prometheus-auth is using an old unmaintained version of Alpine Linux. #29290
Comments
|
Thanks for submitting this issue to us! FYI I believe the Dockerfile.dapper linked in the original issue description is the one used by Dapper for our build scripts, so the Go version shouldn't make a difference, but I'll update that anyways. However, it seems like the Dockerfile used for prometheus-auth is also still at alpine 3.8, so I'll update that to 3.12. |
Related Issue: rancher/rancher#29290
Fantastic, thank you! |
Note to QAWe initially had an issue in #29342 that tracked the 2.4 backport, but this issue is only ever being merged into 2.4 so I closed that ticket out in favor of this. We should check in this ticket that the image is updated both in a 2.4 and 2.5 setup, but since the backend changes necessary are the same for both I'm leaving this as a single ticket to test both. |
|
This bug fix is validated in rancher: Steps:
Results:
|
|
Thank you! I'll look forward to seeing this in the next release! |
|
@jiaqiluo Can you test this version for v2.4.9? |
|
Close this issue since both v2.4-head and master-head were tested, and v2.4-head is for v2.4.9. |
The Dockerfile for prometheus-auth specifies an old, unmaintained version of Alpine Linux (3.8).
This already contains multiple CVEs, such as:
CVE-2019-1551
CVE-2019-14697
CVE-2019-5482
It also specifies a two year old version of Go (1.11.1) that has multiple security fixes available: https://golang.org/doc/devel/release.html#go1.11
Please update this package and release a new version.
Thanks.
The text was updated successfully, but these errors were encountered: