
images: k8s-cloud-builder go1.18 and CVE updates for debian-base #2371

Merged: 2 commits merged into kubernetes:master on Dec 17, 2021

Conversation

justaugustus
Member

What type of PR is this?

/kind feature
/area dependency release-eng/security

What this PR does / why we need it:

Part of #2307.

  • [go1.18] Build k8s-cloud-builder:v1.24.0-go1.18beta1-bullseye.0
  • debian-base: Build bullseye-v1.1.0 and buster-v1.10.0

/assign @cpanato @saschagrunert @puerco
/cc @kubernetes/release-engineering

Which issue(s) this PR fixes:

Special notes for your reviewer:

While working on the k/k PR, I noticed this note on upstream etcd image configs:

# TODO: move to k8s.gcr.io/build-image/debian-base:bullseye-v1.y.z when patched
FROM debian:bullseye-20210927

ref: etcd-io/etcd#13376, https://github.com/etcd-io/etcd/blob/42840d0fda78811be7ac0cdd18d7d2c3408268cc/Dockerfile-release.amd64#L1

...so let's get those patched!
/hold for checking vulns on debian-base images
cc: @hexfusion @mrueg

Does this PR introduce a user-facing change?

- images: k8s-cloud-builder go1.18 and CVE updates for debian-base
  - [go1.18] Build k8s-cloud-builder:v1.24.0-go1.18beta1-bullseye.0
  - debian-base: Build bullseye-v1.1.0 and buster-v1.10.0

@k8s-ci-robot k8s-ci-robot added do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. release-note Denotes a PR that will be considered when it comes time to generate release notes. labels Dec 17, 2021
@k8s-ci-robot k8s-ci-robot added the kind/feature Categorizes issue or PR as related to a new feature. label Dec 17, 2021
@k8s-ci-robot k8s-ci-robot added the area/dependency Issues or PRs related to dependency changes label Dec 17, 2021
@k8s-ci-robot k8s-ci-robot requested a review from a team December 17, 2021 17:33
@k8s-ci-robot k8s-ci-robot added area/release-eng/security Issues or PRs related to release engineering security cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. needs-priority size/S Denotes a PR that changes 10-29 lines, ignoring generated files. labels Dec 17, 2021
@k8s-ci-robot k8s-ci-robot added area/release-eng Issues or PRs related to the Release Engineering subproject sig/release Categorizes an issue or PR as relevant to SIG Release. approved Indicates a PR has been approved by an approver from all required OWNERS files. labels Dec 17, 2021
@Verolop
Contributor

Verolop commented Dec 17, 2021

/lgtm

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Dec 17, 2021
@Verolop
Contributor

Verolop commented Dec 17, 2021

/approved

Member

@cpanato cpanato left a comment


/lgmt

@k8s-ci-robot
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: cpanato, justaugustus, xmudrii

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:
  • OWNERS [cpanato,justaugustus,xmudrii]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@justaugustus
Member Author

Before:

time docker run -it aquasec/trivy:0.21.2 image --ignore-unfixed k8s.gcr.io/build-image/debian-base:bullseye-v1.0.0
2021-12-17T17:49:19.936Z	INFO	Need to update DB
2021-12-17T17:49:19.936Z	INFO	Downloading DB...
25.26 MiB / 25.26 MiB [-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------] 100.00% 11.12 MiB p/s 3s
2021-12-17T17:49:25.589Z	INFO	Detected OS: debian
2021-12-17T17:49:25.590Z	INFO	Detecting Debian vulnerabilities...
2021-12-17T17:49:25.602Z	INFO	Number of language-specific files: 0

k8s.gcr.io/build-image/debian-base:bullseye-v1.0.0 (debian 11.0)
================================================================
Total: 6 (UNKNOWN: 0, LOW: 0, MEDIUM: 4, HIGH: 1, CRITICAL: 1)

+------------------+------------------+----------+-------------------+------------------+---------------------------------------+
|     LIBRARY      | VULNERABILITY ID | SEVERITY | INSTALLED VERSION |  FIXED VERSION   |                 TITLE                 |
+------------------+------------------+----------+-------------------+------------------+---------------------------------------+
| libgssapi-krb5-2 | CVE-2021-37750   | MEDIUM   | 1.18.3-6          | 1.18.3-6+deb11u1 | krb5: NULL pointer dereference        |
|                  |                  |          |                   |                  | in process_tgs_req() in               |
|                  |                  |          |                   |                  | kdc/do_tgs_req.c via a FAST inner...  |
|                  |                  |          |                   |                  | -->avd.aquasec.com/nvd/cve-2021-37750 |
+------------------+                  +          +                   +                  +                                       +
| libk5crypto3     |                  |          |                   |                  |                                       |
|                  |                  |          |                   |                  |                                       |
|                  |                  |          |                   |                  |                                       |
|                  |                  |          |                   |                  |                                       |
+------------------+                  +          +                   +                  +                                       +
| libkrb5-3        |                  |          |                   |                  |                                       |
|                  |                  |          |                   |                  |                                       |
|                  |                  |          |                   |                  |                                       |
|                  |                  |          |                   |                  |                                       |
+------------------+                  +          +                   +                  +                                       +
| libkrb5support0  |                  |          |                   |                  |                                       |
|                  |                  |          |                   |                  |                                       |
|                  |                  |          |                   |                  |                                       |
|                  |                  |          |                   |                  |                                       |
+------------------+------------------+----------+-------------------+------------------+---------------------------------------+
| libssl1.1        | CVE-2021-3711    | CRITICAL | 1.1.1k-1          | 1.1.1k-1+deb11u1 | openssl: SM2 Decryption               |
|                  |                  |          |                   |                  | Buffer Overflow                       |
|                  |                  |          |                   |                  | -->avd.aquasec.com/nvd/cve-2021-3711  |
+                  +------------------+----------+                   +                  +---------------------------------------+
|                  | CVE-2021-3712    | HIGH     |                   |                  | openssl: Read buffer overruns         |
|                  |                  |          |                   |                  | processing ASN.1 strings              |
|                  |                  |          |                   |                  | -->avd.aquasec.com/nvd/cve-2021-3712  |
+------------------+------------------+----------+-------------------+------------------+---------------------------------------+
docker run -it aquasec/trivy:0.21.2 image --ignore-unfixed   0.18s user 0.24s system 4% cpu 9.018 total

After:

time docker run -it aquasec/trivy:0.21.2 image --ignore-unfixed gcr.io/k8s-staging-releng-test/debian-base:bullseye-v1.1.0
2021-12-17T17:50:29.580Z	INFO	Need to update DB
2021-12-17T17:50:29.580Z	INFO	Downloading DB...
25.26 MiB / 25.26 MiB [-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------] 100.00% 14.74 MiB p/s 2s
2021-12-17T17:50:50.476Z	INFO	Detected OS: debian
2021-12-17T17:50:50.476Z	INFO	Detecting Debian vulnerabilities...
2021-12-17T17:50:50.488Z	INFO	Number of language-specific files: 0

gcr.io/k8s-staging-releng-test/debian-base:bullseye-v1.1.0 (debian 11.1)
========================================================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

docker run -it aquasec/trivy:0.21.2 image --ignore-unfixed   0.15s user 0.17s system 1% cpu 22.040 total

/hold cancel
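The before/after scans above are the check the PR performs by hand: rebuild the base image, rescan, and confirm that no fixable HIGH or CRITICAL findings remain. The following script turns that into an automated gate. It is an added example, not code from kubernetes/release or from Trivy, and it assumes Trivy's JSON output (`trivy image --format json --ignore-unfixed <image>`), whose top-level `Results` list carries per-target `Vulnerabilities` entries keyed by `VulnerabilityID`, `PkgName`, `InstalledVersion`, `FixedVersion` and `Severity`. The two embedded reports are constructed to mirror the table and the summary lines shown in the comment, so the script runs offline; in a pipeline you would feed it the real `--format json` output instead.

```python
"""Gate an image on Trivy findings, the check the PR comment above does by hand.

Added example, not code from kubernetes/release or Trivy. Assumes Trivy's
JSON report layout (schema v2): a `Results` list whose entries hold a
`Vulnerabilities` list of findings with VulnerabilityID, PkgName,
InstalledVersion, FixedVersion and Severity fields.
"""
import json
from collections import Counter

SEVERITY_ORDER = ["UNKNOWN", "LOW", "MEDIUM", "HIGH", "CRITICAL"]

# Constructed sample mirroring the "Before" scan of debian-base:bullseye-v1.0.0
# (4 MEDIUM krb5 findings for one CVE, plus one CRITICAL and one HIGH in libssl1.1).
BEFORE_REPORT = json.dumps({
    "SchemaVersion": 2,
    "ArtifactName": "k8s.gcr.io/build-image/debian-base:bullseye-v1.0.0",
    "Results": [{
        "Target": "k8s.gcr.io/build-image/debian-base:bullseye-v1.0.0 (debian 11.0)",
        "Vulnerabilities": [
            {"VulnerabilityID": "CVE-2021-37750", "PkgName": pkg, "InstalledVersion": "1.18.3-6",
             "FixedVersion": "1.18.3-6+deb11u1", "Severity": "MEDIUM"}
            for pkg in ("libgssapi-krb5-2", "libk5crypto3", "libkrb5-3", "libkrb5support0")
        ] + [
            {"VulnerabilityID": "CVE-2021-3711", "PkgName": "libssl1.1", "InstalledVersion": "1.1.1k-1",
             "FixedVersion": "1.1.1k-1+deb11u1", "Severity": "CRITICAL"},
            {"VulnerabilityID": "CVE-2021-3712", "PkgName": "libssl1.1", "InstalledVersion": "1.1.1k-1",
             "FixedVersion": "1.1.1k-1+deb11u1", "Severity": "HIGH"},
        ],
    }],
})

# Constructed sample mirroring the clean "After" scan of bullseye-v1.1.0.
AFTER_REPORT = json.dumps({
    "SchemaVersion": 2,
    "ArtifactName": "gcr.io/k8s-staging-releng-test/debian-base:bullseye-v1.1.0",
    "Results": [{
        "Target": "gcr.io/k8s-staging-releng-test/debian-base:bullseye-v1.1.0 (debian 11.1)",
        "Vulnerabilities": [],
    }],
})


def findings(report_json: str) -> list:
    """Flatten every Result's Vulnerabilities list into one list of findings."""
    report = json.loads(report_json)
    out = []
    for result in report.get("Results") or []:
        out.extend(result.get("Vulnerabilities") or [])
    return out


def severity_counts(report_json: str) -> dict:
    """Per-severity totals, matching the `Total: N (...)` summary line Trivy prints."""
    counts = Counter(f.get("Severity", "UNKNOWN") for f in findings(report_json))
    return {sev: counts.get(sev, 0) for sev in SEVERITY_ORDER}


def gate(report_json: str, threshold: str = "HIGH") -> tuple:
    """Return (passed, blocking_findings); fails on any finding at or above threshold.

    Only findings with a FixedVersion block the gate: those are the ones a
    rebuild against newer packages can actually remove, which is also why the
    scans above were run with --ignore-unfixed.
    """
    floor = SEVERITY_ORDER.index(threshold)
    seen = set()
    blocking = []
    for f in findings(report_json):
        if not f.get("FixedVersion"):
            continue
        if SEVERITY_ORDER.index(f.get("Severity", "UNKNOWN")) < floor:
            continue
        # One line per (CVE, package): the same CVE across sub-packages is a single fix.
        key = (f["VulnerabilityID"], f["PkgName"])
        if key not in seen:
            seen.add(key)
            blocking.append(f)
    return (not blocking, blocking)


if __name__ == "__main__":
    for name, report in (("before", BEFORE_REPORT), ("after", AFTER_REPORT)):
        passed, blocking = gate(report)
        print(f"{name}: {severity_counts(report)} -> {'PASS' if passed else 'FAIL'}")
        for f in blocking:
            print(f"  {f['VulnerabilityID']} {f['PkgName']} {f['InstalledVersion']} -> {f['FixedVersion']}")
```

Run against the "before" report the gate fails on the two libssl1.1 findings while the four MEDIUM krb5 findings are counted but do not block; against the "after" report it passes. Lowering `threshold` to `"MEDIUM"` would make the gate block on the krb5 CVE as well, which is the stricter policy a base image that other images inherit from usually warrants.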

@k8s-ci-robot k8s-ci-robot removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Dec 17, 2021
@k8s-ci-robot k8s-ci-robot merged commit 7ab3d8e into kubernetes:master Dec 17, 2021
@justaugustus
Member Author

Promotion PR: kubernetes/k8s.io#3212

@justaugustus
Member Author

> ...so let's get those patched!
> /hold for checking vulns on debian-base images
> cc: @hexfusion @mrueg

Closing the loop with etcd-io/etcd#13546.
