
Comments (8)

JohnRusk commented on August 29, 2024

I think these are fixed now in Master. Is there any plan to release a 0.8.18 release soon? @wangzhen127 , @Random-Liu @vteratipally

from node-problem-detector.

wangzhen127 commented on August 29, 2024

When is this needed? I see the base image was also updated. We could release a new version for the CVE fixes.


geetasg commented on August 29, 2024

Please cut a release this week if possible.
Also - we found a new CVE - CVE-2024-28085 - in our latest scan. I think it will also get addressed with the new release. Please clarify if I should report it separately from this issue. Thanks!


wangzhen127 commented on August 29, 2024

Will release v0.8.18 later this week.


rishabh-11 commented on August 29, 2024

Found two more CVEs:

perl 5.36.0-7+deb12u1

NVD
CVE-2023-47100
Published: 2023-12-02 - Modified: 2023-12-14
CVSS v3: 9.8
Description
In Perl before 5.38.2, S_parse_uniprop_string in regcomp.c can write to unallocated space because a property name associated with a \p{...} regular expression construct is mishandled. The earliest affected version is 5.30.0.
glibc 2.36-9+deb12u3

NVD
CVE-2023-6246
Published: 2024-01-31 - Modified: 2024-02-16
CVSS v3: 7.8
Description
A heap-based buffer overflow was found in the __vsyslog_internal function of the glibc library. This function is called by the syslog and vsyslog functions. This issue occurs when the openlog function was not called, or called with the ident argument set to NULL, and the program name (the basename of argv[0]) is bigger than 1024 bytes, resulting in an application crash or local privilege escalation. This issue affects glibc 2.36 and newer.

Please try to address them in the next release as well.


hakman commented on August 29, 2024

As @wangzhen127 mentioned, v0.18.8 should be released this week. Current staging image should include all the latest fixes.

 % trivy image --severity LOW,MEDIUM,HIGH,CRITICAL --ignore-unfixed --exit-code 3 --exit-on-eol 7 --scanners vuln gcr.io/k8s-staging-npd/node-problem-detector:master
2024-04-04T06:12:15.770+0300	INFO	Vulnerability scanning is enabled
2024-04-04T06:12:24.878+0300	INFO	Detected OS: debian
2024-04-04T06:12:24.878+0300	INFO	Detecting Debian vulnerabilities...
2024-04-04T06:12:24.889+0300	INFO	Number of language-specific files: 3
2024-04-04T06:12:24.889+0300	INFO	Detecting gobinary vulnerabilities...

gcr.io/k8s-staging-npd/node-problem-detector:master (debian 12.5)

Total: 0 (LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

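The trivy invocation above gates the staging image on three things at once: only the requested severities count, vulnerabilities without a fix version are ignored (--ignore-unfixed), any remaining finding yields exit code 3, and an end-of-life base OS yields exit code 7. The following added example (not code from the node-problem-detector project or from anyone in this thread) reproduces that gate over a Trivy JSON report, so a CI step can apply the same policy without re-parsing the table output. The report is a constructed sample shaped like `trivy image --format json` output; the field names (`Metadata.OS.EOSL`, `Results[].Vulnerabilities[].VulnerabilityID`, `PkgName`, `InstalledVersion`, `FixedVersion`, `Severity`) are assumed from Trivy's JSON schema, the fixed version shown for CVE-2023-6246 is made up for the sample, and the CVE-0000-* ids are placeholders.

```python
"""Apply a trivy-style vulnerability gate to a Trivy JSON report.

Mirrors: --severity <list> --ignore-unfixed --exit-code 3 --exit-on-eol 7.
The sample report below is constructed for this example; the JSON field
names are assumed to match Trivy's `--format json` schema.
"""
import json
from collections import Counter

# Trivy prints its summary in ascending severity order.
SEVERITY_ORDER = ["UNKNOWN", "LOW", "MEDIUM", "HIGH", "CRITICAL"]

# Constructed sample report: one fixed HIGH, one unfixed CRITICAL, one fixed LOW.
SAMPLE_REPORT = json.dumps({
    "ArtifactName": "registry.example.invalid/npd:test",
    "Metadata": {"OS": {"Family": "debian", "Name": "12.5", "EOSL": False}},
    "Results": [{
        "Target": "registry.example.invalid/npd:test (debian 12.5)",
        "Class": "os-pkgs",
        "Vulnerabilities": [
            {"VulnerabilityID": "CVE-2023-6246", "PkgName": "glibc",
             "InstalledVersion": "2.36-9+deb12u3",
             "FixedVersion": "2.36-9+deb12u99",  # made-up fix version for the sample
             "Severity": "HIGH"},
            {"VulnerabilityID": "CVE-0000-0001",  # placeholder id
             "PkgName": "example-pkg", "InstalledVersion": "1.0",
             "FixedVersion": "", "Severity": "CRITICAL"},  # no fix available yet
            {"VulnerabilityID": "CVE-0000-0002",  # placeholder id
             "PkgName": "example-pkg2", "InstalledVersion": "1.0",
             "FixedVersion": "1.1", "Severity": "LOW"},
        ],
    }],
})


def filter_vulns(report, severities, ignore_unfixed=True):
    """Return the findings that survive the --severity / --ignore-unfixed filters."""
    wanted = {s.upper() for s in severities}
    kept = []
    for result in report.get("Results", []):
        for vuln in result.get("Vulnerabilities") or []:
            if vuln.get("Severity", "UNKNOWN").upper() not in wanted:
                continue
            if ignore_unfixed and not vuln.get("FixedVersion"):
                continue  # unfixed: nothing the image build can do about it today
            kept.append(vuln)
    return kept


def summarize(vulns, severities):
    """Build a 'Total: N (LOW: x, ...)' line in the same shape trivy prints."""
    wanted = {s.upper() for s in severities}
    counts = Counter(v["Severity"].upper() for v in vulns)
    parts = ", ".join(f"{s}: {counts.get(s, 0)}" for s in SEVERITY_ORDER if s in wanted)
    return f"Total: {len(vulns)} ({parts})"


def exit_code(report, vulns, on_vuln=3, on_eol=7):
    """Exit code policy: EOL base OS wins, then any remaining finding, else 0."""
    os_meta = report.get("Metadata", {}).get("OS", {})
    if on_eol and os_meta.get("EOSL"):
        return on_eol
    return on_vuln if vulns else 0


def gate(report_json, severities=("LOW", "MEDIUM", "HIGH", "CRITICAL"),
         ignore_unfixed=True):
    """Return (summary line, exit code) for a Trivy JSON report string."""
    report = json.loads(report_json)
    vulns = filter_vulns(report, severities, ignore_unfixed)
    return summarize(vulns, severities), exit_code(report, vulns)


def mark_eol(report_json):
    """Helper for experiments: same report with the base OS flagged end-of-life."""
    report = json.loads(report_json)
    report.setdefault("Metadata", {}).setdefault("OS", {})["EOSL"] = True
    return json.dumps(report)


if __name__ == "__main__":
    summary, code = gate(SAMPLE_REPORT)
    print(summary)
    print(f"exit code: {code}")
```

With the sample report the gate reports `Total: 2 (LOW: 1, MEDIUM: 0, HIGH: 1, CRITICAL: 0)` and exit code 3: the unfixed CRITICAL is dropped by the --ignore-unfixed equivalent, which is the same reason trivy's table above shows 0 for the staging image even though distro advisories may list more issues against those package versions. Dropping the `ignore_unfixed` flag makes the unfixed finding count again, which is the setting to use when you want the full picture for reporting rather than a build gate.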

wangzhen127 commented on August 29, 2024

v0.8.18 has released.

/close


k8s-ci-robot commented on August 29, 2024

@wangzhen127: Closing this issue.

In response to this:

v0.8.18 has released.

/close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

