Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Bump version of Go for CVE resolution? #183

Closed
mreider opened this issue Feb 10, 2022 · 13 comments
Closed

Bump version of Go for CVE resolution? #183

mreider opened this issue Feb 10, 2022 · 13 comments

Comments

@mreider
Copy link

mreider commented Feb 10, 2022

Hello. Would it be possible to bump the version of Golang to help resolve some of these CVE's?

CVE-2021-38297 | critical | go 1.16.2 | 9,8 | https://nvd.nist.gov/vuln/detail/CVE-2021-38297
CVE-2021-27918 | high | go 1.14.15 | 7,5 | https://nvd.nist.gov/vuln/detail/CVE-2021-27918
CVE-2021-29923 | high | go 1.16.2 | 7,5 | https://nvd.nist.gov/vuln/detail/CVE-2021-29923
CVE-2021-33194 | high | go 1.16.2 | 7,5 | https://nvd.nist.gov/vuln/detail/CVE-2021-33194
CVE-2021-33195 | high | go 1.16.2 | 7,3 | https://nvd.nist.gov/vuln/detail/CVE-2021-33195
CVE-2021-33196 | high | go 1.16.2 | 7,5 | https://nvd.nist.gov/vuln/detail/CVE-2021-33196
CVE-2021-33198 | high | go 1.16.2 | 7,5 | https://nvd.nist.gov/vuln/detail/CVE-2021-33198
CVE-2021-41771 | high | go 1.16.2 | 7,5 | https://nvd.nist.gov/vuln/detail/CVE-2021-41771
CVE-2021-41772 | high | go 1.16.2 | 7,5 | https://nvd.nist.gov/vuln/detail/CVE-2021-41772
CVE-2021-44716 | high | go 1.16.2 | 7,5 | https://nvd.nist.gov/vuln/detail/CVE-2021-44716
CVE-2020-29510 | medium | go 1.14.15 | 5,6 | https://nvd.nist.gov/vuln/detail/CVE-2020-29510
CVE-2021-31525 | medium | go 1.16.2 | 5,9 | https://nvd.nist.gov/vuln/detail/CVE-2021-31525
CVE-2021-33197 | medium | go 1.16.2 | 5,3 | https://nvd.nist.gov/vuln/detail/CVE-2021-33197
CVE-2021-34558 | medium | go 1.16.2 | 6,5 | https://nvd.nist.gov/vuln/detail/CVE-2021-34558
CVE-2021-36221 | medium | go 1.16.2 | 5,9 | https://nvd.nist.gov/vuln/detail/CVE-2021-36221
@k8s-triage-robot
Copy link

The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Mark this issue or PR as fresh with /remove-lifecycle stale
  • Mark this issue or PR as rotten with /lifecycle rotten
  • Close this issue or PR with /close
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

@k8s-ci-robot k8s-ci-robot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label May 11, 2022
@mauriciopoppe
Copy link
Member

/remove-lifecycle stale

@k8s-ci-robot k8s-ci-robot removed the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Jun 1, 2022
@mauriciopoppe
Copy link
Member

I saw that our go.mod file says 1.16 in https://github.com/kubernetes-csi/node-driver-registrar/blob/master/go.mod#L3 however the library that builds the binary uses 1.18 https://github.com/kubernetes-csi/csi-release-tools/blob/master/prow.sh#L89, I'll check this again before the next release

@k8s-triage-robot
Copy link

The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Mark this issue or PR as fresh with /remove-lifecycle stale
  • Mark this issue or PR as rotten with /lifecycle rotten
  • Close this issue or PR with /close
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

@k8s-ci-robot k8s-ci-robot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Aug 30, 2022
@Alexshen1987
Copy link

We can see the same issue.

@Alexshen1987
Copy link

/remove-lifecycle stale

@k8s-ci-robot k8s-ci-robot removed the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Sep 8, 2022
@sharunjoshi
Copy link

Are there any updates on fixing the CVE's?

@sharunjoshi
Copy link

/remove-lifecycle stale

@sarahhenkens
Copy link

Bumping up on this. We are having the same issue

@sarahhenkens
Copy link

@mauriciopoppe I think if we do a fresh docker build. It should pick up the latest node 16 or node 18 versions with the security patches included. Just need to do a re-release.

@mauriciopoppe mauriciopoppe mentioned this issue Oct 10, 2022
Merged
@MobsMao
Copy link

MobsMao commented Oct 28, 2022

Any updates on fixing the CVEs? if bump the go version to 1.18.7 or 1.19.2 CVEs should be solved.

@mauriciopoppe
Copy link
Member

A new image will be available soon, I'm waiting for kubernetes/k8s.io#4395 to be merged.

@mauriciopoppe
Copy link
Member

Tested that the image is available with docker pull k8s.gcr.io/sig-storage/csi-node-driver-registrar:v2.6.0

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
8 participants
@mreider @sarahhenkens @mauriciopoppe @MobsMao @Alexshen1987 @k8s-ci-robot @sharunjoshi @k8s-triage-robot