[v2.10] Bump dependencies #416

Merged
pmatseykanets merged 4 commits into rancher:v2.10 from pmatseykanets:bump-deps-v2.10
Mar 27, 2025

@pmatseykanets
Contributor

No description provided.

@pmatseykanets pmatseykanets self-assigned this Mar 26, 2025
@pmatseykanets pmatseykanets requested a review from a team as a code owner March 26, 2025 15:12
@pmatseykanets
Contributor Author

pmatseykanets commented Mar 26, 2025

Before

trivy repository --branch v2.10 https://github.com/rancher/cli
┌───────────────────┬────────────────┬──────────┬──────────┬───────────────────┬──────────────────────────────────┬─────────────────────────────────────────────────────────────┐
│      Library      │ Vulnerability  │ Severity │  Status  │ Installed Version │          Fixed Version           │                            Title                            │
├───────────────────┼────────────────┼──────────┼──────────┼───────────────────┼──────────────────────────────────┼─────────────────────────────────────────────────────────────┤
│ golang.org/x/net  │ CVE-2025-22870 │ MEDIUM   │ fixed    │ v0.32.0           │ 0.36.0                           │ golang.org/x/net/proxy: golang.org/x/net/http/httpproxy:    │
│                   │                │          │          │                   │                                  │ HTTP Proxy bypass using IPv6 Zone IDs in golang.org/x/net   │
│                   │                │          │          │                   │                                  │ https://avd.aquasec.com/nvd/cve-2025-22870                  │
├───────────────────┼────────────────┤          │          ├───────────────────┼──────────────────────────────────┼─────────────────────────────────────────────────────────────┤
│ k8s.io/kubernetes │ CVE-2024-9042  │          │          │ v1.31.1           │ 1.29.13, 1.30.9, 1.31.5, 1.32.1  │ kubelet: Command Injection affecting Windows nodes via      │
│                   │                │          │          │                   │                                  │ nodes/*/logs/query API                                      │
│                   │                │          │          │                   │                                  │ https://avd.aquasec.com/nvd/cve-2024-9042                   │
│                   ├────────────────┤          │          │                   ├──────────────────────────────────┼─────────────────────────────────────────────────────────────┤
│                   │ CVE-2025-0426  │          │          │                   │ 1.32.2, 1.31.6, 1.30.10, 1.29.14 │ k8s.io/kubernetes: kubelet: node denial of service via      │
│                   │                │          │          │                   │                                  │ kubelet checkpoint API                                      │
│                   │                │          │          │                   │                                  │ https://avd.aquasec.com/nvd/cve-2025-0426                   │
│                   ├────────────────┤          ├──────────┤                   ├──────────────────────────────────┼─────────────────────────────────────────────────────────────┤
│                   │ CVE-2025-1767  │          │ affected │                   │                                  │ kubelet: GitRepo Volume Inadvertent Local Repository Access │
│                   │                │          │          │                   │                                  │ https://avd.aquasec.com/nvd/cve-2025-1767                   │
└───────────────────┴────────────────┴──────────┴──────────┴───────────────────┴──────────────────────────────────┴─────────────────────────────────────────────────────────────┘

@pmatseykanets
Contributor Author

pmatseykanets commented Mar 26, 2025

After

trivy filesystem .
┌───────────────────┬───────────────┬──────────┬──────────┬───────────────────┬───────────────┬─────────────────────────────────────────────────────────────┐
│      Library      │ Vulnerability │ Severity │  Status  │ Installed Version │ Fixed Version │                            Title                            │
├───────────────────┼───────────────┼──────────┼──────────┼───────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
│ k8s.io/kubernetes │ CVE-2025-1767 │ MEDIUM   │ affected │ v1.31.6           │               │ kubelet: GitRepo Volume Inadvertent Local Repository Access │
│                   │               │          │          │                   │               │ https://avd.aquasec.com/nvd/cve-2025-1767                   │
└───────────────────┴───────────────┴──────────┴──────────┴───────────────────┴───────────────┴─────────────────────────────────────────────────────────────┘

@pmatseykanets pmatseykanets merged commit c77a081 into rancher:v2.10 Mar 27, 2025
1 check passed
@pmatseykanets pmatseykanets deleted the bump-deps-v2.10 branch March 27, 2025 11:54