Tagging a 7.1.4 with CVE fixes #1383

Closed
AndrewNiven1 opened this issue Sep 28, 2021 · 4 comments

Comments

@AndrewNiven1

Hi all,

Since 7.1.3 there have been two PRs (1244 and 1276) which contain version bumps to fix CVEs. I understand that version 7.2.0 is due to be released soon, but we would really appreciate it if we could get a 7.1.4 version with these CVE fixes out this week. Would it be okay if I were to take a branch off 7.1.3, apply these two PRs, and then tag 7.1.4?

Thanks,

Andrew

@nehap4

nehap4 commented Sep 29, 2021

Can the alpine version be updated to 3.14.2 instead of 3.14 for the 7.1.4 tag? 3.14.2 fixes CVE-2021-3712.

@paulwouters

paulwouters commented Sep 29, 2021

I would also like to see a 7.1.4 (or 7.2.0) tag. The diff to 7.1.3 to pull in the CVE fixes is 9k lines :/
(Looking again, and seeing requirements updates, git head should really be a 7.2.0 and not 7.1.4. I would like to see a 7.1.4 with the security fixes, but that still uses coreos-oidc v2 instead of v3.)

@JoelSpeed
Member

We will be releasing 7.2.0 very shortly. As we are both quite short on time to work on the project lately and there's a lot involved in doing the release process, we won't be doing any further patches on the 7.1.z stream.

We are hoping to have the new release out in the next week or so.

> Can the alpine version be updated to 3.14.2 instead of 3.14 for the 7.1.4 tag?

The 3.14 tag will pull in the latest z-stream release of the alpine image, so we will already be pulling in the fix for that CVE in our next builds.

@JoelSpeed
Member

Please use the new 7.2.0 release, which has just been published.
