Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

security: fix CVE-2021-43618 #826

Merged
merged 1 commit into from Jan 4, 2022
Merged

security: fix CVE-2021-43618 #826

merged 1 commit into from Jan 4, 2022

Conversation

aramase
Copy link
Member

@aramase aramase commented Jan 4, 2022

Signed-off-by: Anish Ramasekar anish.ramasekar@gmail.com

What this PR does / why we need it:

➜ trivy --exit-code 1 --ignore-unfixed --severity MEDIUM,HIGH,CRITICAL k8s.gcr.io/build-image/debian-base:bullseye-v1.1.0
2022-01-04T13:40:52.026-0800	WARN	The root command will be removed. Please migrate to 'trivy image' command. See https://github.com/aquasecurity/trivy/discussions/1515
2022-01-04T13:40:52.073-0800	INFO	Need to update DB
2022-01-04T13:40:52.073-0800	INFO	Downloading DB...
25.32 MiB / 25.32 MiB [-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------] 100.00% 24.18 MiB p/s 1s
2022-01-04T13:40:57.118-0800	INFO	Detected OS: debian
2022-01-04T13:40:57.118-0800	INFO	Detecting Debian vulnerabilities...
2022-01-04T13:40:57.128-0800	INFO	Number of language-specific files: 0

k8s.gcr.io/build-image/debian-base:bullseye-v1.1.0 (debian 11.1)
================================================================
Total: 1 (MEDIUM: 0, HIGH: 1, CRITICAL: 0)

+----------+------------------+----------+-------------------+------------------------+---------------------------------------+
| LIBRARY  | VULNERABILITY ID | SEVERITY | INSTALLED VERSION |     FIXED VERSION      |                 TITLE                 |
+----------+------------------+----------+-------------------+------------------------+---------------------------------------+
| libgmp10 | CVE-2021-43618   | HIGH     | 2:6.2.1+dfsg-1    | 2:6.2.1+dfsg-1+deb11u1 | gmp: Integer overflow and resultant   |
|          |                  |          |                   |                        | buffer overflow via crafted input     |
|          |                  |          |                   |                        | -->avd.aquasec.com/nvd/cve-2021-43618 |
+----------+------------------+----------+-------------------+------------------------+---------------------------------------+

Which issue(s) this PR fixes (optional, using fixes #<issue number>(, fixes #<issue_number>, ...) format, will close the issue(s) when the PR gets merged):
Fixes #

Special notes for your reviewer:

@aramase
security: fix CVE-2021-43618
6462375 
Signed-off-by: Anish Ramasekar <anish.ramasekar@gmail.com>
@k8s-ci-robot k8s-ci-robot added cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. labels Jan 4, 2022
@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: aramase

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jan 4, 2022
@tam7t
Copy link
Contributor

tam7t commented Jan 4, 2022

/lgtm

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Jan 4, 2022
@k8s-ci-robot k8s-ci-robot merged commit efed957 into kubernetes-sigs:main Jan 4, 2022
@aramase aramase deleted the CVE-2021-43618 branch January 4, 2022 22:37
@aramase aramase mentioned this pull request Jan 11, 2022
Merged
k8s-ci-robot added a commit that referenced this pull request Jan 11, 2022
@k8s-ci-robot
Merge pull request #833 from aramase/automated-cherry-pick-of-#826-up…
5d0c17a 
…stream-release-1.0

Automated cherry pick of #826: security: fix CVE-2021-43618
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ritazh ritazh Awaiting requested review from ritazh

@tam7t tam7t Awaiting requested review from tam7t

Assignees

@tam7t tam7t

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. lgtm "Looks good to me", indicates that a PR is ready to be merged. size/XS Denotes a PR that changes 0-9 lines, ignoring generated files.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
3 participants
@aramase @k8s-ci-robot @tam7t