Old version of node_exporter (1.6.1) #16085
Comments
Update node_exporter to 1.7.0. The previous version (1.6.1) was flagged by security scanners (such as Trivy) with HIGH-severity CVE-2023-39325. 1.7.0 release fixed that problem. Fixes scylladb#16085
Update node_exporter to 1.7.0. The previous version (1.6.1) was flagged by security scanners (such as Trivy) with HIGH-severity CVE-2023-39325. 1.7.0 release fixed that problem. [Botond: regenerate frozen toolchain] Fixes scylladb#16085 Closes scylladb#16086
We could backport it, but I'd like a tiny run that proves that node_exporter starts correctly and exports metrics.
Will be part of next sprint - https://github.com/scylladb/qa-tasks/issues/1562
@avikivity is it still waiting for verification before backports?
Please test.
Tested with "5.5.0~dev-0.20231122.65e42e4166ce" and node_exporter works fine.
Output Example:
Can we do the backports today?
ping @avikivity
I'll regenerate now.
In 5.2 we have node_exporter 1.4.0. Is it vulnerable? Or was the vulnerability introduced later?
Update node_exporter to 1.7.0. The previous version (1.6.1) was flagged by security scanners (such as Trivy) with HIGH-severity CVE-2023-39325. 1.7.0 release fixed that problem. [Botond: regenerate frozen toolchain] Fixes #16085 Closes #16086 Closes #16090 (cherry picked from commit 321459e) [avi: regenerate frozen toolchain]
Update node_exporter to 1.7.0. The previous version (1.6.1) was flagged by security scanners (such as Trivy) with HIGH-severity CVE-2023-39325. 1.7.0 release fixed that problem. [Botond: regenerate frozen toolchain] Fixes #16085 Closes #16086 Closes #16090 (cherry picked from commit 321459e) [avi: regenerate frozen toolchain] [avi: update build script to work around https://users.rust-lang.org/t/cargo-uses-too-much-memory-being-run-in-qemu/76531]
Backported to 5.1, 5.2, 5.4.
The current version of node_exporter used in ScyllaDB images is 1.6.1 (as of 6bcf3ac). However, this version is flagged by security scanners with HIGH-severity CVE-2023-39325 (it uses an old version of golang.org/x/net). node_exporter should be updated to a later version, 1.7.0, that fixed this problem.
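Scanners flag the binary because of the golang.org/x/net module compiled into it, so the direct check is the module list embedded in the Go binary (`go version -m node_exporter`) rather than the node_exporter release number alone. The following is an added example, not code from the issue or from the ScyllaDB or node_exporter projects: it parses constructed `go version -m` output and compares the x/net version against the fixed release, which is assumed here to be v0.17.0 (confirm against the advisory before relying on it).

```python
import re
from typing import Dict, Optional, Tuple

# Assumed fixed golang.org/x/net version for CVE-2023-39325 (HTTP/2 rapid
# reset). Verify this against the Go vulnerability database entry.
XNET_FIXED = (0, 17, 0)

# Constructed sample of `go version -m node_exporter` output for a 1.6.1 build.
# Module versions and checksums are illustrative, not from a real binary.
SAMPLE_GO_VERSION_M = """\
node_exporter: go1.20.6
\tpath\tgithub.com/prometheus/node_exporter
\tmod\tgithub.com/prometheus/node_exporter\tv1.6.1\th1:EXAMPLE=
\tdep\tgolang.org/x/net\tv0.10.0\th1:EXAMPLE=
\tdep\tgolang.org/x/sys\tv0.9.0\th1:EXAMPLE=
"""


def parse_semver(version: str) -> Tuple[int, int, int]:
    """Turn 'v0.17.0' (or '0.17.0') into a comparable (major, minor, patch) tuple."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unparseable version: {version}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def parse_go_modules(text: str) -> Dict[str, str]:
    """Map module path -> version from `go version -m` output.

    Only 'mod' (the main module) and 'dep' lines carry a version; 'path' and
    'build' lines are skipped.
    """
    modules: Dict[str, str] = {}
    for line in text.splitlines():
        parts = line.strip().split("\t")
        if len(parts) >= 3 and parts[0] in ("mod", "dep"):
            modules[parts[1]] = parts[2]
    return modules


def xnet_vulnerable(text: str) -> Optional[bool]:
    """True if the embedded golang.org/x/net predates the fix, False if not,
    None if the binary does not link x/net at all."""
    version = parse_go_modules(text).get("golang.org/x/net")
    if version is None:
        return None
    return parse_semver(version) < XNET_FIXED
```

Running the same check over the 1.7.0 binary's output is the verification a backport reviewer can do without standing up a scraper, although the "starts and exports metrics" run is still needed to prove the build works.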