob/master/go.mod#L42 to release-2.6
The problem is that the node-driver-registrar master branch has transitive dependencies on
I see, yes the replace sounds good, you could create a PR against master and then use https://github.com/kubernetes/kubernetes/blob/master/hack/cherry_pick_pull.sh to cherry-pick it to release-2.6
This is fixed by #243
Thank you for merging the MR @msau42. Is it possible to release 2.6.3 so a container without the discovered vulns is available?
/assign @knopt Thanks for the updates in the branches to fix vuln issues. Yes, I'll create a release for v2.6.2 (for kubernetes 1.25) and also v2.7.0 (new release branch from master for kubernetes 1.26)
dc4d0ae2 Merge pull request kubernetes-csi#249 from jsafrane/use-go-version
e681b170 Use .go-version to get Kubernetes go version
git-subtree-dir: release-tools
git-subtree-split: dc4d0ae20a3dcce17fbfc745fb1f1e3b10cd9644

dc4d0ae2 Merge pull request kubernetes-csi#249 from jsafrane/use-go-version
e681b170 Use .go-version to get Kubernetes go version
b54c1ba4 Merge pull request kubernetes-csi#246 from xing-yang/go_1.21
5436c81e Change go version to 1.21.5
267b40e9 Merge pull request kubernetes-csi#244 from carlory/sig-storage
b42e5a2d nominate self (carlory) as kubernetes-csi reviewer
a17f536f Merge pull request kubernetes-csi#210 from sunnylovestiramisu/sidecar
011033de Use set -x instead of die
5deaf667 Add wrapper script for sidecar release
f8c8cc4c Merge pull request kubernetes-csi#237 from msau42/prow
b36b5bfd Merge pull request kubernetes-csi#240 from dannawang0221/upgrade-go-version
adfddcc9 Merge pull request kubernetes-csi#243 from pohly/git-subtree-pull-fix
c4650889 pull-test.sh: avoid "git subtree pull" error
7b175a1e Update csi-test version to v5.2.0
987c90cc Update go version to 1.21 to match k/k
2c625d41 Add script to generate patch release notes
f9d5b9c0 Merge pull request kubernetes-csi#236 from mowangdk/feature/bump_csi-driver-host-path_version
b01fd537 Bump csi-driver-host-path version up to v1.12.0
git-subtree-dir: release-tools
git-subtree-split: dc4d0ae20a3dcce17fbfc745fb1f1e3b10cd9644
The latest release is affected by vulnerability CVE-2022-32149, which is marked as high severity. The issue is being addressed in other parts of Kubernetes as well, see: https://github.com/kubernetes/kubernetes/pull/112989/files
My proposed solution is to add the following directive to go.mod:
I'd be happy to submit a PR when the solution is agreed upon.
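The thread settles on a go.mod `replace` directive as the way to force a transitive dependency onto a patched version. The following is an added example, not code from the issue or from node-driver-registrar: a small stdlib-only Go check that reads a go.mod, works out which golang.org/x/text version the build will actually use (a module-wide `replace` wins over the `require` line), and flags anything older than v0.3.8, the first x/text release that fixes CVE-2022-32149. The two go.mod fragments are constructed for the demo (`example.com/driver`, `example.com/somelib` and the versions in them are placeholders); the "after" fragment adds the pin that the discussion proposes.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// Module carrying the CVE-2022-32149 flaw and the first release that fixes it.
const (
	textModule   = "golang.org/x/text"
	fixedVersion = "v0.3.8"
)

// Constructed go.mod fragments for this demo, not node-driver-registrar's real
// file: "before" pulls x/text in transitively at a vulnerable version, "after"
// adds the module-wide replace directive that pins the first fixed release.
const SampleBefore = `module example.com/driver

require (
	example.com/somelib v1.2.3
	golang.org/x/text v0.3.7 // indirect
)
`
const SampleAfter = SampleBefore + "\nreplace golang.org/x/text => golang.org/x/text v0.3.8\n"

// versionParts parses "v0.3.7" (any -pre/+build suffix ignored); ok is false otherwise.
func versionParts(v string) (p [3]int, ok bool) {
	if i := strings.IndexAny(v, "-+"); i >= 0 {
		v = v[:i]
	}
	n, err := fmt.Sscanf(v, "v%d.%d.%d", &p[0], &p[1], &p[2])
	return p, err == nil && n == 3
}

// olderThan reports whether semver a is strictly lower than semver b.
func olderThan(a, b string) bool {
	pa, okA := versionParts(a)
	pb, okB := versionParts(b)
	for i := 0; okA && okB && i < 3; i++ {
		if pa[i] != pb[i] {
			return pa[i] < pb[i]
		}
	}
	return false
}

// EffectiveTextVersion returns the golang.org/x/text version a go.mod text
// actually builds with (a module-wide "old => new vX" replace overrides the
// require line); ok is false if absent. Versioned/local replaces are ignored.
func EffectiveTextVersion(goMod string) (version string, ok bool) {
	required, replaced := "", ""
	block := "" // "require" or "replace" while inside a "( ... )" block
	sc := bufio.NewScanner(strings.NewReader(goMod))
	for sc.Scan() {
		line := strings.TrimSpace(strings.SplitN(sc.Text(), "//", 2)[0]) // drop comments
		if line == ")" {
			block = ""
		}
		if line == "" || line == ")" {
			continue
		}
		fields := strings.Fields(line)
		directive := block
		if block == "" {
			directive, fields = fields[0], fields[1:]
			if len(fields) == 1 && fields[0] == "(" {
				block = directive
				continue
			}
		}
		if len(fields) < 2 || fields[0] != textModule {
			continue
		}
		switch {
		case directive == "require":
			required = fields[1]
		case directive == "replace" && len(fields) >= 4 && fields[1] == "=>":
			replaced = fields[3] // right-hand version of "old => new vX"
		}
	}
	if replaced != "" {
		return replaced, true
	}
	return required, required != ""
}

// VulnerableTextVersion reports the effective x/text version and whether it predates the fix.
func VulnerableTextVersion(goMod string) (string, bool) {
	v, ok := EffectiveTextVersion(goMod)
	return v, ok && olderThan(v, fixedVersion)
}

func main() {
	for _, mod := range []string{SampleBefore, SampleAfter} {
		v, vuln := VulnerableTextVersion(mod)
		fmt.Printf("%s %s vulnerable=%v\n", textModule, v, vuln)
	}
}
```

Running it prints the "before" fragment as vulnerable at v0.3.7 and the "after" fragment as clean at v0.3.8. The point of modelling `replace` precedence is that a `require` line alone does not tell you what ships: on a release branch the transitive `// indirect` requirement can stay at the old version while the `replace` is what actually fixes the build, and conversely a `replace` to a local path or an older version silently undoes a bumped `require`.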