prometheus-auth is using an old unmaintained version of Alpine Linux. #29290
Comments
Thanks for submitting this issue to us! FYI I believe the Dockerfile.dapper linked in the original issue description is the one used by Dapper for our build scripts, so the Go version shouldn't make a difference, but I'll update that anyways. However, it seems like the Dockerfile used for prometheus-auth is also still at alpine 3.8, so I'll update that to 3.12.
Related Issue: rancher/rancher#29290
Fantastic, thank you!
Note to QA: We initially had an issue in #29342 that tracked the 2.4 backport, but this issue is only ever being merged into 2.4 so I closed that ticket out in favor of this. We should check in this ticket that the image is updated both in a 2.4 and 2.5 setup, but since the backend changes necessary are the same for both I'm leaving this as a single ticket to test both.
This bug fix is validated in rancher: Steps:
Results:
Thank you! I'll look forward to seeing this in the next release!
@jiaqiluo Can you test this version for v2.4.9?
Close this issue since both v2.4-head and master-head were tested, and v2.4-head is for v2.4.9.
The Dockerfile for prometheus-auth specifies an old, unmaintained version of Alpine Linux (3.8).
This already contains multiple CVEs, such as:
CVE-2019-1551
CVE-2019-14697
CVE-2019-5482
It also specifies a two-year-old version of Go (1.11.1) that has multiple security fixes available: https://golang.org/doc/devel/release.html#go1.11
Please update this package and release a new version.
Thanks.
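A CI check that would catch the problem reported here, as an added example that is not part of this thread or of the Rancher code base: it parses the `FROM` lines of a Dockerfile and flags base images pinned below a minimum version. The function name `audit_dockerfile`, the golang floor and the sample Dockerfile are assumptions made for illustration; the alpine floor of 3.12 is the version the maintainer chose above.

```python
import re

# Minimum acceptable base-image versions. alpine 3.12 is the version the
# maintainer moved to in this thread; the golang floor is an assumed value.
FLOORS = {"alpine": (3, 12), "golang": (1, 15)}
FROM_RE = re.compile(r"^\s*FROM\s+(?:--\S+\s+)*(\S+)(?:\s+AS\s+(\S+))?", re.I)

# Constructed sample input, not the project's real Dockerfile.
SAMPLE = """\
FROM golang:1.11.1 AS build
RUN go build -o /out/app ./...
FROM --platform=linux/amd64 registry.example.com/library/alpine:3.8
COPY --from=build /out/app /usr/bin/app
FROM build AS test
FROM alpine:3.12.0
FROM alpine
"""


def audit_dockerfile(text, floors=FLOORS):
    """Return (line_no, image_ref, reason) for every FROM line that fails."""
    findings, stages = [], set()
    for no, line in enumerate(text.splitlines(), 1):
        m = FROM_RE.match(line)
        if not m:
            continue
        ref, alias = m.group(1), m.group(2)
        is_stage = ref.lower() in stages  # "FROM build" reuses an earlier stage
        if alias:
            stages.add(alias.lower())
        if is_stage or ref.lower() == "scratch":
            continue
        # Drop any digest and registry/path prefix, then split name from tag.
        name, _, tag = ref.split("@")[0].rsplit("/", 1)[-1].partition(":")
        if name not in floors:
            continue
        ver = re.match(r"v?(\d+(?:\.\d+)*)", tag)
        if not ver:  # no tag, "latest", or a tag supplied through a build arg
            findings.append((no, ref, "no numeric version tag to compare"))
            continue
        found = tuple(int(p) for p in ver.group(1).split("."))
        floor = floors[name]
        if found[:len(floor)] < floor:
            wanted = ".".join(map(str, floor))
            findings.append((no, ref, f"{name} {ver.group(1)} is below {wanted}"))
    return findings


if __name__ == "__main__":
    for no, ref, reason in audit_dockerfile(SAMPLE):
        print(f"line {no}: {ref}: {reason}")
```

A version floor only catches stale pins; it does not replace scanning the built image for the CVEs themselves.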