Vulnerabilities found in latest release #1742

Open
github-actions bot opened this issue Dec 2, 2024 · 1 comment
Labels
release-vulnerabilities Issues for vulnerabilities in the latest release.

github-actions bot commented Dec 2, 2024

ghcr.io/shipwright-io/build/bundle:v0.14.0@sha256:d921fbbfd7d87bd43a5a3cecf9039c6a65306cf1ce9ee307c55ce522f7d86af2

OS vulnerabilities

| Vulnerability | Package | Severity | Version (installed -> fixed) |
| --- | --- | --- | --- |
| CVE-2024-3596 | krb5-libs | high | 1.21.1-2.el9_4 -> 1.21.1-4.el9_5 |
| CVE-2024-26462 | krb5-libs | medium | 1.21.1-2.el9_4 -> 1.21.1-3.el9 |
| CVE-2024-26458 | krb5-libs | low | 1.21.1-2.el9_4 -> 1.21.1-3.el9 |
| CVE-2024-26461 | krb5-libs | low | 1.21.1-2.el9_4 -> 1.21.1-3.el9 |
| CVE-2024-2236 | libgcrypt | medium | 1.10.0-10.el9_2 -> 1.10.0-11.el9 |
| CVE-2024-2511 | openssl-libs | low | 1:3.0.7-28.el9_4 -> 1:3.2.2-6.el9_5 |
| CVE-2024-4603 | openssl-libs | low | 1:3.0.7-28.el9_4 -> 1:3.2.2-6.el9_5 |
| CVE-2024-4741 | openssl-libs | low | 1:3.0.7-28.el9_4 -> 1:3.2.2-6.el9_5 |
| CVE-2024-5535 | openssl-libs | low | 1:3.0.7-28.el9_4 -> 1:3.2.2-6.el9_5 |

Go vulnerabilities

| Vulnerability | Package | Version (installed -> fixed) |
| --- | --- | --- |
| GO-2024-3333 | golang.org/x/net | v0.30.0 -> v0.33.0 |

ghcr.io/shipwright-io/build/git:v0.14.0@sha256:81a8c0572364836b7f4728cfcb10a93326b06c9ae45bb57e56eec6e80469dd63

OS vulnerabilities

| Vulnerability | Package | Severity | Version (installed -> fixed) |
| --- | --- | --- | --- |
| CVE-2024-50602 | expat | medium | 2.5.0-2.el9_4.1 -> 2.5.0-3.el9_5.1 |
| CVE-2024-3596 | krb5-libs | high | 1.21.1-2.el9_4 -> 1.21.1-4.el9_5 |
| CVE-2024-26462 | krb5-libs | medium | 1.21.1-2.el9_4 -> 1.21.1-3.el9 |
| CVE-2024-26458 | krb5-libs | low | 1.21.1-2.el9_4 -> 1.21.1-3.el9 |
| CVE-2024-26461 | krb5-libs | low | 1.21.1-2.el9_4 -> 1.21.1-3.el9 |
| CVE-2024-2236 | libgcrypt | medium | 1.10.0-10.el9_2 -> 1.10.0-11.el9 |
| CVE-2024-2511 | openssl | low | 1:3.0.7-28.el9_4 -> 1:3.2.2-6.el9_5 |
| CVE-2024-4603 | openssl | low | 1:3.0.7-28.el9_4 -> 1:3.2.2-6.el9_5 |
| CVE-2024-4741 | openssl | low | 1:3.0.7-28.el9_4 -> 1:3.2.2-6.el9_5 |
| CVE-2024-5535 | openssl | low | 1:3.0.7-28.el9_4 -> 1:3.2.2-6.el9_5 |
| CVE-2024-2511 | openssl-libs | low | 1:3.0.7-28.el9_4 -> 1:3.2.2-6.el9_5 |
| CVE-2024-4603 | openssl-libs | low | 1:3.0.7-28.el9_4 -> 1:3.2.2-6.el9_5 |
| CVE-2024-4741 | openssl-libs | low | 1:3.0.7-28.el9_4 -> 1:3.2.2-6.el9_5 |
| CVE-2024-5535 | openssl-libs | low | 1:3.0.7-28.el9_4 -> 1:3.2.2-6.el9_5 |
| CVE-2024-10963 | pam | high | 1.5.1-19.el9 -> 1.5.1-22.el9_5 |
| CVE-2024-10041 | pam | medium | 1.5.1-19.el9 -> 1.5.1-21.el9_5 |

Go vulnerabilities

| Vulnerability | Package | Version (installed -> fixed) |
| --- | --- | --- |
| GO-2024-3321 | golang.org/x/crypto | v0.28.0 -> v0.31.0 |
| GO-2024-3333 | golang.org/x/net | v0.30.0 -> v0.33.0 |

ghcr.io/shipwright-io/build/image-processing:v0.14.0@sha256:6532c8a246b3b9f433f758627230d62eb624baf58e309fbe106840209ed4c9b9

OS vulnerabilities

| Vulnerability | Package | Severity | Version (installed -> fixed) |
| --- | --- | --- | --- |
| CVE-2024-3596 | krb5-libs | high | 1.21.1-2.el9_4 -> 1.21.1-4.el9_5 |
| CVE-2024-26462 | krb5-libs | medium | 1.21.1-2.el9_4 -> 1.21.1-3.el9 |
| CVE-2024-26458 | krb5-libs | low | 1.21.1-2.el9_4 -> 1.21.1-3.el9 |
| CVE-2024-26461 | krb5-libs | low | 1.21.1-2.el9_4 -> 1.21.1-3.el9 |
| CVE-2024-2236 | libgcrypt | medium | 1.10.0-10.el9_2 -> 1.10.0-11.el9 |
| CVE-2024-2511 | openssl-libs | low | 1:3.0.7-28.el9_4 -> 1:3.2.2-6.el9_5 |
| CVE-2024-4603 | openssl-libs | low | 1:3.0.7-28.el9_4 -> 1:3.2.2-6.el9_5 |
| CVE-2024-4741 | openssl-libs | low | 1:3.0.7-28.el9_4 -> 1:3.2.2-6.el9_5 |
| CVE-2024-5535 | openssl-libs | low | 1:3.0.7-28.el9_4 -> 1:3.2.2-6.el9_5 |

Go vulnerabilities

| Vulnerability | Package | Version (installed -> fixed) |
| --- | --- | --- |
| GO-2024-3333 | golang.org/x/net | v0.30.0 -> v0.33.0 |

ghcr.io/shipwright-io/build/shipwright-build-controller:v0.14.0@sha256:f38b9266889be7e81a5f66d371da39506071719217207718b56c1297589f6a4f

OS vulnerabilities

| Vulnerability | Package | Severity | Version (installed -> fixed) |
| --- | --- | --- | --- |
| CVE-2024-3596 | krb5-libs | high | 1.21.1-2.el9_4 -> 1.21.1-4.el9_5 |
| CVE-2024-26462 | krb5-libs | medium | 1.21.1-2.el9_4 -> 1.21.1-3.el9 |
| CVE-2024-26458 | krb5-libs | low | 1.21.1-2.el9_4 -> 1.21.1-3.el9 |
| CVE-2024-26461 | krb5-libs | low | 1.21.1-2.el9_4 -> 1.21.1-3.el9 |
| CVE-2024-2236 | libgcrypt | medium | 1.10.0-10.el9_2 -> 1.10.0-11.el9 |
| CVE-2024-2511 | openssl-libs | low | 1:3.0.7-28.el9_4 -> 1:3.2.2-6.el9_5 |
| CVE-2024-4603 | openssl-libs | low | 1:3.0.7-28.el9_4 -> 1:3.2.2-6.el9_5 |
| CVE-2024-4741 | openssl-libs | low | 1:3.0.7-28.el9_4 -> 1:3.2.2-6.el9_5 |
| CVE-2024-5535 | openssl-libs | low | 1:3.0.7-28.el9_4 -> 1:3.2.2-6.el9_5 |

Go vulnerabilities

| Vulnerability | Package | Version (installed -> fixed) |
| --- | --- | --- |
| GO-2024-3321 | golang.org/x/crypto | v0.28.0 -> v0.31.0 |
| GO-2024-3333 | golang.org/x/net | v0.30.0 -> v0.33.0 |

ghcr.io/shipwright-io/build/shipwright-build-webhook:v0.14.0@sha256:aa7bd77d7884efb03bbbecbc249f92fcbcf85c1150ce11cae4eb751457a3cbb6

OS vulnerabilities

| Vulnerability | Package | Severity | Version (installed -> fixed) |
| --- | --- | --- | --- |
| CVE-2024-3596 | krb5-libs | high | 1.21.1-2.el9_4 -> 1.21.1-4.el9_5 |
| CVE-2024-26462 | krb5-libs | medium | 1.21.1-2.el9_4 -> 1.21.1-3.el9 |
| CVE-2024-26458 | krb5-libs | low | 1.21.1-2.el9_4 -> 1.21.1-3.el9 |
| CVE-2024-26461 | krb5-libs | low | 1.21.1-2.el9_4 -> 1.21.1-3.el9 |
| CVE-2024-2236 | libgcrypt | medium | 1.10.0-10.el9_2 -> 1.10.0-11.el9 |
| CVE-2024-2511 | openssl-libs | low | 1:3.0.7-28.el9_4 -> 1:3.2.2-6.el9_5 |
| CVE-2024-4603 | openssl-libs | low | 1:3.0.7-28.el9_4 -> 1:3.2.2-6.el9_5 |
| CVE-2024-4741 | openssl-libs | low | 1:3.0.7-28.el9_4 -> 1:3.2.2-6.el9_5 |
| CVE-2024-5535 | openssl-libs | low | 1:3.0.7-28.el9_4 -> 1:3.2.2-6.el9_5 |

Go vulnerabilities

| Vulnerability | Package | Version (installed -> fixed) |
| --- | --- | --- |
| GO-2024-3333 | golang.org/x/net | v0.30.0 -> v0.33.0 |

ghcr.io/shipwright-io/build/waiter:v0.14.0@sha256:4e9c45f8ebd723a07ceef9c6bc3b8727a0fd8149de7bee60d6ebae634bfedec9

OS vulnerabilities

| Vulnerability | Package | Severity | Version (installed -> fixed) |
| --- | --- | --- | --- |
| CVE-2024-3596 | krb5-libs | high | 1.21.1-2.el9_4 -> 1.21.1-4.el9_5 |
| CVE-2024-26462 | krb5-libs | medium | 1.21.1-2.el9_4 -> 1.21.1-3.el9 |
| CVE-2024-26458 | krb5-libs | low | 1.21.1-2.el9_4 -> 1.21.1-3.el9 |
| CVE-2024-26461 | krb5-libs | low | 1.21.1-2.el9_4 -> 1.21.1-3.el9 |
| CVE-2024-2236 | libgcrypt | medium | 1.10.0-10.el9_2 -> 1.10.0-11.el9 |
| CVE-2024-2511 | openssl-libs | low | 1:3.0.7-28.el9_4 -> 1:3.2.2-6.el9_5 |
| CVE-2024-4603 | openssl-libs | low | 1:3.0.7-28.el9_4 -> 1:3.2.2-6.el9_5 |
| CVE-2024-4741 | openssl-libs | low | 1:3.0.7-28.el9_4 -> 1:3.2.2-6.el9_5 |
| CVE-2024-5535 | openssl-libs | low | 1:3.0.7-28.el9_4 -> 1:3.2.2-6.el9_5 |

Go vulnerabilities

No vulnerabilities found.

@github-actions github-actions bot added the release-vulnerabilities Issues for vulnerabilities in the latest release. label Dec 2, 2024
@adambkaplan (Member) commented:
Most of these are RHEL packages in the base image. We also have a golang dependency (golang.org/x/crypto) with a "high" severity grade CVE (backport PR #1755). I think it is worth issuing a v0.14.1 release once the golang patch merges.
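Turning the bot's report into a release decision, as an added example that is not Shipwright's or the bot's own code: the program below parses the flattened tables above, tags every row with the digest-pinned image it was found in (rejecting image lines without a full sha256 digest, since a finding is only meaningful against the exact artifact that was scanned), keeps for each package the highest fixed version (the one that closes every listed advisory at once), and separates the two kinds of fix: Go-module rows, which a go.mod bump in this repository closes, and RHEL package rows, which only a rebuilt base image closes. The sample input is an excerpt of the tables on this issue. `VerCmp` is a simplified rpmvercmp written for this example (digit runs compared numerically, letter runs lexically, no tilde or caret handling) and is an assumption, not the scanner's own version comparison.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// Finding is one table row from the bot's report. Go rows carry no severity.
type Finding struct{ Image, ID, Package, Severity, Current, Fixed string }

var (
	// An image line must carry a full 64-hex-digit sha256 digest to be accepted.
	imageRe = regexp.MustCompile(`^(ghcr\.io/\S+@sha256:[0-9a-f]{64})$`)
	osRowRe = regexp.MustCompile(`^(CVE-\d{4}-\d+)\s+(\S+)\s+(low|medium|high|critical)\s+(\S+)\s+->\s+(\S+)$`)
	goRowRe = regexp.MustCompile(`^(GO-\d{4}-\d+)\s+(\S+)\s+(\S+)\s+->\s+(\S+)$`)
	segRe   = regexp.MustCompile(`[0-9]+|[a-zA-Z]+`)
)

// sampleReport is an excerpt of the tables on this issue (two images, a subset
// of rows), inlined so the program runs offline.
const sampleReport = `
ghcr.io/shipwright-io/build/git:v0.14.0@sha256:81a8c0572364836b7f4728cfcb10a93326b06c9ae45bb57e56eec6e80469dd63
CVE-2024-3596 krb5-libs high 1.21.1-2.el9_4 -> 1.21.1-4.el9_5
CVE-2024-26462 krb5-libs medium 1.21.1-2.el9_4 -> 1.21.1-3.el9
CVE-2024-2511 openssl-libs low 1:3.0.7-28.el9_4 -> 1:3.2.2-6.el9_5
CVE-2024-10963 pam high 1.5.1-19.el9 -> 1.5.1-22.el9_5
GO-2024-3321 golang.org/x/crypto v0.28.0 -> v0.31.0
GO-2024-3333 golang.org/x/net v0.30.0 -> v0.33.0
ghcr.io/shipwright-io/build/waiter:v0.14.0@sha256:4e9c45f8ebd723a07ceef9c6bc3b8727a0fd8149de7bee60d6ebae634bfedec9
CVE-2024-3596 krb5-libs high 1.21.1-2.el9_4 -> 1.21.1-4.el9_5
`

// ParseReport turns the flattened report text into findings tagged with the
// digest-pinned image they belong to. Lines matching nothing are skipped.
func ParseReport(report string) []Finding {
	var out []Finding
	image := ""
	for _, line := range strings.Split(report, "\n") {
		line = strings.TrimSpace(line)
		if m := imageRe.FindStringSubmatch(line); m != nil {
			image = m[1]
		} else if m := osRowRe.FindStringSubmatch(line); m != nil {
			out = append(out, Finding{image, m[1], m[2], m[3], m[4], m[5]})
		} else if m := goRowRe.FindStringSubmatch(line); m != nil {
			out = append(out, Finding{image, m[1], m[2], "", m[3], m[4]})
		}
	}
	return out
}

// VerCmp orders two versions: negative if a < b, zero if equal, positive if
// a > b. Simplified rpmvercmp (an assumption of this example, not the scanner's
// comparison) that also orders "vX.Y.Z" Go tags such as v0.30.0 < v0.33.0.
func VerCmp(a, b string) int {
	sa, sb := segRe.FindAllString(a, -1), segRe.FindAllString(b, -1)
	for i := 0; i < len(sa) && i < len(sb); i++ {
		x, y := sa[i], sb[i]
		xd, yd := x[0] <= '9', y[0] <= '9' // each run is all digits or all letters
		xn, _ := strconv.Atoi(x)           // 0 for a letter run; xd says which it is
		yn, _ := strconv.Atoi(y)
		switch {
		case xd && yd && xn != yn:
			return xn - yn
		case xd != yd: // rpmvercmp ranks a digit run above a letter run
			if xd {
				return 1
			}
			return -1
		case !xd && !yd && x != y:
			return strings.Compare(x, y)
		}
	}
	return len(sa) - len(sb) // equal prefix: the version with more segments is newer
}

// Triage splits findings by who can close them: Go rows are fixed by a go.mod
// bump the project controls, OS rows only by a rebuilt base image. Per package
// it keeps the highest fixed version, the one that closes every listed advisory.
func Triage(findings []Finding) (goBumps, osUpdates map[string]string) {
	goBumps, osUpdates = map[string]string{}, map[string]string{}
	for _, f := range findings {
		target := osUpdates
		if strings.HasPrefix(f.ID, "GO-") {
			target = goBumps
		}
		if cur, ok := target[f.Package]; !ok || VerCmp(cur, f.Fixed) < 0 {
			target[f.Package] = f.Fixed
		}
	}
	return goBumps, osUpdates
}

func main() {
	goBumps, osUpdates := Triage(ParseReport(sampleReport))
	fmt.Println("go.mod bumps (patch release candidate):", goBumps)
	fmt.Println("base-image package updates:", osUpdates)
}
```

Run against the full report, `goBumps` is the list to reconcile with a backport before cutting a patch release, while `osUpdates` is only closed by a newer base image; a row whose image line carries no full digest is dropped rather than guessed at, because the tag alone does not identify what was scanned.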
