Black Duck Binary Analysis is reporting vulnerability CVE-2024-33599 on glibc 2.36-9+deb12u4; the fix is available in 2.36-9+deb12u7.
Envoy version: envoy-distroless:v1.29.4
From this line https://github.com/envoyproxy/envoy/blob/v1.29.4/ci/Dockerfile-envoy#L61
cosign download attestation gcr.io/distroless/base-nossl-debian12:nonroot@sha256:0cf184cfdb9ac2878822b15b8917fae5d42fba26da654cd75ab3ed34add0737f | jq -rcs '.[0].payload' | base64 -d
I found the glibc version used is 2.36-9+deb12u4.
Looking here https://security-tracker.debian.org/tracker/CVE-2024-33599 I found that version 2.36-9+deb12u4 is vulnerable and the fix is provided in 2.36-9+deb12u7.
Can someone help fix this? Let me know if I am missing anything. Thanks.
cc: @phlax
The latest distroless image was updated here ba63c41 and picked to all branches.
We don't generally cut releases for container fixes, and I'm struggling to find any information about this CVE.
I generally update the Ubuntu images close to when we are going to cut a release, but I will probably update these shortly.
I think we can close this - we keep our branches up-to-date with what is available - in the distroless case this is done by dependabot.
Generally I do the backporting to ensure the supported branches are also up to date, but would appreciate any help with that.
Thanks @phlax
Wondering when the fix would be available here: https://hub.docker.com/r/envoyproxy/envoy-distroless/tags?page=1&page_size=&ordering=&name=v1.29
Thanks
No fixed date as yet, but most likely in around a month.