What is the Security guidelines for OLM fixing known CVEs?

[kramvan1]

Type of question

OLM Security

Question

What is the Security guidelines for OLM fixing known CVEs?

What did you do?

I see the 0.11.0 release out as the latest release, but is it flagged with a CVE:https://quay.io/repository/operator-framework/olm/manifest/sha256:81813ac9c937187c29e080c0975bb18489c1f232009c38c8d3a27bc9956ddd21?tab=vulnerabilities&fixable=true

What did you expect to see?

I expect to see a 0.11.1 release spin to pick up and fix the CVE within a reasonable timeframe (a couple weeks?)

What did you see instead? Under which circumstances?

No new release to pick up the CVE fixes.

Environment

• operator-lifecycle-manager version:

Latest 0.11.0

• Kubernetes version information:
  n/a

• Kubernetes cluster kind:
  n/a

Additional context

[ecordell]

Currently, our upstream releases do not carry an SLA for fixing known CVEs.

This is already fixed in the master tag, and we will be making another minor release within a week or so to fix this.

[kramvan1]

@ecordell Thx for the info. Are there plans to put our a SLA statement regarding security/CVEs resolution? Trying to understand how to consume this for production and have some type of timeframe for getting high severity security fixes.

[kramvan1]

@ecordell Friendly reminder that the current 0.12.0 release has 3 CVEs. Hopefully there will a new release soon. I checked master just now, and it scanned was clean.

[kramvan1]

@ecordell Any updates on new release to pick up CVEs?

[kramvan1]

@ecordell Any timeframe for 0.13.0 release?

[stale]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

[kramvan1]

Working with @dmesser to come up with a process for get release spins.