
Dependencies/Fix High Severity Vulnerability CVE-2023-44487 Found in the latest image 8.5.11 #271

Conversation

mlajkim
Contributor

@mlajkim mlajkim commented Dec 9, 2024

Background

(screenshot)
#270

What's done?

  • Confirmed that the following versions of k8s.io have vulnerabilities:
    • v0.30.7
    • v0.31.0
  • Upgrade k8s.io to vulnerability-free version v0.31.3 from v0.23.17
  • Confirmed that k8s.io v0.31 requires go version 1.23 or higher
  • Upgrade go version to 1.23 from 1.18
  • Checked that the vulnerability is fixed as the following:
    • (screenshot)
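The checklist above boils down to two version floors in go.mod: no k8s.io/* requirement older than v0.31.3 and no go directive older than 1.23. As an added example (not code from this PR or from kube-mgmt), the following Go program audits a go.mod against those floors, taken from the PR description and assumed here as the bar; the go.mod it embeds is constructed for the example and is not the project's real file. It handles the cases a naive grep gets wrong: `// indirect` comments, single-line `require` statements, pre-release or `+incompatible` suffixes, and `replace`/`exclude` blocks that must not be mistaken for requirements.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Thresholds taken from the PR description (assumed here as the bar to check against).
const (
	MinK8sVersion = "v0.31.3"
	MinGoVersion  = "1.23"
)

// Finding is one go.mod entry still below the required version.
type Finding struct {
	Module, Version, Want string
}

// parseVersion turns "v0.31.3" or "1.23" into numeric components; a leading
// "v" and any pre-release/build suffix ("-rc.1", "+incompatible") are dropped.
func parseVersion(v string) []int {
	v = strings.TrimPrefix(v, "v")
	if i := strings.IndexAny(v, "-+"); i >= 0 {
		v = v[:i]
	}
	var parts []int
	for _, p := range strings.Split(v, ".") {
		n, _ := strconv.Atoi(p) // non-numeric component counts as 0
		parts = append(parts, n)
	}
	return parts
}

// VersionLess reports whether version a is strictly lower than b; a missing
// component is treated as 0, so "1.23" equals "1.23.0".
func VersionLess(a, b string) bool {
	pa, pb := parseVersion(a), parseVersion(b)
	for i := 0; i < len(pa) || i < len(pb); i++ {
		var x, y int
		if i < len(pa) {
			x = pa[i]
		}
		if i < len(pb) {
			y = pb[i]
		}
		if x != y {
			return x < y
		}
	}
	return false
}

// AuditGoMod scans go.mod text and returns the go directive if it is below
// MinGoVersion plus every k8s.io/* requirement below MinK8sVersion.
// Lines inside replace/exclude blocks are ignored.
func AuditGoMod(gomod string) []Finding {
	var findings []Finding
	block := "" // name of the parenthesised block we are inside, if any
	for _, raw := range strings.Split(gomod, "\n") {
		line := raw
		if i := strings.Index(line, "//"); i >= 0 { // strip "// indirect" etc.
			line = line[:i]
		}
		f := strings.Fields(line)
		switch {
		case len(f) == 0:
		case block == "" && f[0] == "go" && len(f) == 2:
			if VersionLess(f[1], MinGoVersion) {
				findings = append(findings, Finding{"go", f[1], MinGoVersion})
			}
		case block == "" && len(f) == 2 && f[1] == "(":
			block = f[0] // entering "require (", "replace (", ...
		case block != "" && f[0] == ")":
			block = ""
		case block == "require" || (block == "" && f[0] == "require"):
			if block == "" {
				f = f[1:] // single-line "require path vX.Y.Z"
			}
			if len(f) >= 2 && strings.HasPrefix(f[0], "k8s.io/") && VersionLess(f[1], MinK8sVersion) {
				findings = append(findings, Finding{f[0], f[1], MinK8sVersion})
			}
		}
	}
	return findings
}

// SampleBefore is a constructed go.mod modelled on the pre-fix state named in
// the PR (go 1.18, k8s.io v0.23.17); it is not the project's real file.
const SampleBefore = `module example.com/audit-demo

go 1.18

require (
	github.com/spf13/cobra v1.8.0
	k8s.io/api v0.23.17
	k8s.io/apimachinery v0.23.17
	k8s.io/client-go v0.23.17 // indirect
)
`

// SampleAfter is the same constructed file with the PR's upgrades applied.
var SampleAfter = strings.NewReplacer("go 1.18", "go 1.23", "v0.23.17", "v0.31.3").Replace(SampleBefore)

func main() {
	for _, f := range AuditGoMod(SampleBefore) {
		fmt.Printf("%s %s is below required %s\n", f.Module, f.Version, f.Want)
	}
	fmt.Printf("after upgrade: %d findings\n", len(AuditGoMod(SampleAfter)))
}
```

Against SampleBefore the audit reports the go directive and the three k8s.io modules; against SampleAfter it reports nothing. Note that the go directive is only a language-version floor for the module, not proof of which toolchain actually built the image, so this check complements rather than replaces running `govulncheck ./...` on the module tree and scanning the built image.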

@mlajkim mlajkim marked this pull request as draft December 9, 2024 00:30
@mlajkim mlajkim force-pushed the dependencies/fix-high-severity-vul-CVE-2023-44487 branch 3 times, most recently from a0ed622 to e443dd1 Compare December 11, 2024 02:16
@mlajkim
Contributor Author

mlajkim commented Dec 11, 2024

@eshepelyuk
We've found a vulnerability in the package and have fixed it in this PR. Could you please review it for us? Thank you.

@mlajkim mlajkim marked this pull request as ready for review December 11, 2024 02:33
Contributor

@eshepelyuk eshepelyuk left a comment


PR should be rebased into a single commit. Otherwise LGTM.

@mlajkim mlajkim force-pushed the dependencies/fix-high-severity-vul-CVE-2023-44487 branch from e443dd1 to 818f2d0 Compare December 12, 2024 00:12
@mlajkim
Contributor Author

mlajkim commented Dec 12, 2024

> PR should be rebased into a single commit. Otherwise LGTM.

@eshepelyuk
Take a look if it is handled! Thanks.

@eshepelyuk
Contributor

> > PR should be rebased into a single commit. Otherwise LGTM.
>
> @eshepelyuk
> Take a look if it is handled! Thanks.

Yes, but leave a proper commit message.
"fix vul" is not acceptable.

Signed-off-by: Jeongwoo Kim - jekim <jekim@lycorp.co.jp>
@mlajkim mlajkim force-pushed the dependencies/fix-high-severity-vul-CVE-2023-44487 branch from 818f2d0 to a2cf801 Compare December 12, 2024 00:57
@mlajkim
Contributor Author

mlajkim commented Dec 12, 2024

@eshepelyuk take a look once again.

@eshepelyuk eshepelyuk merged commit ae2e69d into open-policy-agent:master Dec 12, 2024
2 checks passed
@eshepelyuk
Contributor

Thanks
will be available in https://github.com/open-policy-agent/kube-mgmt/releases/tag/8.5.12

@mlajkim mlajkim deleted the dependencies/fix-high-severity-vul-CVE-2023-44487 branch December 12, 2024 01:50