chore(deps): bump docker from 26.1.5 to 27.1.1
#13524
Conversation
Signed-off-by: shuangkun <[email protected]>
agilgur5
changed the title
docker to 27.1.1 to fix CVE
agilgur5
changed the title
docker to 27.1.1 to fix CVEdocker from 26.1.5 to 27.1.1 to fix CVE
There was a problem hiding this comment.
Fix cve CVE-2024-41110 https://nvd.nist.gov/vuln/detail/CVE-2024-41110
Huh I thought this was already fixed in #13416 per #13416 (comment) (and one more patch version bump in #13446)
Dependabot and Snyk aren't currently alerting on it either.
Looking at the CVE, the current version we're on, 26.1.5, does contain the fix already. So moving to 27.1.1 doesn't add the fix, it's just a pure dep upgrade.
Also the CVE does not impact our usage, per my above linked comment
agilgur5
added
type/dependencies
agilgur5
changed the title
docker from 26.1.5 to 27.1.1 to fix CVEdocker from 26.1.5 to 27.1.1
|
Oh, you are right. |
There was a problem hiding this comment.
Where do you see the CVE alert? The latest Snyk build succeeds on master branch https://github.com/argoproj/argo-workflows/actions/runs/10612060725/job/29412929113
I wrote this above as well. My guess is @shuangkun might have seen it in an image scan or something, because v3.5.10 has 26.1.4 as #13446 has yet to make it into a release. This upgrade is still good to have I suppose, it's just not a dep CVE fix |
I see in 3.5.10 release. |
|
#13446 will be out in 3.5.11 |
Fix cve CVE-2024-41110 https://nvd.nist.gov/vuln/detail/CVE-2024-41110
Motivation
Modifications
Verification