
Releases do not include available security fix for CVE-2024-34156[HIGH] #1662

@G-Tarik

Description

What happened:
At least these versions:
Latest Release: 1.29.9 (released: 2024-09-10)
Latest Release: 1.30.5 (released: 2024-09-10)
Latest Release: 1.31.1 (released: 2024-09-11)
did not include the fix for CVE-2024-34156, which was released in go1.22.7 on 2024-09-05. The Trivy scanner reports installed version 1.22.6 for all of them.

What you expected to happen:
The CVE-2024-34156 fix is included.

How to reproduce it (as minimally and precisely as possible):

  1. Build a docker image with this Dockerfile:

```dockerfile
FROM python:3.10-alpine

RUN wget "https://dl.k8s.io/release/v1.29.9/bin/linux/amd64/kubectl" && \
    wget "https://dl.k8s.io/v1.29.9/bin/linux/amd64/kubectl.sha256" && \
    echo "$(cat kubectl.sha256)  kubectl" | sha256sum -c && \
    install -o root -g root -m 0755 kubectl /usr/local/bin/kubectl
```

  2. Scan the image with Trivy:

```shell
trivy clean --scan-cache
trivy image --scanners vuln --no-progress --severity HIGH,CRITICAL --ignore-unfixed $IMAGE
```
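To confirm which Go toolchain a downloaded kubectl binary was built with without going through a scanner, here is an added example (not from the issue author or the Kubernetes project) that reads the build-info header the Go linker embeds in Go 1.18+ binaries, following the layout used by Go's debug/buildinfo package, and compares the result with go1.22.7 from this report. The FIXED_VERSIONS table, the script name and the constructed test input are this example's own assumptions.

```python
"""Read the Go toolchain version embedded in a Go binary and check it for CVE-2024-34156."""
import re
import sys
from typing import Optional, Tuple

BUILDINFO_MAGIC = b"\xff Go buildinf:"  # 14-byte marker written by the Go linker
HEADER_SIZE = 32
# Fixed toolchain per "major.minor" line. Only the version named in the report
# is listed (assumption of this example); other release lines need their own entry.
FIXED_VERSIONS = {"1.22": (1, 22, 7)}

def _read_uvarint(data: bytes, pos: int) -> Tuple[int, int]:
    """Decode an unsigned LEB128 varint; return (value, position after it)."""
    value, shift = 0, 0
    while True:
        byte = data[pos]
        pos += 1
        value |= (byte & 0x7F) << shift
        if byte < 0x80:
            return value, pos
        shift += 7

def go_version_from_binary(blob: bytes) -> Optional[str]:
    """Return the embedded version string (e.g. 'go1.22.6'), or None. Go 1.18+ layout:
    flag bit 0x2 means the version follows the 32-byte header as a varint-prefixed string."""
    idx = blob.find(BUILDINFO_MAGIC)
    if idx < 0 or len(blob) <= idx + HEADER_SIZE:
        return None
    if blob[idx + 15] & 0x2 == 0:
        return None  # older pointer-based layout; would need ELF/PE symbol lookup
    length, pos = _read_uvarint(blob, idx + HEADER_SIZE)
    return blob[pos:pos + length].decode("ascii", errors="replace")

def parse_go_version(text: str) -> Tuple[int, int, int]:
    """'go1.22.6' -> (1, 22, 6); a pre-release such as 'go1.23rc1' -> (1, 23, 0)."""
    m = re.match(r"go(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"not a Go version string: {text!r}")
    major, minor, patch = (int(x) for x in m.groups(default="0"))
    return major, minor, patch

def is_vulnerable(version: str) -> Optional[bool]:
    """True if the toolchain predates the fix on its minor line, False if at or past it,
    None when FIXED_VERSIONS has no entry for that line."""
    major, minor, patch = parse_go_version(version)
    fixed = FIXED_VERSIONS.get(f"{major}.{minor}")
    return None if fixed is None else (major, minor, patch) < fixed

if __name__ == "__main__":  # usage: python check_go_version.py /usr/local/bin/kubectl
    found = go_version_from_binary(open(sys.argv[1], "rb").read())
    print(found, is_vulnerable(found) if found else "no Go build info found")
```

On a host with a Go toolchain installed, `go version -m /usr/local/bin/kubectl` reports the same version string, which is what Trivy's "installed version 1.22.6" finding is derived from.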

Labels: kind/bug (Categorizes issue or PR as related to a bug), needs-triage (Indicates an issue or PR lacks a `triage/foo` label and requires one)