Bump version of Go for CVE resolution? #183
Comments
The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs. This bot triages issues and PRs according to the following rules:
You can:
Please send feedback to sig-contributor-experience at kubernetes/community. /lifecycle stale |
/remove-lifecycle stale |
I saw that our go.mod file says 1.16 in https://github.com/kubernetes-csi/node-driver-registrar/blob/master/go.mod#L3; however, the library that builds the binary uses 1.18 (https://github.com/kubernetes-csi/csi-release-tools/blob/master/prow.sh#L89). I'll check this again before the next release. |
The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs. This bot triages issues and PRs according to the following rules:
You can:
Please send feedback to sig-contributor-experience at kubernetes/community. /lifecycle stale |
We can see the same issue. |
/remove-lifecycle stale |
Are there any updates on fixing the CVEs? |
/remove-lifecycle stale |
Bumping up on this. We are having the same issue. |
@mauriciopoppe I think if we do a fresh docker build, it should pick up the latest node 16 or node 18 versions with the security patches included. Just need to do a re-release. |
Any updates on fixing the CVEs? If we bump the Go version to 1.18.7 or 1.19.2, the CVEs should be solved. |
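One way to check which Go toolchain a built binary actually records, instead of relying on the `go` directive in go.mod, and compare it with the versions proposed above. This is an added example, not part of the thread or the project's code; the `minPatch` table and the function names are assumptions.

```go
package main

import (
	"debug/buildinfo"
	"fmt"
	"os"
	"strconv"
	"strings"
)

// Assumed table: lowest acceptable patch per release line, from the thread (1.18.7, 1.19.2).
var minPatch = map[string]int{"1.18": 7, "1.19": 2}

// parseGoVersion splits "go1.18.7" into line "1.18" and patch 7; "go1.16" has patch 0.
func parseGoVersion(v string) (string, int, error) {
	bad := fmt.Errorf("unrecognised toolchain version %q", v)
	first, _, _ := strings.Cut(v, " ") // drop suffixes such as " X:boringcrypto"
	parts := strings.Split(strings.TrimPrefix(first, "go"), ".")
	if len(parts) < 2 || len(parts) > 3 {
		return "", 0, bad
	}
	nums := make([]int, 3)
	for i, p := range parts {
		var err error
		if nums[i], err = strconv.Atoi(p); err != nil {
			return "", 0, bad
		}
	}
	return fmt.Sprintf("%d.%d", nums[0], nums[1]), nums[2], nil
}

// toolchainPatched fails closed: a release line missing from minPatch (e.g. 1.16) is not patched.
func toolchainPatched(v string) (bool, error) {
	line, patch, err := parseGoVersion(v)
	need, ok := minPatch[line]
	return err == nil && ok && patch >= need, err
}

func main() { // usage: gocheck <binary>...
	for _, p := range os.Args[1:] {
		info, err := buildinfo.ReadFile(p) // toolchain version recorded in the binary
		if err != nil {
			fmt.Fprintln(os.Stderr, p, err)
			continue
		}
		ok, _ := toolchainPatched(info.GoVersion)
		fmt.Printf("%s: built with %s, patched=%v\n", p, info.GoVersion, ok)
	}
}
```

Run it against the binary extracted from the image; release lines newer than those in `minPatch` need their own entries before they are reported as patched.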
A new image will be available soon, I'm waiting for kubernetes/k8s.io#4395 to be merged. |
Tested that the image is available with |
Hello. Would it be possible to bump the version of Golang to help resolve some of these CVEs?
CVE-2021-38297 | critical | go 1.16.2 | 9,8 | https://nvd.nist.gov/vuln/detail/CVE-2021-38297
CVE-2021-27918 | high | go 1.14.15 | 7,5 | https://nvd.nist.gov/vuln/detail/CVE-2021-27918
CVE-2021-29923 | high | go 1.16.2 | 7,5 | https://nvd.nist.gov/vuln/detail/CVE-2021-29923
CVE-2021-33194 | high | go 1.16.2 | 7,5 | https://nvd.nist.gov/vuln/detail/CVE-2021-33194
CVE-2021-33195 | high | go 1.16.2 | 7,3 | https://nvd.nist.gov/vuln/detail/CVE-2021-33195
CVE-2021-33196 | high | go 1.16.2 | 7,5 | https://nvd.nist.gov/vuln/detail/CVE-2021-33196
CVE-2021-33198 | high | go 1.16.2 | 7,5 | https://nvd.nist.gov/vuln/detail/CVE-2021-33198
CVE-2021-41771 | high | go 1.16.2 | 7,5 | https://nvd.nist.gov/vuln/detail/CVE-2021-41771
CVE-2021-41772 | high | go 1.16.2 | 7,5 | https://nvd.nist.gov/vuln/detail/CVE-2021-41772
CVE-2021-44716 | high | go 1.16.2 | 7,5 | https://nvd.nist.gov/vuln/detail/CVE-2021-44716
CVE-2020-29510 | medium | go 1.14.15 | 5,6 | https://nvd.nist.gov/vuln/detail/CVE-2020-29510
CVE-2021-31525 | medium | go 1.16.2 | 5,9 | https://nvd.nist.gov/vuln/detail/CVE-2021-31525
CVE-2021-33197 | medium | go 1.16.2 | 5,3 | https://nvd.nist.gov/vuln/detail/CVE-2021-33197
CVE-2021-34558 | medium | go 1.16.2 | 6,5 | https://nvd.nist.gov/vuln/detail/CVE-2021-34558
CVE-2021-36221 | medium | go 1.16.2 | 5,9 | https://nvd.nist.gov/vuln/detail/CVE-2021-36221