CVE fixes, May 23 #3812

Closed
Haarolean opened this issue May 11, 2023 — with Slack · 1 comment · Fixed by #3840
Labels
scope/backend type/security Pull requests that address a security vulnerability
Haarolean commented May 11, 2023

https://github.com/provectus/kafka-ui/actions/runs/4946294159/jobs/8844174426

Haarolean self-assigned this May 11, 2023
Haarolean added the type/security Pull requests that address a security vulnerability label May 11, 2023
Haarolean assigned iliax and unassigned Haarolean May 11, 2023
Haarolean added this to the 0.8 milestone May 11, 2023
Haarolean added this to To do in Release 0.8 May 11, 2023

michaelwagler commented May 17, 2023

@Haarolean Glad you're looking into CVE issues. I ran grype against the latest image locally, and got the list below of CVE vulnerabilities. Are you going to be addressing them as well?

libcrypto1.1                 1.1.1t-r3            apk           CVE-2023-0466   Medium
libssl1.1                    1.1.1t-r3            apk           CVE-2023-0466   Medium
netty-reactive-streams       2.0.5                java-archive  CVE-2014-3488   Medium
netty-reactive-streams       2.0.5                java-archive  CVE-2015-2156   High
netty-reactive-streams       2.0.5                java-archive  CVE-2019-16869  High
netty-reactive-streams       2.0.5                java-archive  CVE-2019-20444  Critical
netty-reactive-streams       2.0.5                java-archive  CVE-2019-20445  Critical
netty-reactive-streams       2.0.5                java-archive  CVE-2021-21290  Medium
netty-reactive-streams       2.0.5                java-archive  CVE-2021-21295  Medium
netty-reactive-streams       2.0.5                java-archive  CVE-2021-21409  Medium
netty-reactive-streams       2.0.5                java-archive  CVE-2021-37136  High
netty-reactive-streams       2.0.5                java-archive  CVE-2021-37137  High
netty-reactive-streams       2.0.5                java-archive  CVE-2021-43797  Medium
netty-reactive-streams       2.0.5                java-archive  CVE-2022-24823  Medium
netty-reactive-streams       2.0.5                java-archive  CVE-2022-41881  High
netty-reactive-streams-http  2.0.5                java-archive  CVE-2014-3488   Medium
netty-reactive-streams-http  2.0.5                java-archive  CVE-2015-2156   High
netty-reactive-streams-http  2.0.5                java-archive  CVE-2019-16869  High
netty-reactive-streams-http  2.0.5                java-archive  CVE-2019-20444  Critical
netty-reactive-streams-http  2.0.5                java-archive  CVE-2019-20445  Critical
netty-reactive-streams-http  2.0.5                java-archive  CVE-2021-21290  Medium
netty-reactive-streams-http  2.0.5                java-archive  CVE-2021-21295  Medium
netty-reactive-streams-http  2.0.5                java-archive  CVE-2021-21409  Medium
netty-reactive-streams-http  2.0.5                java-archive  CVE-2021-37136  High
netty-reactive-streams-http  2.0.5                java-archive  CVE-2021-37137  High
netty-reactive-streams-http  2.0.5                java-archive  CVE-2021-43797  Medium
netty-reactive-streams-http  2.0.5                java-archive  CVE-2022-24823  Medium
netty-reactive-streams-http  2.0.5                java-archive  CVE-2022-41881  High
reactor-netty-core           1.1.5                java-archive  CVE-2014-3488   Medium
reactor-netty-core           1.1.5                java-archive  CVE-2015-2156   High
reactor-netty-core           1.1.5                java-archive  CVE-2019-16869  High
reactor-netty-core           1.1.5                java-archive  CVE-2019-20444  Critical
reactor-netty-core           1.1.5                java-archive  CVE-2019-20445  Critical
reactor-netty-core           1.1.5                java-archive  CVE-2021-21290  Medium
reactor-netty-core           1.1.5                java-archive  CVE-2021-21295  Medium
reactor-netty-core           1.1.5                java-archive  CVE-2021-21409  Medium
reactor-netty-core           1.1.5                java-archive  CVE-2021-37136  High
reactor-netty-core           1.1.5                java-archive  CVE-2021-37137  High
reactor-netty-core           1.1.5                java-archive  CVE-2021-43797  Medium
reactor-netty-core           1.1.5                java-archive  CVE-2022-24823  Medium
reactor-netty-core           1.1.5                java-archive  CVE-2022-41881  High
reactor-netty-http           1.1.5                java-archive  CVE-2014-3488   Medium
reactor-netty-http           1.1.5                java-archive  CVE-2015-2156   High
reactor-netty-http           1.1.5                java-archive  CVE-2019-16869  High
reactor-netty-http           1.1.5                java-archive  CVE-2019-20444  Critical
reactor-netty-http           1.1.5                java-archive  CVE-2019-20445  Critical
reactor-netty-http           1.1.5                java-archive  CVE-2021-21290  Medium
reactor-netty-http           1.1.5                java-archive  CVE-2021-21295  Medium
reactor-netty-http           1.1.5                java-archive  CVE-2021-21409  Medium
reactor-netty-http           1.1.5                java-archive  CVE-2021-37136  High
reactor-netty-http           1.1.5                java-archive  CVE-2021-37137  High
reactor-netty-http           1.1.5                java-archive  CVE-2021-43797  Medium
reactor-netty-http           1.1.5                java-archive  CVE-2022-24823  Medium
reactor-netty-http           1.1.5                java-archive  CVE-2022-41881  High

Haarolean modified the milestones: 0.8, 0.7.1 May 18, 2023
Release 0.8 automation moved this from To do to Done May 18, 2023