
Critical known CVEs found in latest release - v3.2.4 #3116

Open
TueDissingWork opened this issue Jan 10, 2025 · 2 comments
Labels
bug Something isn't working triage Add this label to issues that should be triaged and prioritized in the next planning call unconfirmed

Comments


TueDissingWork commented Jan 10, 2025

Kairos version:

PRETTY_NAME="Ubuntu 24.04.1 LTS"
NAME="Ubuntu"
VERSION_ID="24.04"
VERSION="24.04.1 LTS (Noble Numbat)"
VERSION_CODENAME=noble
ID=ubuntu
ID_LIKE=debian
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
UBUNTU_CODENAME=noble
LOGO=ubuntu-logo
KAIROS_NAME="kairos-standard-ubuntu-24.04"
KAIROS_ID_LIKE="kairos-standard-ubuntu-24.04"
KAIROS_VERSION_ID="v3.2.4"
KAIROS_PRETTY_NAME="kairos-standard-ubuntu-24.04 v3.2.4"
KAIROS_IMAGE_REPO="quay.io/kairos/ubuntu:24.04-standard-amd64-generic-v3.2.4"
KAIROS_BUG_REPORT_URL="https://github.com/kairos-io/kairos/issues"
KAIROS_SOFTWARE_VERSION_PREFIX="k3s"
KAIROS_IMAGE_LABEL="24.04-standard-amd64-generic-v3.2.4"
KAIROS_ARTIFACT="kairos-ubuntu-24.04-standard-amd64-generic-v3.2.4"
KAIROS_FLAVOR="ubuntu"
KAIROS_MODEL="generic"
KAIROS_HOME_URL="https://github.com/kairos-io/kairos"
KAIROS_GITHUB_REPO="kairos-io/kairos"
KAIROS_VERSION="v3.2.4"
KAIROS_FLAVOR_RELEASE="24.04"
KAIROS_RELEASE="v3.2.4"
KAIROS_ID="kairos"
KAIROS_FAMILY="ubuntu"
KAIROS_VARIANT="standard"
KAIROS_TARGETARCH="amd64"
KAIROS_REGISTRY_AND_ORG="quay.io/kairos"

CPU architecture, OS, and Version:

Describe the bug

Scanning the latest v3.2.4 UKI docker image, we found these critical and high CVEs:

- go-git
- Golang x/crypto/ssh
- Golang x/net
- Kernel related

To Reproduce

Scan the kairos/ubuntu:24.04-standard-amd64-generic-v3.2.4-uki image with Trivy or XRay

Expected behavior

No critical CVEs and hopefully no high ones either

Logs

Additional context

jimmykarily (Contributor) commented:

Those came out after our previous release was cut. We are preparing a new release soon: #2127 . Thanks for reporting these.

Also fyi: https://kairos.io/docs/reference/image_matrix/#versioning-policy

TueDissingWork (Author) commented:

> Those came out after our previous release was cut. We are preparing a new release soon: #2127 . Thanks for reporting these.
>
> Also fyi: https://kairos.io/docs/reference/image_matrix/#versioning-policy

Yes, I am aware that these are rather new CVEs - I couldn't easily find a way to solve them myself, so I reported them here instead.
However, it seems that all of them have been addressed and should be relatively easy to mitigate -> update the affected dependencies.

Not sure how to control dependencies - happy to test various changes, but not sure how.
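The triage step both comments circle around (run the scanner, keep the critical/high findings, then work out whether each one is cleared by bumping a Go module in the affected binary or by taking a newer base-image package such as the kernel) can be scripted over Trivy's JSON output. The following is an added example and not code from the Kairos project or from either commenter. It assumes the report has the `Results[].Target/Type/Vulnerabilities[]` shape that `trivy image --format json` emits; the embedded report is constructed for the example, and its CVE IDs, versions and binary path are placeholders rather than real advisories.

```python
"""Triage a Trivy JSON image-scan report: keep only CRITICAL/HIGH findings,
flatten them per scanned target and package, and derive a remediation hint
for each (Go module bump vs. OS package / kernel update)."""
import json
from collections import Counter

# Constructed sample report in the shape of `trivy image --format json`
# (Results[] with Target, Type and Vulnerabilities[]). The CVE IDs, package
# versions and the binary path are placeholders, not real advisories or paths.
SAMPLE_REPORT = json.dumps({
    "ArtifactName": "quay.io/kairos/ubuntu:24.04-standard-amd64-generic-v3.2.4-uki",
    "Results": [
        {
            "Target": "usr/bin/example-go-binary",   # placeholder Go binary
            "Type": "gobinary",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-EXAMPLE-0001",
                 "PkgName": "github.com/go-git/go-git/v5",
                 "InstalledVersion": "v5.0.0-example",
                 "FixedVersion": "v5.0.1-example", "Severity": "CRITICAL"},
                {"VulnerabilityID": "CVE-EXAMPLE-0002",
                 "PkgName": "golang.org/x/crypto",
                 "InstalledVersion": "v0.1.0-example",
                 "FixedVersion": "v0.2.0-example", "Severity": "HIGH"},
                {"VulnerabilityID": "CVE-EXAMPLE-0003",
                 "PkgName": "golang.org/x/net",
                 "InstalledVersion": "v0.1.0-example",
                 "FixedVersion": "", "Severity": "MEDIUM"},
            ],
        },
        {
            "Target": "quay.io/kairos/ubuntu:24.04-standard-amd64-generic-v3.2.4-uki (ubuntu 24.04)",
            "Type": "ubuntu",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-EXAMPLE-0004",
                 "PkgName": "linux-image-generic",
                 "InstalledVersion": "1.0-example",
                 "FixedVersion": "1.1-example", "Severity": "HIGH"},
            ],
        },
    ],
})

GO_RESULT_TYPES = {"gobinary", "gomod"}   # Trivy result types for Go findings


def triage(report_json, severities=("CRITICAL", "HIGH")):
    """Return the findings at the given severities as flat dicts."""
    report = json.loads(report_json)
    findings = []
    for result in report.get("Results", []):
        # A result with no vulnerabilities may carry null instead of a list.
        for vuln in result.get("Vulnerabilities") or []:
            if vuln.get("Severity") not in severities:
                continue
            findings.append({
                "target": result.get("Target", ""),
                "type": result.get("Type", ""),
                "id": vuln.get("VulnerabilityID", ""),
                "pkg": vuln.get("PkgName", ""),
                "installed": vuln.get("InstalledVersion", ""),
                "fixed": vuln.get("FixedVersion", ""),
                "severity": vuln.get("Severity", ""),
            })
    return findings


def summarize(findings):
    """Count findings per severity, e.g. {'CRITICAL': 1, 'HIGH': 2}."""
    return dict(Counter(f["severity"] for f in findings))


def remediation(finding):
    """Derive the action that clears this finding from the scanned image."""
    if not finding["fixed"]:
        return f"no fixed version published for {finding['pkg']}; track the advisory"
    if finding["type"] in GO_RESULT_TYPES:
        # A Go module finding is cleared by bumping the module in the go.mod
        # of the binary that embeds it and rebuilding that binary.
        return (f"go get {finding['pkg']}@{finding['fixed']} && go mod tidy; "
                f"rebuild {finding['target']}")
    # OS packages (the kernel included) come from the base image.
    return (f"apt-get install --only-upgrade {finding['pkg']}={finding['fixed']} "
            f"or rebase on a base image that ships it")


def gate(findings, fail_on=("CRITICAL",)):
    """CI gate: True when no finding is at a blocking severity."""
    return not any(f["severity"] in fail_on for f in findings)


if __name__ == "__main__":
    found = triage(SAMPLE_REPORT)
    print(summarize(found))
    for f in found:
        print(f"{f['severity']:8} {f['id']} {f['pkg']} "
              f"{f['installed']} -> {f['fixed'] or 'unfixed'}")
        print(f"         {remediation(f)}")
    raise SystemExit(0 if gate(found) else 1)
```

Feeding a real `trivy image --format json` report into `triage` instead of `SAMPLE_REPORT` gives the per-binary list a maintainer needs: Go module findings name the binary whose go.mod has to be bumped, while kernel and other OS findings point at the base image the release was built from, which matches the split the original report describes. The `gate` exit code is what a release pipeline would use to enforce the "no critical CVEs" expectation.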

@jimmykarily jimmykarily moved this to In Progress 🏃 in 🧙Issue tracking board Jan 13, 2025