Open ssl CVE present in node cache 1.22.20 about dns HOT 11 CLOSED

Thanks for sharing providing these images.
For the distroless-iptables, gcr.io/gke-release/distroless-iptables:v0.2.4-gke.7 does not have any critical/high/medium CVEs, but does has low CVEs.

For the base image, gcr.io/distroless/base-debian11@sha256:73deaaf6a207c1a33850257ba74e0f196bc418636cada9943a03d7abea980d6d has some low CVEs, but the one already checked in the code(gcr.io/distroless/static-debian11@sha256:7198a357ff3a8ef750b041324873960cf2153c11cc50abb9d8d5f8bb089f6b4e) has 0 CVEs(no low as well).

I will only update the distroless-iptables.

from dns.

I've pushed the tag, we will promote the images to the k8s registry today-tomorrow.

from dns.

Thanks,

There are already newer images. Could you check 1.22.21?
There's also 1.22.22 tag, but it's not promoted so the image is not yet in the registry.

from dns.

1.22.21 also has the same CVE's mentioned. Like you mentioned 1.22.22 is not accessible.

I doubt that 1.22.22 doesn't have the CVE because the base images that are used to build(gcr.io/gke-release/distroless-iptables:v0.2.4-gke.2@sha256:de81db8d3d8d61fcc13bae7b8d4b1ca1248f8e88356e500e7cd9f3f9a1d35cf4 and gcr.io/distroless/static-debian11@sha256:7198a357ff3a8ef750b041324873960cf2153c11cc50abb9d8d5f8bb089f6b4e) have the CVEs in them.
https://github.com/kubernetes/dns/blob/1.22.22/rules.mk#LL34C14-L34C119

If you could provide me the newer base images that I can use, I would be happy to contribute. I am unable to list latest tags.

from dns.

Hmm, does the static-debian has the vulnerability? AFAIK it should have no ssl libs.
Could you check the latest image?
gcr.io/distroless/static-debian11@sha256:7198a357ff3a8ef750b041324873960cf2153c11cc50abb9d8d5f8bb089f6b4e

Maybe base-debian is affected? As it should have the ssl libs.

As for the distroless-iptables let me ask, maybe there's soon a fixed version be released.

And thanks for the report!

from dns.

My bad, yes, gcr.io/distroless/static-debian11@sha256:7198a357ff3a8ef750b041324873960cf2153c11cc50abb9d8d5f8bb089f6b4e is green(0 known CVE), only the ditsroless-iptables requires update.

What open sourced repo is distroless-iptables part of?

from dns.

I've checked with the maintainers of the image. gcr.io/gke-release/distroless-iptables:v0.2.4-gke.7 has the fix already.

@i5haan could you help to check if the base-debian is affected?

And then to make a PR for both images (or only one if needed)? I'd approve and release a new tag.

Thanks!

from dns.

Latest base-debian is: gcr.io/distroless/base-debian11@sha256:73deaaf6a207c1a33850257ba74e0f196bc418636cada9943a03d7abea980d6d

from dns.

I'm just thinking, if we're updating distroless-iptables, then updating the base-debian to the latest won't hurt as well.

Could you please include the

Uploaded Jun 17, 2023, 2:19:59 PM
gcr.io/distroless/base-debian11@sha256:73deaaf6a207c1a33850257ba74e0f196bc418636cada9943a03d7abea980d6d

at

from dns.

Oh, wait, the hash is the same for the base-debian. Yep, only distroless-iptables are for the update.

from dns.

Thanks for the approval! After the commit, when does it get released?

from dns.