Fixable security vulnerabilities in 2.50.0 #931

Open
sachams opened this issue Oct 5, 2024 · 7 comments
Comments

@sachams
sachams commented Oct 5, 2024

Release 2.50.0 has a number of Critical and High security vulnerabilities that can be fixed. These are showing up in our vulnerability reporting. Can they be addressed?

Here is the report obtained by running:

grype gcr.io/endpoints-release/endpoints-runtime:2.50.0 --only-fixed

NAME                        INSTALLED  FIXED-IN    TYPE       VULNERABILITY        SEVERITY 
google.golang.org/protobuf  v1.30.0    1.33.0      go-module  GHSA-8r3f-844c-mc37  Medium    
libcrypto3                  3.1.6-r0   3.1.7-r0    apk        CVE-2024-6119        High      
libexpat                    2.6.2-r0   2.6.3-r0    apk        CVE-2024-45492       Critical  
libexpat                    2.6.2-r0   2.6.3-r0    apk        CVE-2024-45491       Critical  
libexpat                    2.6.2-r0   2.6.3-r0    apk        CVE-2024-45490       Critical  
libssl3                     3.1.6-r0   3.1.7-r0    apk        CVE-2024-6119        High      
openssl                     3.1.6-r0   3.1.7-r0    apk        CVE-2024-6119        High      
pip                         23.1.2     23.3        python     GHSA-mq26-g339-26xf  Medium    
python3                     3.11.8-r0  3.11.10-r0  apk        CVE-2024-7592        High      
python3                     3.11.8-r0  3.11.10-r0  apk        CVE-2024-6232        High      
python3                     3.11.8-r0  3.11.10-r0  apk        CVE-2024-4032        High      
python3                     3.11.8-r0  3.11.10-r0  apk        CVE-2024-6923        Medium    
python3                     3.11.8-r0  3.11.10-r0  apk        CVE-2023-27043       Medium    
python3                     3.11.8-r0  3.11.8-r1   apk        CVE-2024-8088        Unknown   
python3                     3.11.8-r0  3.11.10-r0  apk        CVE-2015-2104        Unknown   
python3-pyc                 3.11.8-r0  3.11.10-r0  apk        CVE-2024-7592        High      
python3-pyc                 3.11.8-r0  3.11.10-r0  apk        CVE-2024-6232        High      
python3-pyc                 3.11.8-r0  3.11.10-r0  apk        CVE-2024-4032        High      
python3-pyc                 3.11.8-r0  3.11.10-r0  apk        CVE-2024-6923        Medium    
python3-pyc                 3.11.8-r0  3.11.10-r0  apk        CVE-2023-27043       Medium    
python3-pyc                 3.11.8-r0  3.11.8-r1   apk        CVE-2024-8088        Unknown   
python3-pyc                 3.11.8-r0  3.11.10-r0  apk        CVE-2015-2104        Unknown   
python3-pycache-pyc0        3.11.8-r0  3.11.10-r0  apk        CVE-2024-7592        High      
python3-pycache-pyc0        3.11.8-r0  3.11.10-r0  apk        CVE-2024-6232        High      
python3-pycache-pyc0        3.11.8-r0  3.11.10-r0  apk        CVE-2024-4032        High      
python3-pycache-pyc0        3.11.8-r0  3.11.10-r0  apk        CVE-2024-6923        Medium    
python3-pycache-pyc0        3.11.8-r0  3.11.10-r0  apk        CVE-2023-27043       Medium    
python3-pycache-pyc0        3.11.8-r0  3.11.8-r1   apk        CVE-2024-8088        Unknown   
python3-pycache-pyc0        3.11.8-r0  3.11.10-r0  apk        CVE-2015-2104        Unknown
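One way to feed a report like the one above into vulnerability reporting, as an added example that is not code from the endpoints-runtime project or from the issue author: it parses grype's default table output, counts distinct IDs per severity (the same CVE repeats across python3, python3-pyc and python3-pycache-pyc0, so raw row counts overstate the exposure), and lists the Critical/High IDs with the packages that carry them. The sample rows are a constructed subset of the report; rows with severity Unknown are not gated unless passed in `fail_on`.

```python
"""Summarise a grype table report and pick out the findings that should block."""
import re
from collections import Counter

# Constructed sample: a subset of rows from the grype report in the issue.
SAMPLE_REPORT = """\
NAME                        INSTALLED  FIXED-IN    TYPE       VULNERABILITY        SEVERITY
google.golang.org/protobuf  v1.30.0    1.33.0      go-module  GHSA-8r3f-844c-mc37  Medium
libcrypto3                  3.1.6-r0   3.1.7-r0    apk        CVE-2024-6119        High
libexpat                    2.6.2-r0   2.6.3-r0    apk        CVE-2024-45492       Critical
libssl3                     3.1.6-r0   3.1.7-r0    apk        CVE-2024-6119        High
python3                     3.11.8-r0  3.11.8-r1   apk        CVE-2024-8088        Unknown
python3-pyc                 3.11.8-r0  3.11.8-r1   apk        CVE-2024-8088        Unknown
"""

COLUMNS = ("name", "installed", "fixed_in", "type", "vulnerability", "severity")
# grype pads columns with two or more spaces; a multi-version FIXED-IN cell
# such as "1.22.7, 1.23.1" only contains single spaces, so this split is safe.
SPLIT = re.compile(r"\s{2,}")


def parse_grype_table(text):
    """Return one dict per data row of grype's default table output."""
    rows = []
    for line in text.splitlines():
        line = line.rstrip()
        if not line or line.startswith("NAME"):
            continue  # blank line or column header
        fields = SPLIT.split(line)
        if len(fields) != len(COLUMNS):
            raise ValueError(f"unexpected grype row: {line!r}")
        rows.append(dict(zip(COLUMNS, fields)))
    return rows


def unique_by_severity(rows):
    """Count distinct vulnerability IDs per severity, de-duplicating package variants."""
    severity_of = {}
    for r in rows:
        severity_of.setdefault(r["vulnerability"], r["severity"])
    return Counter(severity_of.values())


def blocking_vulns(rows, fail_on=("Critical", "High")):
    """Map each gated vulnerability ID to the set of packages that carry it."""
    blocking = {}
    for r in rows:
        if r["severity"] in fail_on:
            blocking.setdefault(r["vulnerability"], set()).add(r["name"])
    return blocking
```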
@sachams
Author

sachams commented Oct 14, 2024

Any thoughts on this?

@gopkarthik
Contributor

Thanks for bringing this up! Updating dependencies should fix the critical vulnerabilities. We'll create a new minor release (2.51.0) addressing this.

@sachams
Author

sachams commented Nov 4, 2024

Hey @gopkarthik just checking in to see if you have had a chance to pick this up?

@sachams
Author

sachams commented Nov 17, 2024

Hi @gopkarthik any update? These critical vulnerabilities are being flagged in our vulnerability reporting and are now becoming a problem for us. I would be grateful if you can take a look.

@sachams
Author

sachams commented Dec 2, 2024

Hey @gopkarthik @paulhong01 any thoughts? Would be great to get an update out before the end of the year! 🎁 🎉

@paulhong01
Contributor

@sachams
Author

sachams commented Jan 6, 2025

Many thanks! I see the critical issues have been resolved - thanks! Do you plan to address the high issues?

grype gcr.io/endpoints-release/endpoints-runtime:2.51.0 --only-fixed

NAME                        INSTALLED   FIXED-IN                                  TYPE       VULNERABILITY        SEVERITY 
glibc                       2.34-r0     2.40                                      apk        CVE-2024-33602       High      
glibc                       2.34-r0     2.40                                      apk        CVE-2024-33601       High      
glibc                       2.34-r0     2.40                                      apk        CVE-2024-2961        High      
glibc                       2.34-r0     2.39                                      apk        CVE-2023-5156        High      
glibc                       2.34-r0     2.39                                      apk        CVE-2023-4911        High      
glibc                       2.34-r0     2.35                                      apk        CVE-2021-3998        High      
glibc                       2.34-r0     2.36                                      apk        CVE-2023-4813        Medium    
glibc                       2.34-r0     2.39                                      apk        CVE-2023-4527        Medium    
glibc                       2.34-r0     2.38                                      apk        CVE-2023-0687        Medium    
glibc                       2.34-r0     2.40                                      apk        CVE-2024-33600       Unknown   
glibc                       2.34-r0     2.40                                      apk        CVE-2024-33599       Unknown   
golang.org/x/net            v0.23.0     0.33.0                                    go-module  GHSA-w32m-9786-jp63  High      
google.golang.org/protobuf  v1.30.0     1.33.0                                    go-module  GHSA-8r3f-844c-mc37  Medium    
pip                         23.1.2      23.3                                      python     GHSA-mq26-g339-26xf  Medium    
py3-pip                     23.1.2-r0   23.3                                      apk        CVE-2023-5752        Medium    
python3                     3.11.10-r1  3.10.16, 3.11.11, 3.12.8, 3.13.1, 3.9.21  apk        CVE-2024-50602       Medium    
python3                     3.11.10-r1  3.11.11-r0                                apk        CVE-2024-9287        Unknown   
python3-pyc                 3.11.10-r1  3.11.11-r0                                apk        CVE-2024-9287        Unknown   
python3-pycache-pyc0        3.11.10-r1  3.11.11-r0                                apk        CVE-2024-9287        Unknown   
stdlib                      go1.22.5    1.22.7, 1.23.1                            go-module  CVE-2024-34158       High      
stdlib                      go1.22.5    1.22.7, 1.23.1                            go-module  CVE-2024-34156       High      
stdlib                      go1.22.5    1.22.7, 1.23.1                            go-module  CVE-2024-34155       Medium
