Update containerd and docker packages #1459

Merged
merged 1 commit into from
Apr 7, 2022

Conversation

szh
Contributor

@szh szh commented Apr 7, 2022

Desired Outcome

Dependabot has flagged 3 issues in Secretless modules:

  • CVE-2022-23648: Insecure handling of image volumes in containerd CRI plugin (High severity)
  • CVE-2015-3627: Symlink attack in libcontainer and docker engine (Medium severity)
  • GHSA-qq97-vm5h-rrhg: OCI Manifest Type Confusion

It looks like the affected modules are only indirect dependencies or used in test code, but we should upgrade them. Some of the updates seem to cross major version boundaries, so this is likely more than just version bumps.

To fix these, we need to get:

  • github.com/containerd/containerd to 1.6.1, 1.5.10, or 1.4.13 or later
  • github.com/docker/docker to 1.6.1 or later
  • github.com/docker/distribution to 2.8.0 or later (or if we're using the main branch, to the commit after distribution/distribution@b59a6f8)

This includes any indirect references back to these libraries if possible. (Go.sum should contain no references to vulnerable versions. If that's not possible, we need to document which modules are pulling in old versions so we can watch for updates to them or replace those modules with more up-to-date alternatives.)

Implemented Changes

  • Updated github.com/containerd/containerd from v1.5.9 to v1.6.2
  • Updated github.com/docker/docker from v1.4.2-0.20191231165639-e6f6c35b7902 to v20.10.14+incompatible
  • Updated docker/distribution from v2.7.1+incompatible to v2.8.1+incompatible

Connected Issue/Story

Resolves #1420

CyberArk internal issue link: CONJSE-1284

Definition of Done

  • Secretless no longer contains a vulnerability in github.com/containerd/containerd, as indicated by the absence of a Dependabot alert
  • Secretless no longer contains a vulnerability in github.com/docker/docker, as evidenced by the absence of a Dependabot alert
  • Secretless no longer contains a vulnerability in github.com/docker/distribution, as evidenced by the absence of a Dependabot alert

Changelog

  • The CHANGELOG has been updated, or
  • This PR does not include user-facing changes and doesn't require a
    CHANGELOG update

Test coverage

  • This PR includes new unit and integration tests to go with the code
    changes, or
  • The changes in this PR do not require tests

Documentation

  • Docs (e.g. READMEs) were updated in this PR
  • A follow-up issue to update official docs has been filed here: insert issue ID
  • This PR does not require updating any documentation

Behavior

  • This PR changes product behavior and has been reviewed by a PO, or
  • These changes are part of a larger initiative that will be reviewed later, or
  • No behavior was changed with this PR

Security

  • Security architect has reviewed the changes in this PR,
  • These changes are part of a larger initiative with a separate security review, or
  • There are no security aspects to these changes
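
The check the description asks for (go.sum free of vulnerable versions, otherwise a record of which modules pull them in) can be run over `go mod graph` output. The script below is an added example, not code from the Secretless project: the graph edges are constructed, `github.com/example/testdep` is a hypothetical module, and the version floors are the ones listed in the PR description, with each containerd floor applied to its own release line.

```python
import re
# Fixed-version floors from the PR description; containerd lists one floor per
# maintained release line, so a version is judged against the floor of its own line.
FIXED = {
    "github.com/containerd/containerd": ["v1.4.13", "v1.5.10", "v1.6.1"],
    "github.com/docker/docker": ["v1.6.1"],
    "github.com/docker/distribution": ["v2.8.0"],
}
# Constructed `go mod graph` output: one "requirer requirement@version" edge per line.
SAMPLE_GRAPH = """\
github.com/cyberark/secretless-broker github.com/containerd/containerd@v1.5.9
github.com/cyberark/secretless-broker github.com/docker/docker@v20.10.14+incompatible
github.com/example/testdep@v0.3.0 github.com/docker/docker@v1.4.2-0.20191231165639-e6f6c35b7902
github.com/example/testdep@v0.3.0 github.com/docker/distribution@v2.7.1+incompatible
github.com/containerd/containerd@v1.5.9 github.com/docker/distribution@v2.8.1+incompatible
"""
_VER = re.compile(r"^v(\d+)\.(\d+)\.(\d+)(-[^+]*)?(\+incompatible)?$")

def version_key(ver):
    # (major, minor, patch, is_release); v1.4.2-0.2019... sorts below v1.4.2, "+incompatible" is ignored.
    if not (m := _VER.match(ver)):
        raise ValueError(f"unrecognised module version: {ver}")
    return tuple(int(x) for x in m.group(1, 2, 3)) + (m.group(4) is None,)

def is_vulnerable(module, ver):
    # Below the floor of its own release line, or below the newest floor if no line matches.
    floors = FIXED.get(module)
    if not floors:
        return False
    key = version_key(ver)
    for floor in floors:
        if version_key(floor)[:2] == key[:2]:
            return key < version_key(floor)
    return key < version_key(floors[-1])

def find_vulnerable(graph):
    # Map each vulnerable module@version to the modules that require it: the list
    # the PR asks to document when go.sum cannot be cleaned of old versions.
    pulled_in_by = {}
    for line in graph.splitlines():
        parts = line.split()
        if len(parts) == 2 and "@" in parts[1]:
            module, ver = parts[1].rsplit("@", 1)
            if is_vulnerable(module, ver):
                pulled_in_by.setdefault(parts[1], []).append(parts[0])
    return pulled_in_by

if __name__ == "__main__":
    for dep, requirers in find_vulnerable(SAMPLE_GRAPH).items():
        print(f"{dep} <- {', '.join(requirers)}")
```

For a real check, feed the script the output of `go mod graph` from the repository root; `go mod why -m <module>` then shows the import path behind any module it reports.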

@szh szh self-assigned this Apr 7, 2022
@szh szh requested a review from a team as a code owner April 7, 2022 20:19
@@ -10,6 +10,14 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
- Support for building on Apple M1 hardware.
[cyberark/secretless-broker#1456](https://github.com/cyberark/secretless-broker/pull/1456)

### Security
- Updated github.com/containerd/containerd to resolve CVE-2022-23648
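Review bot: the `- Updated github.com/containerd/containerd ...` list item sits directly under the `### Security` heading without a blank line between them, which is the point the markdown-lint comment on this hunk raises; add the blank line, and for consistency with the `Apple M1` entry above, link the change, e.g. `[cyberark/secretless-broker#1459](https://github.com/cyberark/secretless-broker/pull/1459)`. The PR description names three advisories but only the containerd/CVE-2022-23648 entry is visible in this hunk; if the remaining added lines do not also record github.com/docker/docker (CVE-2015-3627) and github.com/docker/distribution (GHSA-qq97-vm5h-rrhg), add entries for them.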

Lists should be surrounded by blank lines

@codeclimate

codeclimate bot commented Apr 7, 2022

Code Climate has analyzed commit c2a0f7e and detected 1 issue on this pull request.

Here's the issue category breakdown:

Category  Count
Style     1

The test coverage on the diff in this pull request is 100.0% (50% is the threshold).

This pull request will bring the total coverage in the repository to 34.3% (0.0% change).

View more on Code Climate.

Contributor

@andytinkham andytinkham left a comment


LGTM

Development

Successfully merging this pull request may close these issues.

Upgrade github.com/containerd/containerd to 1.4.8 or higher