Fix CVE-2024-33599

[jpmca12]

Black Duck Binary Analysis reporting vulnerability CVE-2024-33599 on glibc 2.36-9+deb12u4, fix is available in 2.36-9+deb12u7.

Envoy version: envoy-distroless:v1.29.4

From this line https://github.com/envoyproxy/envoy/blob/v1.29.4/ci/Dockerfile-envoy#L61

cosign download attestation gcr.io/distroless/base-nossl-debian12:nonroot@sha256:0cf184cfdb9ac2878822b15b8917fae5d42fba26da654cd75ab3ed34add0737f | jq -rcs '.[0].payload' | base64 -d

found the glibc version used is 2.36-9+deb12u4

Looking here https://security-tracker.debian.org/tracker/CVE-2024-33599 found that the version 2.36-9+deb12u4 is vulnerable and fix is provided in 2.36-9+deb12u7.

can someone help fixing this. Let me know if I am missing anything. thanks.

cc: @phlax

[phlax]

latest distroless image was updated here ba63c41 and picked to all branches

we dont generally cut releases for container fixes, and im struggling to find any information about this CVE

i generally update the ubuntu images close to when we are going to cut a release, but i will probably update these shortly

i think we can close this - we keep our branches up-to-date with what is available - in the distroless case this is done by dependabot

generally i do the backporting to ensure the supported branches are also up to date, but would appreciate any help with that

[jpmca12]

Thanks @phlax

Wondering when the fix would be available here https://hub.docker.com/r/envoyproxy/envoy-distroless/tags?page=1&page_size=&ordering=&name=v1.29 ?

Thanks

[phlax]

no fixed date as yet, but most likely in around a month