Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Updated KUBECTL_VERSION to 1.31.0 for fixing vulnerabilities #1690

Open
wants to merge 10 commits into
base: main
Choose a base branch
from
Open

Updated KUBECTL_VERSION to 1.31.0 for fixing vulnerabilities #1690

wants to merge 10 commits into from
+1 −1

Conversation

jdesouza
Copy link

@jdesouza jdesouza commented Sep 25, 2024
edited
Loading

usr/local/bin/kubectl (gobinary)

Total: 3 (HIGH: 2, CRITICAL: 1)

┌─────────┬────────────────┬──────────┬────────┬───────────────────┬─────────────────┬────────────────────────────────────────────────────────────┐
│ Library │ Vulnerability │ Severity │ Status │ Installed Version │ Fixed Version │ Title │
├─────────┼────────────────┼──────────┼────────┼───────────────────┼─────────────────┼────────────────────────────────────────────────────────────┤
│ stdlib │ CVE-2024-24790 │ CRITICAL │ fixed │ 1.21.7 │ 1.21.11, 1.22.4 │ golang: net/netip: Unexpected behavior from Is methods for │
│ │ │ │ │ │ │ IPv4-mapped IPv6 addresses │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2024-24790
│ ├────────────────┼──────────┤ │ ├─────────────────┼────────────────────────────────────────────────────────────┤
│ │ CVE-2023-45288 │ HIGH │ │ │ 1.21.9, 1.22.2 │ golang: net/http, x/net/http2: unlimited number of │
│ │ │ │ │ │ │ CONTINUATION frames causes DoS │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2023-45288
│ ├────────────────┤ │ │ ├─────────────────┼────────────────────────────────────────────────────────────┤
│ │ CVE-2024-34156 │ │ │ │ 1.22.7, 1.23.1 │ encoding/gob: golang: Calling Decoder.Decode on a message │
│ │ │ │ │ │ │ which contains deeply nested structures... │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2024-34156
└─────────┴────────────────┴──────────┴────────┴───────────────────┴─────────────────┴────────────────────────────────────────────────────────────┘

@jdesouza jdesouza changed the title Bumped Go to 1.22.7 for fixing Critical/High vulberabilities Bumped Go to 1.22.7 for fixing High vulberability Sep 25, 2024
@jdesouza jdesouza changed the title Bumped Go to 1.22.7 for fixing High vulberability Bumped Go to 1.22.7 for fixing High vulnerability Sep 25, 2024
@mozillazg
Copy link
Collaborator

@jdesouza Thanks for your contribution! It looks like this issue was fixed via #1687

@jdesouza
Copy link
Author

Looks good although a kubectl vulnerability is likely to remain

@mozillazg
Copy link
Collaborator

Looks good although a kubectl vulnerability is likely to remain

@jdesouza Could you please update this PR to upgrade only the kubectl version? Thanks!

@jdesouza
Copy link
Author

Looks good although a kubectl vulnerability is likely to remain

@jdesouza Could you please update this PR to upgrade only the kubectl version? Thanks!

WDYT now?

afdesk
afdesk approved these changes Oct 1, 2024
View reviewed changes
Copy link
Collaborator

@afdesk afdesk left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM! Thanks!

@mozillazg wdyt?

mozillazg
mozillazg reviewed Oct 1, 2024
View reviewed changes
go.mod Outdated
@@ -1,6 +1,6 @@
module github.com/aquasecurity/kube-bench

go 1.22
go 1.22.7
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

IMHO, we should avoid updating this version in the go.mod file. This change will force all developers (including kube-bench maintainers and downstream project developers) to download go >=1.22.7.

@afdesk wdyt?

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@mozillazg I definitely agree with you!
my point was that we already use Go 1.22.7 for building in pipelines.

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the review! Just reverted the go change. Now we have just the kubectl update

@afdesk
Copy link
Collaborator

afdesk commented Oct 3, 2024

Alpine version was alredy bumped via #1676

@jdesouza jdesouza changed the title Bumped Go to 1.22.7 for fixing High vulnerability Updated KUBECTL_VERSION to 1.31.0 for fixing vulnerabilities Oct 3, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@mozillazg mozillazg mozillazg left review comments

@afdesk afdesk afdesk approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@jdesouza @mozillazg @afdesk